02-07-2020 12:23 AM
Hello everyone,
If you use the example ACL 121 from the CoPP best practice:
access-list 121 permit tcp <NOC block> <router receive block> eq telnet
access-list 121 permit tcp <NOC block> eq telnet <router receive block> established
access-list 121 permit tcp <NOC block> <router receive block> eq 22
access-list 121 permit tcp <NOC block> eq 22 <router receive block> established
access-list 121 permit udp <NOC block> <router receive block> eq snmp
access-list 121 permit tcp <NOC block> <router receive block> eq www
access-list 121 permit udp <NOC block> <router receive block> eq 443
access-list 121 permit tcp <NOC block> <router receive block> eq ftp
access-list 121 permit tcp <NOC block> <router receive block> eq ftp-data
access-list 121 permit udp <NOC block> <router receive block> eq syslog
access-list 121 permit udp <DNS block> eq domain <router receive block>
access-list 121 permit udp <NTP block> <router receive block> eq ntp
---etc--- for known good management traffic...
and then the class definition, also from the CoPP best practice:
!
class-map match-all Management
 match access-group 121
My question is:
Does a packet that is checked with the ACL have to match all the permit statements before it is considered a member of the
class Management?
Or is it like this: a packet is received and checked with ACL 121, and if it matches one permit statement it is a member of
the class Management?
The "match-all" confuses me.
Is there someone out there who can explain this?
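
An added example, not part of the original post or of the CoPP best-practice document: a small Python model of the two evaluation steps the question asks about, using constructed address blocks in place of <NOC block> and <router receive block> and only three of the ACL 121 entries. The ACL is evaluated top-down with the first matching entry deciding, while match-all combines the match statements of the class-map, of which Management has one.

```python
"""Model of `class-map match-all Management` / `match access-group 121`.
Added illustration; the address blocks are constructed stand-ins for the
<NOC block> and <router receive block> placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

NOC = ip_network("192.0.2.0/24")      # constructed <NOC block>
RTR = ip_network("198.51.100.0/28")   # constructed <router receive block>

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp" or "udp"
    src: object                   # source network
    dst: object                   # destination network
    dport: Optional[int] = None   # None means any port
    sport: Optional[int] = None

    def hits(self, p):
        return (p["proto"] == self.proto
                and ip_address(p["src"]) in self.src
                and ip_address(p["dst"]) in self.dst
                and self.dport in (None, p["dport"])
                and self.sport in (None, p["sport"]))

# Three of the ACL 121 entries: telnet, SSH (22) and SNMP
ACL_121 = [Ace("permit", "tcp", NOC, RTR, dport=23),
           Ace("permit", "tcp", NOC, RTR, dport=22),
           Ace("permit", "udp", NOC, RTR, dport=161)]

def acl_permits(acl, pkt):
    """Top-down: the first matching entry decides; no match is the implicit deny."""
    for ace in acl:
        if ace.hits(pkt):
            return ace.action == "permit"
    return False

def in_class(mode, match_results):
    """match-all / match-any combine the class-map's match statements,
    not the entries inside one ACL."""
    return all(match_results) if mode == "match-all" else any(match_results)

def is_management(pkt):
    # class-map match-all Management has one statement: match access-group 121
    return in_class("match-all", [acl_permits(ACL_121, pkt)])

# Constructed sample packets: SSH from the NOC block, and the same from elsewhere
ssh = {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.1", "sport": 50000, "dport": 22}
outside = dict(ssh, src="203.0.113.7")
```
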
02-07-2020 12:59 AM