Nexus VLAN ACLs - Logic Question

Paul Chapman
Level 4

Hi All -

I'm trying to understand the logic for the following sample (derived from the OTV deployment guide):

ip access-list ACL-ANY-IP
 permit ip any any
ip access-list ACL-FHRP-IP
 permit ip any 224.0.0.2
 permit ip any 224.0.0.102
 permit ip any 224.0.0.18
mac access-list ACL-ANY-MAC
 permit any any
mac access-list ACL-FHRP-MAC
 permit 0000.0c07.ac00 0000.0000.00ff any
 permit 0000.0c9f.f000 0000.0000.0fff any
 permit 0000.5e00.0100 0000.0000.00ff any
!
vlan access-map BLOCK-FHRP 10
match mac address ACL-FHRP-MAC
match ip address ACL-FHRP-IP
action drop
vlan access-map BLOCK-FHRP 20
match mac address ACL-ANY-MAC
match ip address ACL-ANY-IP
action forward
!
vlan filter BLOCK-FHRP vlan-list 10-19

In PBR, two or more match statements in a block are a logical AND.  The Catalyst documentation (top of page 6) says that this is an invalid configuration, but the Nexus documentation seems to state otherwise.

So is this a logical AND or a logical OR?  If it's a logical AND, does this actually work considering that there are multiple matches in each of the ACLs?

Thanks in advance,

PSC


Paul Chapman
Level 4

After a sit down in the lab to do some testing, it would appear that this configuration is a logical OR.  Altering either the MAC or IP access lists with some nonsensical address yields the expected blocking behavior if at least one of the two is correct (i.e. IP or MAC).

Please comment if you have a different experience.
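As an added illustration (not part of the original thread or Cisco's software), here is a small Python model of how the BLOCK-FHRP access-map above evaluates a frame. The ACL contents are copied from the configuration in the question; the `logic` argument lets you compare the OR behavior observed in the lab against the AND reading, and the sample MAC addresses and destination IPs are constructed for the test.

```python
# Model of the BLOCK-FHRP VLAN access-map from the post (added example,
# not Cisco code). A sequence "hits" when its match statements are
# satisfied; the observed NX-OS behavior is logical OR between the MAC
# and IP match, which is what logic="or" reproduces.

# mac access-list ACL-FHRP-MAC: (address, wildcard) pairs, wildcard bit 1 = don't care
ACL_FHRP_MAC = [
    ("0000.0c07.ac00", "0000.0000.00ff"),  # HSRPv1 virtual MACs
    ("0000.0c9f.f000", "0000.0000.0fff"),  # HSRPv2 virtual MACs
    ("0000.5e00.0100", "0000.0000.00ff"),  # VRRP virtual MACs
]
# ip access-list ACL-FHRP-IP: "permit ip any <host>" entries, matched on destination
ACL_FHRP_IP = {"224.0.0.2", "224.0.0.102", "224.0.0.18"}

# vlan access-map BLOCK-FHRP: (sequence, mac_acl, ip_acl, action); None = the "any" ACLs
ACCESS_MAP = [
    (10, ACL_FHRP_MAC, ACL_FHRP_IP, "drop"),
    (20, None, None, "forward"),
]


def _mac_int(mac: str) -> int:
    """Convert Cisco dotted-hex notation (0000.0c07.ac00) to an integer."""
    return int(mac.replace(".", ""), 16)


def mac_matches(acl, src_mac: str) -> bool:
    """True if the source MAC is permitted by the MAC ACL (None = permit any any)."""
    if acl is None:
        return True
    src = _mac_int(src_mac)
    # Setting the wildcard bits in both values leaves only the cared-for bits to compare
    return any((src | _mac_int(wc)) == (_mac_int(base) | _mac_int(wc)) for base, wc in acl)


def ip_matches(acl, dst_ip: str) -> bool:
    """True if the destination IP is permitted by the IP ACL (None = permit ip any any)."""
    return True if acl is None else dst_ip in acl


def vacl_action(src_mac: str, dst_ip: str, logic: str = "or") -> str:
    """Walk the access-map in sequence order and return the first hit's action."""
    for _seq, mac_acl, ip_acl, action in ACCESS_MAP:
        m, i = mac_matches(mac_acl, src_mac), ip_matches(ip_acl, dst_ip)
        hit = (m or i) if logic == "or" else (m and i)
        if hit:
            return action
    return "drop"  # no sequence matched: implicit drop


if __name__ == "__main__":
    # Constructed sample frames: an HSRP hello, a non-FHRP host sending to 224.0.0.2,
    # an HSRP vMAC sending unicast, and ordinary unicast traffic.
    for mac, ip in [("0000.0c07.ac01", "224.0.0.2"), ("0011.2233.4455", "224.0.0.2"),
                    ("0000.0c07.ac05", "10.0.0.1"), ("0011.2233.4455", "10.0.0.1")]:
        print(mac, ip, "OR:", vacl_action(mac, ip), "AND:", vacl_action(mac, ip, "and"))
```

Under the OR reading a frame is dropped when either its source is an FHRP virtual MAC or its destination is an FHRP multicast group; under AND only frames matching both would be dropped.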
