ACL and VACL

when you create a vlan access-map, you use an ACL to specify the traffic being procssed. If the ACL contains a deny statement, does this mean that whatever traffic being denied is denied before the VACL process it?

For example

ACL:
sw1(config)# ip access-list extended ACL_TEST
sw1(config-nacl)# deny tcp any any eq 3689
sw1(config-nacl)# permit ip any any

VACL:
sw1(config)# vlan access-map VACL_TEST
sw1(config-access-map)# match ip address ACL_TEST
sw1(config-access-map)# action forward

sw1(config)# vlan filter VACL_TEST vlan-list 10

With that configuration, am I basically denying all RDP traffic within the VLAN? Since there's a deny statement for traffic going to port 3689, would that get dropped when the ACL is processed or when the VACL is processed? The VACL only process the traffic permitted by the ACL, right?

Find more posts tagged with

Comments

Coolhandluke

The ACL should permit whatever traffic you wish the VACL to process (remember the final deny will negate anything else).

access-list 100 permit tcp any any eq ftp

vlan access-map BLOCK_FTP 10
match ip address 100
action drop
vlan access-map BLOCK_FTP 20
action forward

vlan filter BLOCK_FTP vlan-list 1

hope this helps

Zartanasaurus

They way you wrote that policy will work, but your understanding is off.

The deny statement in the ACL doesn't deny the traffic before the VACL processes it. The ACL is used to determine the traffic you want to apply a policy to in the access-map.

So effectively it looks like this:

1: forward all traffic that matches ACL_TEST (explicit)
2: Everything but RDP matches ACL_TEST
3: No other policies to process so everything else is dropped (implicit deny at end)

Change the VACL to this:

vlan access-map VACL_TEST 10
match ip address ACL_TEST
action drop

vlan access-map VACL_TEST 20
action forward

Now what happens?
1: drop all traffic that matches ACL_TEST (explicit)
2: Everything but RDP matches ACL_TEST
3: Forward everything (explicit)
4: Drop everything (implicit)

Now everything will be dropped EXCEPT RDP.

pham0329

Zartanasaurus wrote: »

They way you wrote that policy will work, but your understanding is off.

The deny statement in the ACL doesn't deny the traffic before the VACL processes it. The ACL is used to determine the traffic you want to apply a policy to in the access-map.

So effectively it looks like this:

1: forward all traffic that matches ACL_TEST (explicit)
2: Everything but RDP matches ACL_TEST
3: No other policies to process so everything else is dropped (implicit deny at end)

Change the VACL to this:

vlan access-map VACL_TEST 10
match ip address ACL_TEST
action drop

vlan access-map VACL_TEST 20
action forward

Now what happens?
1: drop all traffic that matches ACL_TEST (explicit)
2: Everything but RDP matches ACL_TEST
3: Forward everything (explicit)
4: Drop everything (implicit)

Now everything will be dropped EXCEPT RDP.

I think you guys misunderstood. I'm not looking to drop all traffic except RDP, I'm looking to drop RDP traffic! I was playing around with one of our switches at work and found that VACL in there and I got curious because of the deny statement in the ACL.

I figure the way to drop RDP traffic would be like how CoolhandLuke did, so I got confused by the deny statement.