ACL and VACL
When you create a VLAN access-map, you use an ACL to specify the traffic being processed. If the ACL contains a deny statement, does this mean that whatever traffic is being denied is denied before the VACL processes it?
For example
ACL:
sw1(config)# ip access-list extended ACL_TEST
sw1(config-nacl)# deny tcp any any eq 3689
sw1(config-nacl)# permit ip any any
VACL:
sw1(config)# vlan access-map VACL_TEST
sw1(config-access-map)# match ip address ACL_TEST
sw1(config-access-map)# action forward
sw1(config)# vlan filter VACL_TEST vlan-list 10
With that configuration, am I basically denying all RDP traffic within the VLAN? Since there's a deny statement for traffic going to port 3689, would that get dropped when the ACL is processed or when the VACL is processed? The VACL only processes the traffic permitted by the ACL, right?
Comments
Coolhandluke (Member, Posts: 118):
The ACL should permit whatever traffic you wish the VACL to process (remember the final deny will negate anything else).
access-list 100 permit tcp any any eq ftp
vlan access-map BLOCK_FTP 10
match ip address 100
action drop
vlan access-map BLOCK_FTP 20
action forward
vlan filter BLOCK_FTP vlan-list 1
hope this helps
Zartanasaurus (Member, Posts: 2,008):
The way you wrote that policy will work, but your understanding is off.
The deny statement in the ACL doesn't deny the traffic before the VACL processes it. The ACL is used to determine the traffic you want to apply a policy to in the access-map.
So effectively it looks like this:
1: forward all traffic that matches ACL_TEST (explicit)
2: Everything but RDP matches ACL_TEST
3: No other policies to process so everything else is dropped (implicit deny at end)
Change the VACL to this:
vlan access-map VACL_TEST 10
match ip address ACL_TEST
action drop
vlan access-map VACL_TEST 20
action forward
Now what happens?
1: drop all traffic that matches ACL_TEST (explicit)
2: Everything but RDP matches ACL_TEST
3: Forward everything (explicit)
4: Drop everything (implicit)
Now everything will be dropped EXCEPT RDP.
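An added example, not from the thread, that models the evaluation rule both replies describe: a deny in the match ACL means "not matched" rather than "dropped", access-map sequences are tried in order, and traffic that matches no sequence hits the VACL's implicit deny. The Packet class, ACL tuples and the three map dictionaries are constructed to mirror the configurations posted above; only IP traffic is modelled.

```python
# Added example (not from the thread): a minimal model of Cisco VACL evaluation,
# showing why a "deny" inside the match ACL excludes traffic from that
# access-map sequence instead of dropping it. IP traffic only.
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str   # "tcp", "udp", "icmp"
    dport: int   # destination port


def acl_matches(acl, pkt):
    """Evaluate a match ACL. A 'permit' hit means the packet matches the
    access-map sequence; a 'deny' hit (or the implicit deny at the end)
    means it does NOT match and falls through to the next sequence."""
    for action, proto, dport in acl:
        if proto in (pkt.proto, "ip") and dport in (pkt.dport, None):
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no match


def vacl_action(access_map, acls, pkt):
    """Walk the access-map sequences in order; the first sequence whose match
    clause hits decides. A sequence with no match clause matches everything.
    If no sequence matches, the VACL's implicit deny drops the packet."""
    for seq in sorted(access_map):
        acl_name, action = access_map[seq]
        if acl_name is None or acl_matches(acls[acl_name], pkt):
            return action
    return "drop"  # implicit deny at the end of the VACL


# Constructed data mirroring the thread's configs (3689 is the poster's port).
ACLS = {
    "ACL_TEST": [("deny", "tcp", 3689), ("permit", "ip", None)],
    "100": [("permit", "tcp", 21)],   # access-list 100 permit tcp any any eq ftp
}
OP_MAP = {10: ("ACL_TEST", "forward")}                       # original poster
SWAPPED_MAP = {10: ("ACL_TEST", "drop"), 20: (None, "forward")}  # Zartanasaurus
BLOCK_FTP = {10: ("100", "drop"), 20: (None, "forward")}     # Coolhandluke

if __name__ == "__main__":
    maps = [("OP_MAP", OP_MAP), ("SWAPPED_MAP", SWAPPED_MAP), ("BLOCK_FTP", BLOCK_FTP)]
    for name, amap in maps:
        for pkt in (Packet("tcp", 3689), Packet("tcp", 21), Packet("tcp", 443)):
            print(f"{name:12} tcp/{pkt.dport}: {vacl_action(amap, ACLS, pkt)}")
```

Running it shows OP_MAP dropping only tcp/3689 (it never matches the forward sequence), SWAPPED_MAP forwarding only tcp/3689, and BLOCK_FTP dropping only tcp/21.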
pham0329 (Member, Posts: 556), quoting Zartanasaurus:
The way you wrote that policy will work, but your understanding is off.
I think you guys misunderstood. I'm not looking to drop all traffic except RDP, I'm looking to drop RDP traffic! I was playing around with one of our switches at work and found that VACL in there and I got curious because of the deny statement in the ACL.
I figure the way to drop RDP traffic would be like how CoolhandLuke did, so I got confused by the deny statement.