https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206080#M217815 <HTML><HEAD></HEAD><BODY><P>Eduardo,</P><P></P><P>I know this seems intuitive, but since sequence 20 matches everything, does it stand to reason that the map filter will never get passed sequence 20 and on to sequence 30 etc? I would venture to say that it doesnt since all packets are matched in sequence 20. Thanks.</P><P></P><P>Chris.</P></BODY></HTML> Tue, 16 Jul 2013 21:37:13 GMT Craddockc 2013-07-16T21:37:13Z https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206077#M217812 <P>Hello Community,</P><P></P><P>I am currently studying for the CCNP SWITCH exam and had a question about how VLAN ACL's operate in a specific instance. The book is not clearing it up for me:</P><P></P><P>If I had the following configuration:</P><P></P><P>VTP-Server-1(config)#<STRONG> ip access-list extended ALLOW-TCP</STRONG></P><P> VTP-Server-1(config-ext-nacl)#<STRONG> permit tcp any any</STRONG> </P><P>VTP-Server-1(config-ext-nacl)# <STRONG>exit</STRONG></P><P>VTP-Server-1(config)#<STRONG> ip access-list extended ALLOW-UDP</STRONG></P><P> VTP-Server-1(config-ext-nacl)#<STRONG> permit udp any any</STRONG></P><P>VTP-Server-1(config-ext-nacl)#<STRONG> exit</STRONG></P><P>VTP-Server-1(config)# <STRONG>ip access-list extended ALLOW-IP</STRONG></P><P>VTP-Server-1(config-ext-nacl)#<STRONG> permit ip any any</STRONG></P><P>VTP-Server-1(config-ext-nacl)#<STRONG> exit</STRONG></P><P>VTP-Server-1(config)#<STRONG> vlan access-map MY-VACL-MAP 10</STRONG></P><P>VTP-Server-1(config-access-map)#<STRONG> match ip address ALLOW-TCP</STRONG></P><P>VTP-Server-1(config-access-map)#<STRONG> action forward</STRONG> </P><P>VTP-Server-1(config-access-map)#<STRONG> exit</STRONG></P><P>VTP-Server-1(config)#<STRONG> vlan access-map MY-VACL-MAP 20</STRONG></P><P>VTP-Server-1(config-access-map)#<STRONG> action drop</STRONG></P><P>VTP-Server-1(config-access-map)#<STRONG> exit</STRONG></P><P>VTP-Server-1(config)# <STRONG>vlan access-map MY-VACL-MAP 30</STRONG></P><P>VTP-Server-1(config-access-map)#<STRONG> match ip address ALLOW-IP</STRONG></P><P>VTP-Server-1(config-access-map)#<STRONG> action forward</STRONG></P><P>VTP-Server-1(config-access-map)#<STRONG> exit</STRONG></P><P> VTP-Server-1(config)#<STRONG> vlan&nbsp;&nbsp;&nbsp; filter map VLAN-22-MAP vlan-list 22</STRONG> </P><P></P><P>Would TCP traffic be allowed to pass and all other traffic dropped since there is no specific ACL being matched to "MAP 20"? Would the filter ever get passed the second map "map 20" in this case? Im confused as to what would actually happen in this case. The book has conflicting entries about what actions would be taken since the second entry has no ACL matched to it. It says in the first part that<STRONG> "Because&nbsp; no ACL is specifically matched in sequence 20, all traffic that&nbsp; is not dropped&nbsp; in sequence 10 is effectively forwarded."</STRONG> But at the end in the chapter quiz it marks me wrong when I say the traffic will be forwarded, its states that IP and UDP traffic will be dropped. </P><P></P><P>Thanks.</P><P></P><P>Chris.</P> Sun, 04 Jul 2021 07:24:32 GMT https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206077#M217812 Craddockc 2021-07-04T07:24:32Z https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206078#M217813 <HTML><HEAD></HEAD><BODY><P>Hello Chris</P><P></P><P>Since MY-VACL-MAP-20 didn't specify a match , then it will match everything. That means the chapter quiz is correct, all IP and UDP traffic will be dropped.</P><P></P><P>For reference you can see the following links</P><P><A class="jive-link-external-small" href="http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/">http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/</A></P><P><A class="jive-link-external-small" href="https://learningnetwork.cisco.com/thread/37041">https://learningnetwork.cisco.com/thread/37041</A></P><P></P><P>Please rate if this helps</P></BODY></HTML> Sun, 14 Jul 2013 07:04:43 GMT https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206078#M217813 Eduardo Aliaga 2013-07-14T07:04:43Z https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206079#M217814 <HTML><HEAD></HEAD><BODY><P>Eduardo,</P><P></P><P>Thank you so much for the clarification! </P><P></P><P>Chris.</P></BODY></HTML> Mon, 15 Jul 2013 16:29:08 GMT https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206079#M217814 Craddockc 2013-07-15T16:29:08Z https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206080#M217815 <HTML><HEAD></HEAD><BODY><P>Eduardo,</P><P></P><P>I know this seems intuitive, but since sequence 20 matches everything, does it stand to reason that the map filter will never get passed sequence 20 and on to sequence 30 etc? I would venture to say that it doesnt since all packets are matched in sequence 20. Thanks.</P><P></P><P>Chris.</P></BODY></HTML> Tue, 16 Jul 2013 21:37:13 GMT https://community.cisco.com/t5/wireless/vlan-acl-question/m-p/2206080#M217815 Craddockc 2013-07-16T21:37:13Z