
how switch vacl works

GB2452 (Level 1)

Dear Colleagues,

I'm learning new concepts for Cisco CCNP SWITCH and I got stuck on VACLs.

I have read some documentation about it, but I'm confused about how the access list and the VLAN access-map are mapped.

Here is a quick example and its config:

For VLAN filtering, configure it as follows:

VLAN 5
- drop all TCP packets
- drop all UDP packets
- forward all other non-IP packets
- forward all other IP packets

Here is the configuration to be done at the switch:

ip access-list extended tcp
 permit tcp any any
!
ip access-list extended udp
 permit udp any any
!
vlan access-map vacl 10
 match ip address tcp
 action drop
vlan access-map vacl 20
 match ip address udp
 action drop
vlan access-map vacl 30
 action forward
!
vlan filter vacl vlan-list 5

My questions are:

1) Why don't we deny TCP/UDP at the extended access list level?

2) Does the "match ip address" command of the VACL mean that if an IP packet matches the TCP or UDP access list, the resulting action is drop?

3) If we don't specify a mapping between the VACL and an ACL and require the action forward, will it forward all packet protocols without differentiation?

Thanks for your answers.

1 ACCEPTED SOLUTION

Accepted Solutions

Hi

Below you will find the answers to your questions:

1) Why don't we deny TCP/UDP at the extended access list level?

You can specify or customize your ACL as you usually create extended ACLs; for example, you can specify the source, the source port and the destination as well. It can be configured as required; now take into consideration how to apply it.

2) Does the "match ip address" command of the VACL mean that if an IP packet matches the TCP or UDP access list, the resulting action is drop?

Yes, basically the VACL works like a normal ACL, reading from top to bottom, so in your case the UDP packets will be dropped.

3) If we don't specify a mapping between the VACL and an ACL and require the action forward, will it forward all packet protocols without differentiation?

No. Like the ACLs or a PBR sequence, there is an implicit deny, so if you don't specify anything else after the last map, everything will be dropped. Please visit the following link:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.pdf

VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.

I hope the question is answered.

Regards.

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<
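The behaviour discussed in the question and in the accepted answer, as an added example that is not part of the original thread: a small Python model of how a VLAN access-map evaluates a packet, following the rule quoted above (sequences are evaluated in order, the first matching sequence decides, and there is an implicit deny at the end of the map when at least one ACL is configured for the packet type). This is not Cisco code. The packet and ACL representation, the protocol names, and the `evaluate` function are this example's own simplifications, and the sample packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified model of VLAN access-map evaluation (added example, not Cisco code).
# It encodes the documented rule: first matching sequence wins; a sequence with
# no match clause matches everything; implicit deny at the end of the map when
# at least one ACL is configured for the packet type.

@dataclass
class Ace:
    action: str     # "permit" or "deny"
    protocol: str   # "tcp", "udp", "icmp", "ip" (any IP), or "any" (MAC ACL)

@dataclass
class Acl:
    kind: str                                   # "ip" or "mac"
    entries: list = field(default_factory=list)

    def selects(self, pkt: dict) -> bool:
        """ACL semantics: first matching ACE decides, implicit deny at the end.
        A permit means the ACL *selects* the packet; the access-map action then
        decides what happens to it. That is why the ACLs in the question use
        permit even though the intent is to drop the traffic."""
        for ace in self.entries:
            if ace.protocol in ("ip", "any") or ace.protocol == pkt["protocol"]:
                return ace.action == "permit"
        return False

@dataclass
class Sequence:
    seq: int
    action: str                  # "forward" or "drop"
    match: Optional[Acl] = None  # None: no match clause, so every packet matches

def packet_type(pkt: dict) -> str:
    # Assumption of this model: anything that is not an IP protocol is a MAC frame.
    return "ip" if pkt["protocol"] in ("tcp", "udp", "icmp", "ip") else "mac"

def evaluate(access_map: list, pkt: dict) -> tuple:
    """Return (verdict, reason) for pkt; verdict is 'forward' or 'drop'."""
    ptype = packet_type(pkt)
    acl_for_type = False
    for s in sorted(access_map, key=lambda s: s.seq):
        if s.match is None:
            return s.action, f"seq {s.seq}: no match clause"
        if s.match.kind != ptype:
            continue                  # an IP ACL cannot match a non-IP frame
        acl_for_type = True
        if s.match.selects(pkt):
            return s.action, f"seq {s.seq}: matched ACL"
    if acl_for_type:
        return "drop", "implicit deny at end of map"
    return "forward", "no ACL configured for this packet type"

# The configuration from the question, as data.
ACL_TCP = Acl("ip", [Ace("permit", "tcp")])
ACL_UDP = Acl("ip", [Ace("permit", "udp")])
VACL = [
    Sequence(10, "drop", ACL_TCP),
    Sequence(20, "drop", ACL_UDP),
    Sequence(30, "forward"),          # no match clause: everything else
]
# The same map without sequence 30, to show the implicit deny.
VACL_NO_SEQ30 = VACL[:2]
# A map whose ACL uses a deny ACE instead of permit (question 1): the ACL then
# never selects TCP, so the drop action never applies to it.
VACL_DENY_ACE = [
    Sequence(10, "drop", Acl("ip", [Ace("deny", "tcp")])),
    Sequence(30, "forward"),
]

# Constructed sample packets: two that the ACLs select, one other IP protocol,
# and one non-IP frame.
SAMPLE_PACKETS = [{"protocol": p} for p in ("tcp", "udp", "icmp", "arp")]

def verdicts(access_map: list, packets: list) -> dict:
    """Map each sample packet's protocol to its verdict under access_map."""
    return {p["protocol"]: evaluate(access_map, p)[0] for p in packets}

if __name__ == "__main__":
    for name, amap in (("with seq 30", VACL),
                       ("without seq 30", VACL_NO_SEQ30),
                       ("deny ACE in ACL", VACL_DENY_ACE)):
        print(name)
        for p in SAMPLE_PACKETS:
            print("  ", p["protocol"], "->", evaluate(amap, p))
```

Running it shows the three points of the thread: TCP and UDP are dropped at sequences 10 and 20 because the permit entries select them and the map action is drop; everything else reaches sequence 30 and is forwarded; and once sequence 30 is removed, ICMP hits the implicit deny while the ARP frame is still forwarded, because no MAC ACL is configured for that packet type. The deny-ACE variant illustrates question 1: a deny entry means the ACL does not select the packet, so the map's drop action is never reached for it.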
