VACL Question

Craddockc
Level 3

Community,

I have a question regarding the Access Lists used by the VLAN Access Maps when creating a VACL. I understand that when you create an ACL with "permit" statements that are then referenced by the VACL Map, that the "permit" statement is used as a "positive" finding to complete the action in the VACL sequence. For instance if I had the following:

access-list 101 permit tcp host 10.10.10.1 host 10.10.10.2 eq 22
access-list 101 permit tcp host 10.10.10.2 eq 22 host 10.10.10.1

vlan access-map SSH 10
 match ip address 101
 action forward (or) action drop

This VACL would match the "permit" statement in the ACL and then permit the "forward" or "drop" action, correct? But what if I had DENY statements in my ACL? How does a VACL treat DENY statements in the ACL? And how does the VACL treat the DENY statement differently depending on if the action in the map is "forward" or "drop"?

Thanks.

1 Accepted Solution


Jon Marshall
Hall of Fame

It's a bit complicated but have a quick read of this thread and then come back if you have further questions -

https://supportforums.cisco.com/discussion/12692531/vacl

Jon


7 Replies


Thanks Jon,

Exactly what I'm looking for! What I'm gathering is that when the VACL sees a DENY clause in the ACL ACE line it immediately stops checking that ACE line in the sequence and moves onto the next sequence, but ONLY for that particular ACE. Any PERMIT clauses in subsequent ACE lines of the same ACL (being read in the original sequence) will take the specified ACTION in that original sequence, whether it be forward/drop/redirect?

Thanks.

I think you are right, it's just your use of ACE vs ACL which is confusing me.

In brief, if it matches a deny line in an ACL it stops processing that ACL. If there is another ACL in the same sequence (because a match clause can reference multiple ACLs) then it will go through that ACL as well.

If there is not another ACL in the same sequence it will move on to the next sequence.

Basically, using deny lines is a way of moving the packet on so that the action within that sequence is not taken.

Which I think is what you are saying?

Jon

Jon,

Thanks so much for your feedback, my reference to Access Control Entries (ACE's) means "a single line in an ACL" for instance the ACL below has 2 ACEs (lines) that make up the ACL.

access-list 101 deny tcp host 10.10.10.1 host 10.10.10.2 eq 22    <---ACE #1
access-list 101 permit tcp host 10.10.10.2 eq 22 host 10.10.10.1    <---ACE #2

However, your explanation makes much more sense. So I am to gather that the second the sequence in the map hits a deny statement in an ACL, it abandons the entire sequence and moves on to the next? In my explanation I was thinking that once the map sequence hits ACE #1 it would move on to the next line in the ACL, only abandoning that one line in the ACL, but what you're saying is that as soon as it hits the deny in ACE #1 it skips ACE #2 entirely and moves onto the next sequence in the map?

It will stop processing the rest of the ACL, so in your example, yes, it would not move onto the second line.

However, if there is another ACL in the same sequence (which there can be) then it will process that ACL as well.

Does that make sense?

Jon
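Putting Jon's explanation into a complete configuration, as an added example that is not from the thread or from either poster: the deny lines in ACL 101 make one host pair "not match" the drop sequence (so the drop action is not taken for them), ACL 102 shows a second ACL referenced from the same match clause, and a final forward-all sequence catches everything else. The addresses, ACL numbers, the map name BLOCK-REMOTE and VLAN 10 are assumed; the syntax is the Catalyst vlan access-map form used in the thread.

```cisco
! Added example, not from the thread. Hosts, ACL numbers, map name and
! VLAN 10 are assumed values.
!
! ACL 101: SSH on the VLAN. The two deny lines come FIRST because an ACL
! is first-match: the 10.10.10.1 <-> 10.10.10.2 pair hits a deny, the
! switch stops evaluating ACL 101 for that packet, and sequence 10's
! drop action is NOT applied to it. All other SSH hits a permit line
! and IS dropped. Both directions of the flow are listed because a
! VACL sees every packet bridged in the VLAN regardless of direction.
access-list 101 deny   tcp host 10.10.10.1 host 10.10.10.2 eq 22
access-list 101 deny   tcp host 10.10.10.2 eq 22 host 10.10.10.1
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any eq 22 any
!
! ACL 102: Telnet, referenced from the SAME sequence as ACL 101. A packet
! that fails ACL 101 (deny or no match) is still checked against 102
! before the switch gives up on sequence 10.
access-list 102 permit tcp any any eq 23
access-list 102 permit tcp any eq 23 any
!
! ACL 199: matches everything, used by the catch-all forward sequence.
access-list 199 permit ip any any
!
vlan access-map BLOCK-REMOTE 10
 match ip address 101 102
 action drop
!
! Sequence 20 forwards whatever sequence 10 did not act on, including the
! exempted SSH pair and all non-SSH/non-Telnet traffic. Ending the map
! with an explicit forward-all avoids depending on the platform's default
! handling of packets that match no sequence.
vlan access-map BLOCK-REMOTE 20
 match ip address 199
 action forward
!
! Apply the map to the VLAN.
vlan filter BLOCK-REMOTE vlan-list 10
```

Trace one packet to see the rule from the thread: SSH from 10.10.10.1 to 10.10.10.2 hits the first deny in ACL 101, so ACL 101 is abandoned; ACL 102 does not match port 22; sequence 10 therefore takes no action; sequence 20 matches ACL 199 and forwards it. SSH from any other host hits `permit tcp any any eq 22` in ACL 101 and is dropped by sequence 10 without ever reaching sequence 20. After applying, `show vlan access-map BLOCK-REMOTE` and `show vlan filter` confirm the sequences and the VLAN binding.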

Jon,

Thanks! Total light bulb moment! I did not realize that there could be multiple ACLs in the same sequence! I think that's where my confusion came from. I always thought you had to create a separate sequence in the map if you wanted to reference a different ACL. Thanks so much for your feedback, makes perfect sense now!

No problem, glad to have helped.

Jon
