VACL Question

oliclarke7
Level 1

Hi All,

I am currently studying towards my CCNP Switch (300-115) exam, and need a little bit of help with VLAN Access-Lists.

In the configuration below, I am a little confused what the point of the config starting 'vlan access-map NOT-TO-SERVER 20' is. I get that the first 3 lines essentially prevent a host communicating with the host stated in ACL 100, however I'm a little puzzled by the next bit.

SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward

If you'd like to see the full config/topology, please go to the link below:

https://networklessons.com/cisco/ccie-routing-switching/vlan-access-list-vacl/

Kind regards,

Oli


3 Replies

Reza Sharifi
Hall of Fame

Hi,

SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20

This is the same line but with a different sequence number (20)

and this line

SW1(config-access-map)#action forward

Forward everything else, meaning communication from other hosts (192.168.1.1 and 2) is not blocked (forwarded).

HTH

chrihussey
VIP Alumni

Without the "vlan access-map NOT-TO-SERVER 20" and the subsequent action forward, the route map would not allow any other packets to be forwarded. Consider it to be like an ACL with the implicit deny all at the end. It needs the match to allow all the other packets.

Hope this helps
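To make the implicit-deny behaviour described in this answer concrete, here is a small added simulator of how a VLAN access-map is evaluated (example code written for this page, not from the original thread or from Cisco). The contents of ACL 100 and the host addresses used are constructed assumptions; the evaluation rules are the standard VACL ones: entries are checked in sequence order, a packet matches an entry only if the referenced ACL permits it (an ACL deny, including the ACL's own implicit deny, means "no match, try the next sequence"), and traffic matching no entry is dropped.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclEntry:
    permit: bool
    src: str   # "any" or a host address
    dst: str   # "any" or a host address


@dataclass
class MapEntry:
    seq: int
    action: str                              # "drop" or "forward"
    match_acl: Optional[List[AclEntry]] = None  # None = no match clause, matches all traffic


def acl_matches(acl: List[AclEntry], src: str, dst: str) -> bool:
    """True if the ACL *permits* the packet. In a VACL match clause only permitted
    traffic matches the entry; denied traffic falls through to the next sequence."""
    for e in acl:
        if e.src in ("any", src) and e.dst in ("any", dst):
            return e.permit
    return False  # implicit deny at the end of every ACL -> no match


def vacl_action(access_map: List[MapEntry], src: str, dst: str) -> str:
    """Evaluate the access-map in sequence order; unmatched traffic is dropped."""
    for entry in sorted(access_map, key=lambda m: m.seq):
        if entry.match_acl is None or acl_matches(entry.match_acl, src, dst):
            return entry.action
    return "drop"  # the implicit deny-all at the end of the access-map


# Constructed ACL 100: identifies traffic from host .3 towards the server .100
ACL_100 = [AclEntry(True, "192.168.1.3", "192.168.1.100")]
SERVER = "192.168.1.100"

# Sequence 10 alone, versus sequence 10 followed by "action forward" at sequence 20
WITHOUT_SEQ_20 = [MapEntry(10, "drop", ACL_100)]
WITH_SEQ_20 = [MapEntry(10, "drop", ACL_100), MapEntry(20, "forward")]

if __name__ == "__main__":
    for name, amap in (("without seq 20", WITHOUT_SEQ_20), ("with seq 20", WITH_SEQ_20)):
        for src in ("192.168.1.1", "192.168.1.2", "192.168.1.3"):
            print(f"{name}: {src} -> {SERVER}: {vacl_action(amap, src, SERVER)}")
```

Running it shows that without sequence 20 every host is dropped, including 192.168.1.1 and .2, while with sequence 20 only the host identified by ACL 100 is dropped.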

Ah, thank you! I get it now. So basically if that command wasn't there, it would still drop all packets if they did not match access-list 100... kind of like a 'deny all' statement at the end of an ACL like you said.

Thanks again,

Oli
