10-29-2015 06:06 PM - edited 03-08-2019 02:30 AM
Dear All,
Please advise on the below.
Say in VLAN 3 I have hosts 10.1.1.1 and 10.1.1.2. I have applied the VLAN filter as below. According to the Cisco doc for VACLs, even if there is a deny for the host, it will still check the next sequence, and if there is a permit any time below for those IPs, it will still allow the traffic. Can someone please advise if my understanding is correct?
So can the two hosts communicate with each other?
vlan access-map testing 10
match ip address testing
action forward
vlan filter testing vlan-list 3
And my Access list is as below
ip access-list extended testing
deny ip any any
permit ip any any
Thanks
10-29-2015 07:09 PM
It's been a while since I looked at these but I am sure someone will correct me if I am wrong.
The logic is somewhat similar to the logic of route maps, i.e. not always intuitive :-)
So the match clause is checked in the first sequence and the first "deny ip any any" in the ACL will match the traffic.
Because it is a deny and not a permit, it simply moves on to the next sequence.
Note it moves on to the next sequence, not the next entry in the ACL in the first match clause, because it has already found a match in that ACL.
That is what the documentation means when it says it checks the next sequence.
But you don't have another sequence, and there is an implicit deny at the end, so it should be dropped.
If you created another sequence and just had an action of forward, it would be allowed.
Jon
10-29-2015 07:15 PM
Hello,
The action will be "DROP" and the hosts cannot communicate.
A VACL follows the conventional rule of a route-map. If a flow matches a permit, the action will be performed and the route-maps with the higher sequence numbers will not be checked.
If it encounters a deny, it does not check the following ACEs and goes to the route-map with the higher sequence number and continues to check.
In your case, all traffic matches the deny, so the next ACE will not be checked. Because there is no route-map with a higher sequence, the traffic will be dropped.
Hope it helps,
Masoud
10-29-2015 07:15 PM
Masoud
Okay, we have provided different answers to the same question.
"When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence."
But is that the next entry in the same ACL, or the next ACL in the same match clause, because a match clause can refer to multiple ACLs?
I believe, although I could well be wrong and can't test it, that it is referring to the next ACL in the same match clause if there is one, and if there isn't, it moves on to the next sequence, and in this case there isn't another sequence, so the traffic will be dropped.
What do you think ?
Jon
10-29-2015 07:22 PM
Hello John,
Thanks for reading my comment.
The purpose of an access-list in a route-map is only matching the traffic. The actual deny or permit takes place in the route-map.
Suppose you are going to match all traffic coming from the network 1.1.1.0/24 except traffic coming from host 1.1.1.1:
access-list 1 deny host 1.1.1.1
access-list 1 permit 1.1.1.0 0.0.0.255
deny deny (default)
With this access-list, traffic coming from 1.1.1.0/24 except 1.1.1.1 matches.
The default deny says everything else does not match.
Then you decide in the route-map either to deny the traffic or permit it.
Thanks,
Masoud
10-29-2015 07:22 PM
Dear All,
Below is what is in the Cisco doc:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html
Each VLAN access map can consist of one or more map sequences; each sequence has a match clause and an action clause. The match clause specifies IP or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
Thanks
10-29-2015 07:48 PM
Yes, but it can be read different ways, as you can see.
A match clause can reference multiple ACLs.
I take that reference to mean that if the traffic matches a deny line in the ACL, it moves on to the next ACL if there is one, and if there isn't, it moves on to the next sequence if there is one.
What I don't think it means is that if the traffic matches a deny line in the ACL, it moves on to the next entry in the same ACL.
Depending on which it does, your traffic could be allowed or not.
If I had some switches to test with I would.
Jon
10-29-2015 07:58 PM
Hi Jon,
Thanks. I think you are correct. It seems that is what they are doing in production currently. I will test with the switches if I can get hold of any.
Thanks
10-29-2015 08:11 PM
Are you sure that is what they are doing in production, because it would mean those hosts would not be able to communicate with anything?
I thought this was just a general query rather than anything actually in use.
Jon
10-29-2015 10:11 PM
Hi Jon,
Sorry. What I meant was, one of my friends advised they have a similar VACL in their production.
There is only one sequence, and there is a deny statement for, say, hosts 10.1.1.1 to 10.1.1.2, and at the end there is a "permit ip any any" statement.
And with this rule, the two hosts are not able to communicate with each other.
Thanks
10-29-2015 10:23 PM
Okay, that makes more sense.
So yes, it looks like what happens is the match is made for those two hosts with the deny line, which moves it on to the next sequence, but there isn't one, so it is denied by the implicit rule.
Any other traffic between hosts in that VLAN would match the "permit ip any any" line and be allowed.
Jon
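To make the evaluation order Jon describes concrete (and to show Masoud's point that an ACL referenced from a VACL or route-map only classifies traffic, with the forward/drop decision living in the sequence's action clause), here is a small simulator. It is an added example, not Cisco code or anything from the thread's authors, and it assumes the reading the thread settles on: within a sequence, a permit ACE match applies the sequence's action; a deny match or no match moves on to the next ACL in the same match clause and then to the next sequence; a sequence with no match clause matches everything; and an implicit drop applies when the access map is exhausted. The configurations below (the original poster's "testing" map, a second forward-only sequence, the friend's production-style ACL, and an extended-ACL rendering of Masoud's access-list 1 example) are constructed for illustration.

```python
"""VACL evaluation-order simulator (constructed example; assumes the thread's reading)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class Sequence:
    number: int
    acls: List[str] = field(default_factory=list)  # empty list = matches all traffic
    action: str = "forward"      # "forward" or "drop"


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted hostmask (a Cisco wildcard) as the mask part
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Parse 'ip access-list extended NAME' blocks with 'permit|deny ip SRC DST' entries."""
    acls, current = {}, None
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif t[0] in ("permit", "deny") and t[1] == "ip":
            src, i = _parse_addr(t, 2)
            dst, _ = _parse_addr(t, i)
            current.append(Ace(t[0], src, dst))
    return acls


def parse_access_map(text: str) -> Dict[str, List[Sequence]]:
    """Parse 'vlan access-map NAME SEQ' blocks with match/action lines."""
    maps, seq = {}, None
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["vlan", "access-map"]:
            seq = Sequence(int(t[3]))
            maps.setdefault(t[2], []).append(seq)
        elif t[:3] == ["match", "ip", "address"]:
            seq.acls.extend(t[3:])
        elif t[0] == "action":
            seq.action = t[1]
    for seqs in maps.values():
        seqs.sort(key=lambda s: s.number)
    return maps


def acl_lookup(acl: List[Ace], src: str, dst: str) -> Optional[str]:
    """First-match ACL semantics: 'permit', 'deny', or None when no ACE matched."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return None


def vacl_verdict(seqs: List[Sequence], acls: Dict[str, List[Ace]], src: str, dst: str) -> str:
    """Walk the sequences in order and return 'forward' or 'drop' for the flow."""
    for seq in seqs:
        if not seq.acls:             # no match clause: every flow matches this sequence
            return seq.action
        for name in seq.acls:
            if acl_lookup(acls[name], src, dst) == "permit":
                return seq.action    # permit match: take the action, stop evaluating
            # deny match or no match: next ACL in this clause, then the next sequence
    return "drop"                    # implicit deny once the access map is exhausted


# Constructed configurations mirroring the thread
THREAD_ACL = "ip access-list extended testing\n deny ip any any\n permit ip any any\n"
THREAD_MAP = "vlan access-map testing 10\n match ip address testing\n action forward\n"
EXTRA_SEQ = "vlan access-map testing 20\n action forward\n"
PROD_ACL = ("ip access-list extended prod\n deny ip host 10.1.1.1 host 10.1.1.2\n"
            " deny ip host 10.1.1.2 host 10.1.1.1\n permit ip any any\n")
PROD_MAP = "vlan access-map prod 10\n match ip address prod\n action forward\n"
MASOUD_ACL = "ip access-list extended masoud\n deny ip host 1.1.1.1 any\n permit ip 1.1.1.0 0.0.0.255 any\n"


def verdict(acl_text: str, map_text: str, name: str, src: str, dst: str) -> str:
    return vacl_verdict(parse_access_map(map_text)[name], parse_acls(acl_text), src, dst)


if __name__ == "__main__":
    print(verdict(THREAD_ACL, THREAD_MAP, "testing", "10.1.1.1", "10.1.1.2"))              # drop
    print(verdict(THREAD_ACL, THREAD_MAP + EXTRA_SEQ, "testing", "10.1.1.1", "10.1.1.2"))  # forward
    print(verdict(PROD_ACL, PROD_MAP, "prod", "10.1.1.1", "10.1.1.2"))                    # drop
    print(verdict(PROD_ACL, PROD_MAP, "prod", "10.1.1.1", "10.1.1.5"))                    # forward
```

Running it reproduces the thread's conclusions: the original "testing" map drops 10.1.1.1 to 10.1.1.2 because the deny ACE matches and nothing follows it; adding sequence 20 with only "action forward" lets the flow through; and in the production-style ACL only the two explicitly denied hosts are cut off while 10.1.1.1 to 10.1.1.5 is forwarded by the "permit ip any any" entry. Note that the simulator only models IP ACLs and the implicit-drop rule; it does not model the Catalyst behaviour for packet types that have no ACL configured.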
10-29-2015 07:28 PM
Exactly and I believe we are seeing the same logic here.
The question is: does the deny line simply move it on to the next entry in the same ACL, which I don't think it does, or does it move it on to the next ACL in the match clause within the same sequence if there is one, or the next sequence if there is one?
Obviously, depending on which it does, the traffic will be either allowed or not.
Jon
10-29-2015 07:28 PM
Actually, you made me think. Let me get back to you later.
Thanks
10-29-2015 10:01 PM
Hello John,
You were right.
I finally found a source saying that a VLAN access-list follows the conventional rule of a route-map. I corrected my posts and rated your answer.
Masoud
10-29-2015 10:34 PM
Hi Masoud
Thanks for getting back to me on this.
I did a bit of searching as well but couldn't find anything definitive one way or the other.
I still don't understand your modified answer, though.
Why does nothing match "deny ip any any"? That should match all traffic.
So it isn't forwarded but goes on to the next sequence, but there isn't one, so the implicit deny will take effect.
I don't think the traffic will be forwarded.
Please note I am not trying to prove you wrong at all.
I use these forums to learn as much as answer questions and so I am genuinely interested as to whether I am misunderstanding something here.
Jon