VACL

rakeshvelagala
Level 3

Dear All,

Please advise on the below.

Say in VLAN 3 I have hosts 10.1.1.1 and 10.1.1.2. I have applied the VLAN filter as below. According to the Cisco DOC for VACL, even if there is a deny for the host, it will still check the next sequence, and if there is a permit for those IPs further down, it will still allow the traffic. Can someone please advise if my understanding is correct?

So can the two hosts communicate with each other?

vlan access-map testing 10
 match ip address testing
 action forward
!
vlan filter testing vlan-list 3

And my access list is as below:

ip access-list extended testing
 deny ip any any
 permit ip any any

Thanks

Accepted Solution

Jon Marshall
Hall of Fame

It's been a while since I looked at these but I am sure someone will correct me if I am wrong.

The logic is somewhat similar to the logic of route maps ie. not always intuitive :-)

So the match clause is checked in the first sequence and the first "deny ip any any" in the acl will match the traffic.

Because it is a deny and not a permit, it simply moves on to the next sequence.

Note it moves on to the next sequence, not the next entry in the ACL in the first match clause, because it has already found a match in that ACL.

That is what the documentation means when it says it checks the next sequence.

But you don't have another sequence, and there is an implicit deny at the end, so it should be dropped.

If you created another sequence and just had an action of forward, it would be allowed.

Jon


18 Replies

Hello,

The action will be "DROP" and the hosts cannot communicate.

VACL follows the conventional rule of a route-map. If a flow matches a permit, the action is performed and the route-map entries with higher sequence numbers are not checked.

If it encounters a deny, it does not check the following ACEs; it goes to the route-map entry with the next higher sequence number and continues checking.

In your case, all traffic matches the deny entry, so the next ACE will not be checked. Because there is no route-map entry with a higher sequence, the traffic will be dropped.

Hope it helps,

Masoud

Masoud

Okay, we have provided different answers to the same question.

"When a flow matches a deny ACL entry it will be checked against the next ACL in the same sequence or the next sequence."

But is that the next entry in the same ACL, or the next ACL in the same match clause? A match clause can refer to multiple ACLs.

I believe, although I could well be wrong and can't test it, that it is referring to the next ACL in the same match clause if there is one, and if there isn't it moves on to the next sequence. In this case there isn't another sequence, so the traffic will be dropped.

What do you think ?

Jon

Hello John,

Thanks for reading my comment.

The purpose of the access-list in a route-map is only matching the traffic. The actual deny or permit takes place in the route-map.

Suppose you are going to match all traffic coming from the network 1.1.1.0/24 except traffic coming from host 1.1.1.1:

access-list 1 deny host 1.1.1.1
access-list 1 permit 1.1.1.0 0.0.0.255
(implicit deny any at the end)

With this access-list, traffic coming from 1.1.1.0/24 except 1.1.1.1 matches.

The implicit deny says everything else does not match.

Then you decide in the route-map whether to deny the traffic or permit it.

Thanks,

Masoud

Dear All,

Below is what is in the Cisco DOC:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html

Each VLAN access map can consist of one or more map sequences; each sequence has a match clause and an action clause. The match clause specifies IP or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.

Thanks

Yes, but it can be read different ways, as you can see.

A match clause can reference multiple ACLs.

I take that reference to mean that if the traffic matches a deny line in the ACL, it moves on to the next ACL if there is one, and if there isn't it moves on to the next sequence if there is one.

What I don't think it means is that if the traffic matches a deny line in the ACL, it moves on to the next entry in the same ACL.

Depending on which it does, your traffic could be allowed or not.

If I had some switches to test with I would.

Jon

Hi Jon,

Thanks. I think you are correct. It seems that is what they are doing in production currently. I will test with the switches if I can get hold of any.

Thanks

Are you sure that is what they are doing in production? It would mean those hosts would not be able to communicate with anything.

I thought this was just a general query rather than anything actually in use.

Jon

Hi Jon,

Sorry. What I meant was, one of my friends advised that they have a similar VACL in their production.

There is only one sequence, and there is a deny statement for, say, hosts 10.1.1.1 to 10.1.1.2, and at the end there is a permit ip any any statement.

And with this rule, the two hosts are not able to communicate with each other.

Thanks

Okay that makes more sense.

So yes, it looks like what happens is that the match is made for those two hosts with the deny line, which moves it on to the next sequence, but there isn't one, so it is denied by the implicit rule.

Any other traffic between hosts in that VLAN would match the "permit ip any any" line and be allowed.

Jon
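To make the competing readings concrete, here is a small Python model of the evaluation rules quoted from the Cisco documentation earlier in the thread, applied both to the configuration in the original question (deny ip any any followed by permit ip any any, one sequence with action forward) and to the production case just described (a deny between two hosts followed by permit ip any any). This is an added example written for this page; it is not Cisco code and says nothing about how any particular IOS release is implemented. The `deny_skips_to_next_ace` flag is an assumption used only to contrast the two readings argued above: a deny hit moving on to the next ACL or sequence (Jon's reading, the default) versus a deny hit moving on to the next entry in the same ACL. The host address 10.1.1.5 in the production case is a constructed sample.

```python
"""Model of the VLAN access-map evaluation rules quoted in this thread.

Added illustration only: not Cisco code and not a claim about any IOS release.
Rules modelled from the documentation excerpt:
  * a map has numbered sequences, each with a match clause (one or more ACLs)
    and an action; a sequence with no match clause matches every packet
  * an ACL is read top-down and the first matching ACE decides its result
  * permit ACE hit -> the sequence action is applied and evaluation stops
  * deny ACE hit   -> move to the next ACL in the match clause, then to the
                      next sequence (Jon's reading; see the flag in lookup())
  * nothing permits the flow -> implicit drop
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _covers(spec: str, addr: str) -> bool:
    """spec is 'any' or a CIDR prefix; host entries are written as /32."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Ace:
    permit: bool
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return _covers(self.src, src) and _covers(self.dst, dst)


@dataclass
class Acl:
    name: str
    entries: List[Ace]

    def lookup(self, src: str, dst: str, deny_skips_to_next_ace: bool) -> Optional[str]:
        """Return 'permit', 'deny', or None when no ACE matched.

        With deny_skips_to_next_ace=True a deny hit is ignored and scanning
        continues with the next ACE: the alternative reading from the thread.
        """
        for ace in self.entries:
            if ace.matches(src, dst):
                if ace.permit:
                    return "permit"
                if not deny_skips_to_next_ace:
                    return "deny"
        return None


@dataclass
class Sequence:
    number: int
    acls: List[Acl]   # empty list = no match clause = matches all packets
    action: str       # "forward" or "drop"


def evaluate(sequences: List[Sequence], src: str, dst: str,
             deny_skips_to_next_ace: bool = False) -> Tuple[str, List[str]]:
    """Return (final action, trace of what was checked) for one flow."""
    trace: List[str] = []
    for seq in sorted(sequences, key=lambda s: s.number):
        if not seq.acls:
            trace.append(f"seq {seq.number}: no match clause -> {seq.action}")
            return seq.action, trace
        for acl in seq.acls:
            result = acl.lookup(src, dst, deny_skips_to_next_ace)
            trace.append(f"seq {seq.number} acl {acl.name}: {result or 'no match'}")
            if result == "permit":
                return seq.action, trace
            # deny or no match: carry on with the next ACL, then next sequence
    trace.append("no permit ACE hit in any sequence: implicit drop")
    return "drop", trace


# ACL from the original question: deny ip any any, then permit ip any any
TESTING = Acl("testing", [Ace(False, "any", "any"), Ace(True, "any", "any")])


def original_question(deny_skips_to_next_ace: bool = False) -> str:
    """Sequence 10 only, action forward, flow 10.1.1.1 -> 10.1.1.2."""
    seqs = [Sequence(10, [TESTING], "forward")]
    return evaluate(seqs, "10.1.1.1", "10.1.1.2", deny_skips_to_next_ace)[0]


def with_catch_all_sequence() -> str:
    """Jon's suggestion: add sequence 20 with only 'action forward'."""
    seqs = [Sequence(10, [TESTING], "forward"), Sequence(20, [], "forward")]
    return evaluate(seqs, "10.1.1.1", "10.1.1.2")[0]


def production_case() -> Tuple[str, str]:
    """Deny between 10.1.1.1 and 10.1.1.2, then permit ip any any.

    Returns the action for 10.1.1.1 -> 10.1.1.2 and for 10.1.1.1 -> 10.1.1.5
    (10.1.1.5 is a constructed sample host).
    """
    acl = Acl("prod", [Ace(False, "10.1.1.1/32", "10.1.1.2/32"),
                       Ace(False, "10.1.1.2/32", "10.1.1.1/32"),
                       Ace(True, "any", "any")])
    seqs = [Sequence(10, [acl], "forward")]
    return (evaluate(seqs, "10.1.1.1", "10.1.1.2")[0],
            evaluate(seqs, "10.1.1.1", "10.1.1.5")[0])


if __name__ == "__main__":
    print("question, deny -> next sequence:", original_question())
    print("question, deny -> next ACE:     ", original_question(True))
    print("question + seq 20 forward:      ", with_catch_all_sequence())
    print("production case (1->2, 1->5):   ", production_case())
```

Under Jon's reading the original configuration drops everything, adding a catch-all sequence 20 forwards everything, and the production ACL blocks only the two named hosts while forwarding the rest; under the next-ACE reading the original configuration would forward the flow instead, which is exactly the difference the thread is debating.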

Exactly and I believe we are seeing the same logic here.

The question is: does the deny line simply move it on to the next entry in the same ACL, which I don't think it does, or does it move it on to the next ACL in the match clause within the same sequence if there is one, or the next sequence if there is one?

Obviously, depending on which it does, the traffic will be either allowed or not.

Jon

Actually, you made me think. Let me get back to you later.

Thanks

Hello John,

You were right.

I finally found a source saying that the VLAN access-list follows the conventional rule of a route-map. I corrected my posts and rated your answer.

Masoud

Hi Masoud

Thanks for getting back to me on this.

I did a bit of searching as well but couldn't find anything definitive one way or the other.

I still don't understand your modified answer, though.

Why does nothing match "deny ip any any"? That should match all traffic.

So it isn't forwarded but goes on to the next sequence, but there isn't one, so the implicit deny will take effect.

I don't think the traffic will be forwarded.

Please note I am not trying to prove you wrong at all.

I use these forums to learn as much as to answer questions, so I am genuinely interested as to whether I am misunderstanding something here.

Jon
