09-19-2018 04:56 AM - edited 03-08-2019 04:12 PM
Hi Dear Friend,
I need some explanation about VACLs; I am sharing a simple scenario.
I clearly understand that I create a VLAN and a standard access-list, and after that we create a vlan access-map and match ip address <access-list number>, OK, action forward. I understand that if we want to forward the access-list IPs we must use forward, but why must we use drop in the same vlan access-map? Please explain, thanks a lot.
SWITCH_A(conf)#VLAN 10
SWITCH_A(conf)#VLAN 30
SWITCH_A(conf)#access-list 1 permit 10.1.10.0 0.0.0.255
SWITCH_A(conf)#vlan access-map DEMO 10
SWITCH_A(config-access-map)#match ip address 1
SWITCH_A(config-access-map)#action forward
SWITCH_A(conf)#vlan access-map DEMO 20
SWITCH_A(config-access-map)#action drop
SWITCH_A(conf)#vlan filter DEMO vlan-list 10
09-19-2018 05:11 AM
Hi there,
It is worth noting that a VACL has an implicit deny any at the end.
In your case, line 20 does not contain a match clause, so it will match all traffic and then drop it. This is redundant behaviour because of the implicit drop.
Cheers,
Seb.
09-19-2018 05:19 AM
09-19-2018 05:32 AM
The purpose of the access-list in this scenario is to match packets for processing by the access-map.
Suppose you wanted to apply an action to a whole /24 subnet except for a single host, you would use the following:
!
access-list 1 deny 10.1.10.100 0.0.0.0
access-list 1 permit 10.1.10.0 0.0.0.255
!
This would not match on the host IP of 10.1.10.100 but would match on the rest of the subnet.
Going back to your example, if you wanted to drop all traffic from that subnet using the access-map then simply issue an action drop for that clause:
!
vlan access-map DEMO 10
 match ip address 1
 action drop
!
…but since a VLAN typically only contains one subnet, matching to then drop is a bit pointless. You should just remove the match statement entirely.
!
vlan access-map DEMO 10
 action drop
!
vlan filter DEMO vlan-list 10
!
cheers,
Seb.
09-19-2018 05:57 AM
09-19-2018 06:39 AM
In the context of a VACL access-map, the ACL is used only for packet matching, not for filtering (in the same way one is used in a NAT ACL).
So, yes, you can use a deny statement in the ACL; this will have the effect of NOT matching (i.e. it excludes the host from the access-map match clause). These NOT MATCHED packets will still be forwarded.
Take this pointless example:
!
access-list 1 deny 10.1.10.100 0.0.0.0
access-list 1 permit 10.1.10.0 0.0.0.255
!
vlan access-map DEMO 10
 match ip address 1
 action forward
vlan access-map DEMO 20
 action forward
!
Although you have denied 10.1.10.100 and permitted the rest of the /24 subnet in the ACL, you will find that by the time the VACL has finished processing, the traffic flows for 10.1.10.100 will be unaffected.
Cheers,
Seb.
09-19-2018 12:44 PM - edited 09-19-2018 12:44 PM
Hello
Just like to add, a VACL map with no match or action statement by default forwards traffic, so regarding Seb's last example, just creating the second stanza would be good enough to forward all other traffic.
09-19-2018 01:17 PM
Hi @paul driver,
I don't doubt your knowledge, but your statement has made me do a bit of document digging and I am reading some conflicting sources.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html#14906
...says "If a VACL is configured for a packet type, and a packet of that type does not match the VACL, the default action is to deny the packet."
A bit further down an example:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/vlan_acls.html#30702
...says "In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action."
Are you suggesting that an empty stanza has an implicit permit? So without a match clause it will match and permit all the remaining packets?
!
vlan access-map DEMO 10
 match ip address 1
 action forward
vlan access-map DEMO 20
!
But if for example there was no sequence #20 then the remaining traffic would hit the implicit deny?
!
vlan access-map DEMO 10
 match ip address 1
 action forward
!
That seems like a subtle gotcha I've never noticed! I wish I had some hardware here at home to test this on!
cheers,
Seb.
09-20-2018 01:24 AM
Hello Seb
Correct, my understanding is that there is an "invisible" deny at the end of every VACL.
So say your VACL statements are the ones in bold.
There will be an invisible drop clause applied which won't get hit, because clause two is forwarding everything:
1) vlan access-map VACL
   match ACL
   action drop
2) vlan access-map VACL
3) (vlan access-map VACL (implicit)
   action drop)
However, say you applied this:
1) vlan access-map VACL
   match ACL
   action forward
2) (vlan access-map VACL (implicit)
   action drop)
Again there will be an invisible drop clause applied, which this time will get hit because clause 1 is only forwarding what is specified in the matched ACL.
So in summary:
without any stanza = default implicit deny
with stanza + match clause and no defined action = default implicit deny
with empty stanza = default implicit permit
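To make the evaluation order discussed in this thread concrete (the ACL only selecting packets, so a deny entry excludes a host rather than dropping it, as in Seb's two examples above; an empty stanza matching everything; and the implicit deny at the end of the VACL, as in Paul's summary), here is a small Python model of how a VLAN access-map processes a packet. This is an added example, not Cisco code and not something posted in the thread. It assumes the semantics described in the posts above: clauses are tried in sequence order, a clause with no match statement matches every packet, a clause with an omitted action defaults to forward, and a packet that matches no clause is dropped. The ACL, hosts and access-map names are constructed sample data mirroring the thread's DEMO configuration.

```python
"""Model of how a Cisco VLAN access-map (VACL) evaluates a packet.

Added example, not Cisco code. Assumed semantics (as described in the thread):
  - the ACL named in `match ip address` only selects packets: a permit entry
    means "this clause matches", a deny entry means "this clause does NOT match";
  - a clause with no match statement matches every packet;
  - a clause with no action defaults to forward;
  - a packet matched by no clause hits the implicit deny at the end of the VACL.
"""
import ipaddress


def _ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    care = 0xFFFFFFFF ^ _ip2int(wildcard)
    return (_ip2int(addr) & care) == (_ip2int(network) & care)


def acl_selects(acl, src_ip):
    """Standard ACL used purely for matching.

    The first entry that covers src_ip decides: permit -> selected,
    deny -> excluded. No entry covers it -> not selected (a standard ACL
    ends with its own implicit deny).
    """
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False


def vacl_action(clauses, src_ip):
    """Return 'forward' or 'drop' for a packet from src_ip.

    clauses: list of dicts {seq, acl (None = no match statement),
             action (None = omitted)}; evaluated in ascending seq order.
    """
    for clause in sorted(clauses, key=lambda c: c["seq"]):
        acl = clause.get("acl")
        if acl is None or acl_selects(acl, src_ip):
            # Assumption from the thread: an omitted action means forward.
            return clause.get("action") or "forward"
    return "drop"  # implicit deny at the end of every VACL


# Constructed sample data mirroring the thread's examples.
ACL_1 = [
    ("deny", "10.1.10.100", "0.0.0.0"),     # excluded host
    ("permit", "10.1.10.0", "0.0.0.255"),   # rest of the /24
]
HOSTS = ["10.1.10.100", "10.1.10.7", "10.1.30.5"]


def forward_matched_only():
    """vlan access-map DEMO 10 / match ip address 1 / action forward, nothing else."""
    vacl = [{"seq": 10, "acl": ACL_1, "action": "forward"}]
    return {h: vacl_action(vacl, h) for h in HOSTS}


def forward_matched_then_empty_stanza():
    """Same as above plus an empty 'vlan access-map DEMO 20' (no match, no action)."""
    vacl = [{"seq": 10, "acl": ACL_1, "action": "forward"}, {"seq": 20}]
    return {h: vacl_action(vacl, h) for h in HOSTS}


def drop_subnet_except_host():
    """action drop on clause 10, then an empty clause 20."""
    vacl = [{"seq": 10, "acl": ACL_1, "action": "drop"}, {"seq": 20}]
    return {h: vacl_action(vacl, h) for h in HOSTS}


if __name__ == "__main__":
    for scenario in (forward_matched_only,
                     forward_matched_then_empty_stanza,
                     drop_subnet_except_host):
        print(scenario.__name__, scenario())
```

Running it shows the "subtle gotcha" from the thread directly: with only clause 10, the host excluded by the ACL deny entry and the other VLAN's subnet both fall through to the implicit deny and are dropped, while adding an empty clause 20 lets everything that clause 10 did not match through.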