04-22-2018 12:51 PM - edited 03-08-2019 02:45 PM
Hi respected members,
I am reading about VACLs for my CCNP these days. The official book has some text that I didn't understand. Please help me to understand these concepts.
Q1) The text says
"When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence." What does that mean, and does the next sequence check for allow or deny?
Q2) "If a flow does not match any ACL entry and at least one ACL is configured for the packet type, the packet is denied."
Q3) "Beyond traffic filtering, the VACL capture port feature can help overcome some limitations of VLAN SPAN." Please explain that as well for me.
I really didn't understand these statements. Please give me a clear explanation or guide me to a clear explanation for better understanding.
Thanks in advance.
04-22-2018 01:09 PM - edited 04-22-2018 01:15 PM
Hi
An ACL is read from top to bottom; VACLs (VLAN maps) and PBR are applied in the same way. Now about the questions:
Q1) The text says
"When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence." What does that mean, and does the next sequence check for allow or deny?
For example you have the following sequence:
access-list 100 deny ip any any
access-list 100 permit tcp host 1.1.1.1 any eq 80
The first line is denying everything, so the second line will be checked to verify whether or not the first line is affecting the access.
Q2) "If a flow does not match any ACL entry and at least one ACL is configured for the packet type, the packet is denied."
By default there is an implicit deny at the bottom of the ACL list; if the flow does not match any entry it will be denied, even though you have more ACL lines.
Q3) "Beyond traffic filtering, the VACL capture port feature can help overcome some limitations of VLAN SPAN." Please explain that as well for me.
The VACL cannot monitor traffic like a SPAN session does; you can use a sniffer program to see the kind of traffic passing through ports. My understanding is that VACL can work with the feature called Capture Port in order to analyze the traffic, because VACL can match source, destination, ports, etc.
Hope it is useful
:-)
04-30-2018 12:51 PM
Thanks a lot for your quick reply.
I am sorry for the late response.
In this particular example
For example you have the following sequence:
access-list 100 deny ip any any
access-list 100 permit tcp host 1.1.1.1 any eq 80
1) Point nr 1:
What will be the result in this case, "allow" or "deny"? My understanding is that when the first rule is hit and it finds a match ("deny all"), the traffic should not go on and check the other rule in the sequence.
2) Point nr 2
But if it checks the 2nd rule, what exactly is it checking, allow or deny?
Please explain the two points for me.
BR
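As an added example (not from the thread or the CCNP book), here is a small Python model of the two lookups being discussed: a router/interface ACL, where the first matching line wins, and a VLAN access map, where a deny line in the matched ACL means "not matched by this sequence" so the next sequence is tried. It uses the access-list 100 from the reply above; access-list 101, the access-map sequences and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed ACE modelling one "access-list" line; "any" is 0.0.0.0/0.
@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any IP protocol) or "tcp"
    src: str               # source prefix in CIDR form
    dst: str               # destination prefix in CIDR form
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

def acl_lookup(acl: list, pkt: dict) -> str:
    """Interface ACL: first matching line wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def vacl_lookup(access_map: list, pkt: dict) -> str:
    """VLAN access map: sequences are tried in order. A sequence matches only
    when its ACL permits the flow; a deny line means 'not matched here', so
    the next sequence is checked. If no sequence matches and at least one
    ACL of the packet's type (ip/mac) is configured, the packet is dropped."""
    for _seq, acl_type, acl, action in access_map:
        if acl_type == pkt["type"] and acl_lookup(acl, pkt) == "permit":
            return action
    if any(t == pkt["type"] for _s, t, _a, _act in access_map):
        return "drop"
    return "forward"

# access-list 100 from the thread, plus a constructed access-list 101
ACL_100 = [Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
           Ace("permit", "tcp", "1.1.1.1/32", "0.0.0.0/0", 80)]
ACL_101 = [Ace("permit", "tcp", "1.1.1.1/32", "0.0.0.0/0", 80)]
# vlan access-map WEB 10: match ip address 100, action forward
#                     20: match ip address 101, action forward  (assumed)
ACCESS_MAP = [(10, "ip", ACL_100, "forward"), (20, "ip", ACL_101, "forward")]

# Constructed sample packets (ARP is a non-IP packet type)
WEB = {"type": "ip", "proto": "tcp", "src": "1.1.1.1", "dst": "10.0.0.5", "dport": 80}
OTHER = {"type": "ip", "proto": "udp", "src": "2.2.2.2", "dst": "10.0.0.5", "dport": 53}
ARP = {"type": "mac", "proto": "arp"}
```

Calling `acl_lookup(ACL_100, WEB)` gives "deny" (the first line wins on an interface ACL), while `vacl_lookup(ACCESS_MAP, WEB)` gives "forward" because sequence 10 does not match and sequence 20 does; the ARP packet is forwarded since no MAC ACL is configured.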