Vlan ACL concepts

sfarazaz123
Level 1

Hi respected members,

I am reading about VACLs for my CCNP these days. The official book has some text that I didn't understand. Please help me to understand these concepts.

Q1) The text says:

"When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence." What does that mean, and does the next sequence check for allow or deny?

Q2) "If a flow does not match any ACL entry and at least one ACL is configured for the packet type, the packet is denied."

Q3) "Beyond traffic filtering, the VACL capture port feature can help overcome some limitations of VLAN SPAN." Please explain that as well for me.

I really didn't understand these statements. Please give me a clear explanation, or guide me to a clear explanation, for better understanding.

Thanks in advance.

2 Replies

Julio E. Moisa
VIP Alumni

Hi

An ACL is read from top to bottom; VACLs (VLAN maps) and PBR are applied in the same way. Now about the questions:

Q1) The text says:

"When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence." What does that mean, and does the next sequence check for allow or deny?

For example, you have the following sequence:

access-list 100 deny ip any any
access-list 100 permit tcp host 1.1.1.1 any eq 80

The first line is denying everything, so the second line will be checked to verify whether or not the first line is affecting the access.

Q2) "If a flow does not match any ACL entry and at least one ACL is configured for the packet type, the packet is denied."

By default there is an implicit deny at the bottom of the ACL; if the flow does not match any entry it will be denied, even though you have more ACL lines.

Q3) "Beyond traffic filtering, the VACL capture port feature can help overcome some limitations of VLAN SPAN." Please explain that as well for me.

A VACL cannot monitor traffic the way a SPAN session does; you can use a sniffer program to see the kind of traffic passing through ports. My understanding is that a VACL can work with the feature called Capture Port in order to analyze the traffic, because a VACL can match source, destination, ports, etc.

Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<
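The following Python model is an added illustration for the Q1 and Q2 rules quoted from the book; it is not part of the original thread and not Cisco code. It assumes the usual first-match evaluation of ACEs inside one ACL (with the implicit deny at the bottom), takes the two-line access-list 100 from the reply above as its input, and makes one assumption the book text does not state: a packet type for which no ACL is configured in the VLAN map is forwarded. The flows, the second ACL and the sequence numbers are constructed sample values.

```python
"""Model of Catalyst VLAN access-map (VACL) evaluation as quoted in the thread.

Rules implemented:
  * ACEs in one ACL are tested top to bottom; the first matching ACE decides,
    and an ACL with no matching ACE ends in the implicit deny (reply to Q2).
  * A flow that hits a permit ACE matches the map clause; the clause action applies.
  * A flow that hits a deny ACE (explicit or implicit) does NOT match this clause:
    it is tested against the next ACL in the same sequence, then the next sequence (Q1).
  * If no clause matches and at least one ACL is configured for the packet type,
    the packet is dropped (Q2).
  * Assumption (standard Catalyst behaviour, not stated in the thread): a packet
    type for which no ACL is configured in the map is forwarded.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp host 1.1.1.1 any eq 80'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol
    src: str                      # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None   # 'eq <port>' on the destination, if present

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return ip_address(spec.split()[1]) == ip_address(addr)
        return ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return self._addr_match(self.src, flow.src) and self._addr_match(self.dst, flow.dst)


def evaluate_acl(acl: list, flow: Flow) -> str:
    """First-match evaluation; the implicit 'deny ip any any' catches everything else."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"                 # implicit deny at the bottom of every ACL


@dataclass
class Sequence:
    """One 'vlan access-map NAME <seq>' clause: its match ACLs and its action."""
    seq: int
    match_acls: list              # list of ACLs (each a list of Ace)
    action: str                   # "forward" or "drop"


def evaluate_vlan_map(vmap: list, flow: Flow) -> str:
    """Return 'forward' or 'drop' for an IP flow, following the quoted VACL rules."""
    for clause in sorted(vmap, key=lambda c: c.seq):
        for acl in clause.match_acls:
            if evaluate_acl(acl, flow) == "permit":
                return clause.action      # permit ACE: clause matches, action applies
            # deny ACE: keep looking in the next ACL of this clause, then the next clause
    ip_acl_configured = any(clause.match_acls for clause in vmap)
    return "drop" if ip_acl_configured else "forward"   # Q2 rule; else-branch is the assumption


# access-list 100 exactly as written in the reply (deny first, permit second)
ACL_100_DENY_FIRST = [
    Ace("deny", "ip", "any", "any"),
    Ace("permit", "tcp", "host 1.1.1.1", "any", dport=80),
]
ACL_100_PERMIT_FIRST = list(reversed(ACL_100_DENY_FIRST))   # same entries, permit on top
ACL_DNS = [Ace("permit", "udp", "any", "any", dport=53)]    # constructed second ACL

WEB_FROM_HOST = Flow("tcp", "1.1.1.1", "10.0.0.5", 80)      # constructed sample flow
DNS_FROM_HOST = Flow("udp", "1.1.1.1", "10.0.0.53", 53)     # constructed sample flow


def demo() -> dict:
    """Run the sample flows through the ACLs and three VLAN-map layouts."""
    deny_first_map = [Sequence(10, [ACL_100_DENY_FIRST], "forward")]
    permit_first_map = [Sequence(10, [ACL_100_PERMIT_FIRST], "forward")]
    two_seq_map = [Sequence(10, [ACL_100_DENY_FIRST], "forward"),
                   Sequence(20, [ACL_DNS], "forward")]
    return {
        "acl100 deny-first, web flow": evaluate_acl(ACL_100_DENY_FIRST, WEB_FROM_HOST),
        "acl100 permit-first, web flow": evaluate_acl(ACL_100_PERMIT_FIRST, WEB_FROM_HOST),
        "vacl deny-first, web flow": evaluate_vlan_map(deny_first_map, WEB_FROM_HOST),
        "vacl permit-first, web flow": evaluate_vlan_map(permit_first_map, WEB_FROM_HOST),
        "vacl permit-first, dns flow": evaluate_vlan_map(permit_first_map, DNS_FROM_HOST),
        "vacl two sequences, dns flow": evaluate_vlan_map(two_seq_map, DNS_FROM_HOST),
        "vacl two sequences, web flow": evaluate_vlan_map(two_seq_map, WEB_FROM_HOST),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} -> {verdict}")
```

With the deny entry on top, every flow hits it first, so under the quoted rule the clause never matches and, with no later sequence to catch it, the IP flow is dropped by the Q2 rule; swapping the two entries lets the web flow match and be forwarded. The two-sequence map shows the "next sequence" part of Q1: the DNS flow falls through sequence 10 and is forwarded by sequence 20.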

Thanks a lot for your quick reply.

I am sorry for the late response.

In this particular example:

For example, you have the following sequence:

access-list 100 deny ip any any
access-list 100 permit tcp host 1.1.1.1 any eq 80

1) Point nr 1:

What will be the result in this case, "allow" or "deny"? My understanding is that when the first rule is hit and it finds a match ("deny all"), the traffic should not go on to check the other rule in the sequence.

2) Point nr 2:

But if it checks the 2nd rule, what exactly is it checking, allow or deny?

Please explain the two points for me.

BR