07-12-2013 04:54 PM - edited 07-04-2021 12:24 AM
Hello Community,
I am currently studying for the CCNP SWITCH exam and had a question about how VLAN ACL's operate in a specific instance. The book is not clearing it up for me:
If I had the following configuration:
VTP-Server-1(config)# ip access-list extended ALLOW-TCP
VTP-Server-1(config-ext-nacl)# permit tcp any any
VTP-Server-1(config-ext-nacl)# exit
VTP-Server-1(config)# ip access-list extended ALLOW-UDP
VTP-Server-1(config-ext-nacl)# permit udp any any
VTP-Server-1(config-ext-nacl)# exit
VTP-Server-1(config)# ip access-list extended ALLOW-IP
VTP-Server-1(config-ext-nacl)# permit ip any any
VTP-Server-1(config-ext-nacl)# exit
VTP-Server-1(config)# vlan access-map MY-VACL-MAP 10
VTP-Server-1(config-access-map)# match ip address ALLOW-TCP
VTP-Server-1(config-access-map)# action forward
VTP-Server-1(config-access-map)# exit
VTP-Server-1(config)# vlan access-map MY-VACL-MAP 20
VTP-Server-1(config-access-map)# action drop
VTP-Server-1(config-access-map)# exit
VTP-Server-1(config)# vlan access-map MY-VACL-MAP 30
VTP-Server-1(config-access-map)# match ip address ALLOW-IP
VTP-Server-1(config-access-map)# action forward
VTP-Server-1(config-access-map)# exit
VTP-Server-1(config)# vlan filter MY-VACL-MAP vlan-list 22
Would TCP traffic be allowed to pass and all other traffic dropped, since there is no specific ACL being matched in "MAP 20"? Would the filter ever get past the second map, "map 20", in this case? I'm confused as to what would actually happen in this case. The book has conflicting entries about what actions would be taken, since the second entry has no ACL matched to it. It says in the first part that "Because no ACL is specifically matched in sequence 20, all traffic that is not dropped in sequence 10 is effectively forwarded." But at the end, in the chapter quiz, it marks me wrong when I say the traffic will be forwarded; it states that IP and UDP traffic will be dropped.
Thanks.
Chris.
07-14-2013 12:04 AM
Hello Chris
Since MY-VACL-MAP-20 didn't specify a match, it will match everything. That means the chapter quiz is correct: all IP and UDP traffic will be dropped.
For reference you can see the following links
http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/
https://learningnetwork.cisco.com/thread/37041
Please rate if this helps
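To make the evaluation order concrete, the following is an added Python model of the access-map from the question. It is written for this page and is not code from any post above or from Cisco; it assumes the VACL semantics stated in the answer (sequences tried in ascending order, first match wins, a sequence with no match clause matches everything, a packet that matches no sequence is dropped) and reduces the three ACLs to protocol-only entries because that is all the posted configuration uses. The names MY_VACL_MAP, MY_VACL_MAP_UDP_DROP and ONLY_TCP are the model's own.

```python
"""Hypothetical model of Cisco VACL (vlan access-map) evaluation.

Semantics modelled (as described in the thread, not Cisco's implementation):
  * sequences are tried in ascending order and the first one that matches wins;
  * a sequence with no 'match' clause matches every packet;
  * a packet matches an ACL only if it hits a permit ACE; a deny ACE, or the
    implicit deny at the end of the ACL, means "no match, try the next sequence";
  * a packet that matches no sequence at all is dropped (implicit deny).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str  # constructed sample input: "tcp", "udp", "icmp", ...

# The three extended ACLs from the post, reduced to (action, protocol) ACEs.
# "ip" is the IOS wildcard protocol that covers every IP packet.
ACLS = {
    "ALLOW-TCP": [("permit", "tcp")],
    "ALLOW-UDP": [("permit", "udp")],
    "ALLOW-IP":  [("permit", "ip")],
}

def acl_permits(acl_name: str, pkt: Packet) -> bool:
    """True if the packet hits a permit ACE of the named ACL."""
    for action, proto in ACLS[acl_name]:
        if proto in ("ip", pkt.proto):
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no match for the VACL

# One map entry: (sequence number, matched ACL or None, action)
MapEntry = Tuple[int, Optional[str], str]

# The access-map exactly as posted.
MY_VACL_MAP: List[MapEntry] = [
    (10, "ALLOW-TCP", "forward"),
    (20, None,        "drop"),     # no match clause, so it matches everything
    (30, "ALLOW-IP",  "forward"),  # can never be reached
]

# What the book's first sentence would require: sequence 20 matches only UDP,
# so traffic that is neither TCP nor UDP falls through to sequence 30.
MY_VACL_MAP_UDP_DROP: List[MapEntry] = [
    (10, "ALLOW-TCP", "forward"),
    (20, "ALLOW-UDP", "drop"),
    (30, "ALLOW-IP",  "forward"),
]

# A map with a single forwarding sequence, to show the implicit drop at the end.
ONLY_TCP: List[MapEntry] = [
    (10, "ALLOW-TCP", "forward"),
]

def evaluate(vacl: List[MapEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching sequence, or ('drop', None)
    when no sequence matches."""
    for seq, acl, action in sorted(vacl, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, pkt):
            return action, seq
    return "drop", None

def trace(vacl: List[MapEntry], protos=("tcp", "udp", "icmp")) -> dict:
    """Evaluate one packet of each protocol and report which sequence decided it."""
    return {p: evaluate(vacl, Packet(p)) for p in protos}

if __name__ == "__main__":
    print("as posted:          ", trace(MY_VACL_MAP))
    print("seq 20 matches UDP: ", trace(MY_VACL_MAP_UDP_DROP))
    print("only seq 10:        ", trace(ONLY_TCP))
```

Running the script shows that with the map as posted only TCP is forwarded (at sequence 10) and every other packet, UDP included, is dropped at sequence 20; sequence 30 never decides anything. Putting `match ip address ALLOW-UDP` on sequence 20 makes only UDP hit the drop, and ICMP falls through to sequence 30. The ONLY_TCP map shows the implicit deny at the end of the map: UDP matches no sequence and is dropped without any sequence number.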
07-15-2013 09:29 AM
Eduardo,
Thank you so much for the clarification!
Chris.
07-16-2013 02:37 PM
Eduardo,
I know this seems intuitive, but since sequence 20 matches everything, does it stand to reason that the map filter will never get past sequence 20 and on to sequence 30, etc.? I would venture to say that it doesn't, since all packets are matched in sequence 20. Thanks.
Chris.