on 08-08-2019 07:23 AM
Dear Colleagues,
I'm learning new concepts for Cisco CCNP SWITCH and I got stuck learning VACLs.
I have read some documentation about it but I'm confused about how the access list and the VLAN access-map are mapped.
Here is a quick example and its config:
For VLAN filtering configure it as follows:
VLAN 5
drop all tcp packets
drop all udp packets
forward all other non-ip packets
forward all other ip packets
Here is the configuration to be done on the switch:
ip access-list extended tcp
permit tcp any any
ip access-list extended udp
permit udp any any
vlan access-map vacl 10
match ip address tcp
action drop
vlan access-map vacl 20
match ip address udp
action drop
vlan access-map vacl 30
action forward
vlan filter vacl vlan-list 5
My questions are:
1) why don't we deny TCP/UDP at the extended access list level?
2) does the command match ip address of the VACL mean that if an IP packet matches the access list tcp or udp, the consequent action is drop?
3) if we don't specify a mapping for the VACL and the ACL and req the action forward, will it forward all packet protocols without differentiation?
Thanks for your answers.
on 08-09-2019 04:26 AM
Hi
Below you will find the answers for your questions:
1) why don't we deny TCP/UDP at the extended access list level?
You can specify or customize your ACL as you usually create extended ACLs; for example, you can specify the source, the source port, and the destination as well. It can be configured as required; now take into consideration how to apply it.
2) the command match IP address of vacl means that if an IP packet match with the access list TCP or UDP the consequent action is dropped?
Yes, basically the VACL works like a normal ACL, reading from top to bottom, so in your case the UDP packets will be dropped.
3) if we don't specify a mapping for the vacl and the ACL and req the action forward will forward all packet protocols without differentiation?
No, like the ACLs or PBR sequence, there is an implicit deny, so if you don't specify anything else after the last map, everything will be dropped. Please visit the following link:
VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type.
I hope the question is answered.
Regards.
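To make the three answers concrete, here is a small Python model of how a VLAN access-map is evaluated. It is an added example, not code from the thread or from Cisco; the ACLs, sequence numbers and packet types are the ones from the post, plus a constructed "tcp-deny" ACL to show what happens when the ACL uses deny instead of permit, and the rule that a packet type with no ACL configured for it is forwarded is an assumption taken from the quoted sentence above.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    is_ip: bool          # False for non-IP frames such as ARP
    proto: str = ""      # "tcp", "udp", "icmp", ... when is_ip is True

# Extended ACLs, modelled as ordered (action, protocol) entries.
# "any any" is implied: the model matches on protocol only.
ACLS = {
    "tcp": [("permit", "tcp")],            # from the thread
    "udp": [("permit", "udp")],            # from the thread
    "tcp-deny": [("deny", "tcp")],         # constructed: what question 1 asks about
}

def acl_permits(acl_name, pkt):
    """A packet 'matches' a VACL sequence only if the ACL *permits* it.
    A deny line, or falling off the end of the ACL, is not a match."""
    for action, proto in ACLS[acl_name]:
        if proto in (pkt.proto, "ip"):
            return action == "permit"
    return False

def evaluate_vacl(access_map, pkt):
    """access_map: ordered (sequence, acl_name_or_None, action) tuples.
    Sequences are checked top to bottom and the first match wins; a sequence
    with no match clause matches everything. If nothing matches and at least
    one ACL in the map applies to the packet type, the implicit deny drops it;
    if no ACL applies to the type, the packet is forwarded (assumed behaviour).
    Returns (action, sequence_that_decided)."""
    ip_acl_configured = any(acl is not None for _, acl, _ in access_map)
    for seq, acl, action in access_map:
        if acl is None:
            return action, seq
        if pkt.is_ip and acl_permits(acl, pkt):
            return action, seq
    if pkt.is_ip and ip_acl_configured:
        return "drop", "implicit-deny"
    return "forward", "no-acl-for-type"

# The access-map from the thread, and two variants that answer questions 1 and 3.
VACL_POSTED = [(10, "tcp", "drop"), (20, "udp", "drop"), (30, None, "forward")]
VACL_NO_CATCHALL = VACL_POSTED[:2]                       # sequence 30 omitted
VACL_DENY_IN_ACL = [(10, "tcp-deny", "drop"), (30, None, "forward")]

if __name__ == "__main__":
    for name, vacl in [("posted", VACL_POSTED), ("no-catchall", VACL_NO_CATCHALL),
                       ("deny-in-acl", VACL_DENY_IN_ACL)]:
        for pkt in (Packet(True, "tcp"), Packet(True, "icmp"), Packet(False)):
            print(name, pkt, "->", evaluate_vacl(vacl, pkt))
```

Running it shows ICMP being dropped by the implicit deny once sequence 30 is removed, and TCP sailing through to the forward sequence when the ACL says deny instead of permit, which is why the ACL lines in the post are permit statements.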