Re: VACL vs ACL

From: Dale Shaw (dale.shaw@gmail.com)
Date: Wed Mar 18 2009 - 08:38:51 ART


Hi,

On Wed, Mar 18, 2009 at 10:26 PM, Tolulope Ogunsina <togunsina@gmail.com> wrote:
> When an access-list is applied to an SVI, it only matches traffic
> routed THROUGH the SVI. On the other hand, traffic within VLANs doesn't
> necessarily pass through the SVI, so ACLs applied to SVIs are not
> adequate to match such traffic. VLAN access-maps are designed to do
> just that.
> So by design, they perform entirely different functions.

I mostly agree with what you're saying, except there are areas where
the functionality provided by the various ACL types overlap. For
example, VLAN maps (VACLs) can be used to filter IP traffic routed
inbound and outbound to/from a VLAN, achieving similar results to
Router ACLs.

Of course, if one is not limited to using a particular tool, one is
not likely to choose VLAN maps for inter-VLAN IP filtering.

Between Port ACLs, VLAN maps, private VLANs, and switchport protected,
you've got some pretty good options for providing filtering/host
isolation at layer 2.

cheers,
Dale
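As an added illustration of the distinction discussed in this thread (constructed for this page, not taken from either poster), the Cisco IOS configuration below places a router ACL on the SVI, which only sees traffic routed into or out of VLAN 10, beside a VLAN access-map that also catches host-to-host traffic bridged within VLAN 10. The VLAN number, the 10.1.10.0/24 and 10.1.20.0/24 subnets, the gateway address and all ACL/map names are assumptions.

```cisco
! --- Router ACL: applied to the SVI, so it matches only traffic that is
! --- routed through VLAN 10's gateway (e.g. VLAN 10 -> VLAN 20).
! --- Two hosts inside VLAN 10 never hit this ACL.
ip access-list extended ROUTED-FROM-VLAN10
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group ROUTED-FROM-VLAN10 in
!
! --- VLAN map (VACL): applied to the VLAN itself, so it is evaluated for
! --- bridged intra-VLAN traffic as well as traffic entering/leaving the
! --- VLAN. Inside a VLAN map, "permit" in the referenced ACL means
! --- "this packet matches the clause"; "deny" means "does not match".
ip access-list extended INTRA-VLAN10-HOSTS
 ! exempt the gateway so hosts can still reach their default route
 deny   ip any host 10.1.10.1
 deny   ip host 10.1.10.1 any
 ! any other host-to-host traffic within the subnet is a match
 permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255
!
vlan access-map VLAN10-ISOLATE 10
 match ip address INTRA-VLAN10-HOSTS
 action drop
! Unmatched packets are dropped by default when a map has an IP match
! clause, so an explicit catch-all forward entry is required.
vlan access-map VLAN10-ISOLATE 20
 action forward
!
vlan filter VLAN10-ISOLATE vlan-list 10
```

With both applied, a VLAN 10 host talking to a VLAN 20 host is checked by ROUTED-FROM-VLAN10 on the SVI, while two VLAN 10 hosts talking directly are checked only by the VLAN map; `show vlan access-map` and `show vlan filter` confirm what is applied.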

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART