Re: VACL vs ACL

From: Dale Shaw (dale.shaw@gmail.com)
Date: Wed Mar 18 2009 - 08:58:00 ART

• Next message: Thor Kopp: "OT: CCSP and CCVP Resources"
• Previous message: Sadiq Yakasai: "Re: NAT with router on a stick"
• Maybe in reply to: Salahaddin Elshekeil: "VACL vs ACL"
• Next in thread: S Malik: "Re: VACL vs ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

On Wed, Mar 18, 2009 at 10:41 PM, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:
> As for the question of direction, it is implicit in the ACL the VACL matches
> though, right Dale?

Yeah, that's right -- sorry, I can see how that wasn't very clear.

Gotta be careful with the default action (drop or forward), once a
match is made, with VLAN maps.

If you explicitly match some IP type traffic in one clause, the
default action for all other IP traffic is 'drop', unless explicitly
catered for in a subsequent clause. Same goes for MAC type traffic.
That's why the most common VLAN map configs I've seen are either:

deny explicit, permit explicit (usually a "permit any any" type clause
at the end)
permit explicit, deny implicit (this is the standard "deny by default"
filtering posture)

Cheers,
Dale

Blogs and organic groups at http://www.ccie.net

• Next message: Thor Kopp: "OT: CCSP and CCVP Resources"
• Previous message: Sadiq Yakasai: "Re: NAT with router on a stick"
• Maybe in reply to: Salahaddin Elshekeil: "VACL vs ACL"
• Next in thread: S Malik: "Re: VACL vs ACL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART