From: S Malik (ccie.09@gmail.com)
Date: Thu Mar 19 2009 - 12:24:41 ART
I think VACL is used to limit traffic within a specific VLAN regardless of
direction (it would include all the traffic to and from the SVI, as the SVI is
part of that VLAN). It simply dictates which traffic can exist on the provided
VLAN.
It is basically used with "vlan filter" which (I mean vlan filter) uses
"vlan access-map" where we match and take action (drop/forward) based on
the match.
ACL on SVI is applied to filter traffic either inbound or outbound (meaning
traffic going out of the VLAN or coming into the VLAN).
Please correct if wrong.
On Wed, Mar 18, 2009 at 7:58 AM, Dale Shaw <dale.shaw@gmail.com> wrote:
> Hi,
>
> On Wed, Mar 18, 2009 at 10:41 PM, Sadiq Yakasai <sadiqtanko@gmail.com>
> wrote:
> > As for the question of direction, it is implicit in the ACL the VACL
> matches
> > though, right Dale?
>
> Yeah, that's right -- sorry, I can see how that wasn't very clear.
>
> Gotta be careful with the default action (drop or forward), once a
> match is made, with VLAN maps.
>
> If you explicitly match some IP type traffic in one clause, the
> default action for all other IP traffic is 'drop', unless explicitly
> catered for in a subsequent clause. Same goes for MAC type traffic.
> That's why the most common VLAN map configs I've seen are either:
>
> deny explicit, permit explicit (usually a "permit any any" type clause
> at the end)
> permit explicit, deny implicit (this is the standard "deny by default"
> filtering posture)
>
> Cheers,
> Dale
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
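The two VLAN map postures Dale describes (deny explicit with a trailing catch-all forward, versus permit explicit with the implicit drop doing the rest), written out as an added IOS configuration example. This is not configuration posted by anyone in the thread; the ACL names, VLAN numbers and host addresses are constructed for illustration.

```cisco
! ---------------------------------------------------------------
! Posture 1: "deny explicit, permit explicit"
! Drop telnet inside VLAN 10, forward everything else.
! ---------------------------------------------------------------
! The ACL only SELECTS traffic for the map; the map's "action" decides its fate.
ip access-list extended VACL-MATCH-TELNET
 permit tcp any any eq 23
!
! Constructed catch-all so remaining IP traffic is explicitly forwarded.
ip access-list extended VACL-MATCH-ANY-IP
 permit ip any any
!
vlan access-map VLAN10-MAP 10
 match ip address VACL-MATCH-TELNET
 action drop
vlan access-map VLAN10-MAP 20
 match ip address VACL-MATCH-ANY-IP
 action forward
!
! Without sequence 20, the presence of an IP match clause in sequence 10
! would cause every other IP packet in the VLAN to be dropped (Dale's point).
vlan filter VLAN10-MAP vlan-list 10
!
! ---------------------------------------------------------------
! Posture 2: "permit explicit, deny implicit"
! Only HTTPS to one server and DNS are allowed to exist in VLAN 20.
! ---------------------------------------------------------------
ip access-list extended VACL-MATCH-ALLOWED
 permit tcp any host 10.20.0.5 eq 443
 permit udp any any eq 53
!
vlan access-map VLAN20-MAP 10
 match ip address VACL-MATCH-ALLOWED
 action forward
!
! No catch-all clause: any IP packet not matched above is dropped by the
! implicit deny, which is the "deny by default" filtering posture.
vlan filter VLAN20-MAP vlan-list 20
!
! Verify what is applied and to which VLANs:
! show vlan access-map
! show vlan filter
```

Because a VLAN map applies to all traffic bridged within the VLAN, including frames to and from the SVI, both postures also govern traffic between hosts in the same VLAN, which a per-direction ACL on the SVI never sees.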
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:06 ART