From: Jared Scrivener (jscrivener@ipexpert.com)
Date: Thu Mar 19 2009 - 12:34:33 ART
The beauty of the VLAN filter is you don't have to worry about SVIs (which
are Layer 3 interfaces). The VLAN filter restricts traffic passing through
any of the Layer 2 ports within a VLAN - this includes intra-VLAN traffic
(which an ACL on an SVI wouldn't).
Cheers,
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Sr. Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of S Malik
Sent: Thursday, 19 March 2009 11:25 AM
To: Dale Shaw
Cc: Sadiq Yakasai; Tolulope Ogunsina; Salahaddin Elshekeil; Marc La Porte;
Cisco certification
Subject: Re: VACL vs ACL
I think VACL is used to limit traffic within a specific VLAN regardless of
direction (it would include all the traffic to and from the SVI as the SVI is
part of that VLAN). It simply dictates which traffic can exist on the provided
VLAN.
It is basically used with "vlan filter" which (I mean vlan filter) uses
"vlan access-map" where we match and take action (drop/forward) based on
the match.
ACL on SVI is applied to filter traffic either inbound or outbound (meaning
traffic going out of the VLAN or coming into the VLAN).
Please correct if wrong.
On Wed, Mar 18, 2009 at 7:58 AM, Dale Shaw <dale.shaw@gmail.com> wrote:
> Hi,
>
> On Wed, Mar 18, 2009 at 10:41 PM, Sadiq Yakasai <sadiqtanko@gmail.com>
> wrote:
> > As for the question of direction, it is implicit in the ACL the VACL
> matches
> > though, right Dale?
>
> Yeah, that's right -- sorry, I can see how that wasn't very clear.
>
> Gotta be careful with the default action (drop or forward), once a
> match is made, with VLAN maps.
>
> If you explicitly match some IP type traffic in one clause, the
> default action for all other IP traffic is 'drop', unless explicitly
> catered for in a subsequent clause. Same goes for MAC type traffic.
> That's why the most common VLAN map configs I've seen are either:
>
> deny explicit, permit explicit (usually a "permit any any" type clause
> at the end)
> permit explicit, deny implicit (this is the standard "deny by default"
> filtering posture)
>
> Cheers,
> Dale
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:06 ART
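The two VLAN map postures Dale describes, written out as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the VLAN number (10), the subnet (10.1.10.0/24), the DNS server address (10.1.10.53), the map name and the ACL names are all assumed for illustration. Both maps are applied with "vlan filter", which sees frames bridged within the VLAN as well as packets routed into or out of it through the SVI. The key behaviour to keep in mind is the one Dale points out: once a map contains at least one IP match clause, any IP packet that matches none of the clauses is dropped; a packet type (IP or MAC) for which the map has no match clause at all is forwarded.

```cisco
! --- Posture 1: deny explicit, permit explicit ---
! Block hosts in VLAN 10 from talking to the DNS server on anything but DNS,
! then forward everything else. Without clause 20 the map would contain an
! IP match clause, so all non-matching IP traffic would be silently dropped.
ip access-list extended V10-BLOCK-NON-DNS-TO-SERVER
 deny   udp 10.1.10.0 0.0.0.255 host 10.1.10.53 eq domain
 deny   tcp 10.1.10.0 0.0.0.255 host 10.1.10.53 eq domain
 permit ip  10.1.10.0 0.0.0.255 host 10.1.10.53
!
ip access-list extended V10-ANY-IP
 permit ip any any
!
vlan access-map V10-MAP-DENYLIST 10
 match ip address V10-BLOCK-NON-DNS-TO-SERVER
 action drop
vlan access-map V10-MAP-DENYLIST 20
 match ip address V10-ANY-IP
 action forward
!
vlan filter V10-MAP-DENYLIST vlan-list 10

! --- Posture 2: permit explicit, deny implicit ---
! Only DNS to the server and traffic to/from the SVI (10.1.10.1, assumed)
! is forwarded. There is no "permit any" clause, so every other IP packet
! in VLAN 10 is dropped by the implicit default. Non-IP frames (for example
! ARP) are still forwarded because the map has no MAC match clause; add a
! "match mac address" clause if Layer 2 traffic must be constrained too.
ip access-list extended V10-ALLOWED
 permit udp 10.1.10.0 0.0.0.255 host 10.1.10.53 eq domain
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.10.53 eq domain
 permit ip  10.1.10.0 0.0.0.255 host 10.1.10.1
 permit ip  host 10.1.10.1 10.1.10.0 0.0.0.255
!
vlan access-map V10-MAP-ALLOWLIST 10
 match ip address V10-ALLOWED
 action forward
!
! Only one map can be applied to a VLAN at a time; replacing the filter
! swaps the posture.
no vlan filter V10-MAP-DENYLIST vlan-list 10
vlan filter V10-MAP-ALLOWLIST vlan-list 10
```

Two checks worth running after applying either map: "show vlan access-map" to confirm the clause order and actions are what you intended (clauses are evaluated by sequence number, first match wins), and "show vlan filter" to confirm the map is bound to the right VLAN list. Because the ACLs inside a VLAN map are only used to decide whether a packet matches the clause, a "deny" entry in one of those ACLs does not drop anything by itself; it just means "this clause does not match", which is why the deny-list posture needs the trailing forward-any clause and the allow-list posture deliberately omits it.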