Re: VACL vs ACL

From: Pavel Bykov (slidersv@gmail.com)
Date: Thu Mar 19 2009 - 12:49:11 ART


Besides allowing you to filter communication between two ports in the same
VLAN, a VACL allows you to capture or redirect traffic, so you can easily capture
traffic like a SPAN port but only for specified parameters (MAC/IP/L4), or you
can redirect traffic so it does not go to its destination but goes to where
you want it to go.

This is called VACL Capture

On Thu, Mar 19, 2009 at 4:34 PM, Jared Scrivener <jscrivener@ipexpert.com> wrote:

> The beauty of the VLAN filter is you don't have to worry about SVIs (which
> are Layer 3 interfaces). The VLAN filter restricts traffic passing through
> any of the Layer 2 ports within a VLAN - this includes intra-VLAN traffic
> (which an ACL on an SVI wouldn't).
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Sr. Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of S Malik
> Sent: Thursday, 19 March 2009 11:25 AM
> To: Dale Shaw
> Cc: Sadiq Yakasai; Tolulope Ogunsina; Salahaddin Elshekeil; Marc La Porte;
> Cisco certification
> Subject: Re: VACL vs ACL
>
> I think VACL is used to limit traffic within a specific VLAN regardless of
> direction (it would include all the traffic to and from the SVI, as the SVI is
> part of that VLAN). It simply dictates which traffic can exist on the provided
> VLAN.
>
> It is basically used with "vlan filter", which (I mean vlan filter) uses
> "vlan access-map", where we match and take action (drop/forward) based on
> the match.
>
> An ACL on an SVI is applied to filter traffic either inbound or outbound (meaning
> traffic going out of the VLAN or coming into the VLAN).
>
> Please correct if wrong.
>
> On Wed, Mar 18, 2009 at 7:58 AM, Dale Shaw <dale.shaw@gmail.com> wrote:
>
> > Hi,
> >
> > On Wed, Mar 18, 2009 at 10:41 PM, Sadiq Yakasai <sadiqtanko@gmail.com>
> > wrote:
> > > As for the question of direction, it is implicit in the ACL the VACL matches
> > > though, right Dale?
> >
> > Yeah, that's right -- sorry, I can see how that wasn't very clear.
> >
> > Gotta be careful with the default action (drop or forward), once a
> > match is made, with VLAN maps.
> >
> > If you explicitly match some IP type traffic in one clause, the
> > default action for all other IP traffic is 'drop', unless explicitly
> > catered for in a subsequent clause. Same goes for MAC type traffic.
> > That's why the most common VLAN map configs I've seen are either:
> >
> > deny explicit, permit explicit (usually a "permit any any" type clause
> > at the end)
> > permit explicit, deny implicit (this is the standard "deny by default"
> > filtering posture)
> >
> > Cheers,
> > Dale
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

-- 
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of
your certifications. Sign the petition at http://www.stopbraindumps.com/
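What the thread is describing, written out as an added configuration example (it is not from any of the posts above). It assumes a Catalyst 6500-class switch running IOS for the capture and redirect actions; 3560/3750-class switches support only "action drop" and "action forward". All ACL names, VLAN numbers and port numbers are made up.

```cisco
! Added example, not from the thread. Assumes a Catalyst 6500-class IOS switch
! for "action forward capture" and "action redirect"; other platforms only have
! drop/forward. Names, VLANs and ports are hypothetical.

! In a VACL match ACL, "permit" means "this clause matches"; the action decides
! what happens. So BLOCK-TFTP *permits* TFTP in order to drop it.
ip access-list extended BLOCK-TFTP
 permit udp any any eq tftp
!
ip access-list extended ANY-IP
 permit ip any any
!
! 1. Deny explicit, permit explicit: drop TFTP inside VLAN 10, forward everything
!    else. Without sequence 20, all other IP packets in VLAN 10 would be dropped:
!    once any clause matches IP traffic, unmatched IP traffic defaults to drop.
!    Non-IP (MAC) traffic is still forwarded, because no MAC clause exists.
vlan access-map VLAN10-FILTER 10
 match ip address BLOCK-TFTP
 action drop
vlan access-map VLAN10-FILTER 20
 match ip address ANY-IP
 action forward
!
vlan filter VLAN10-FILTER vlan-list 10
!
! 2. VACL capture: copy only HTTP in VLAN 20 to a capture port (like SPAN, but
!    filtered). The packets still reach their real destination.
ip access-list extended HTTP-ONLY
 permit tcp any any eq www
 permit tcp any eq www any
!
vlan access-map VLAN20-CAPTURE 10
 match ip address HTTP-ONLY
 action forward capture
vlan access-map VLAN20-CAPTURE 20
 match ip address ANY-IP
 action forward
!
vlan filter VLAN20-CAPTURE vlan-list 20
!
interface GigabitEthernet1/48
 description IDS / sniffer
 switchport
 switchport capture
 switchport capture allowed vlan 20
!
! 3. VACL redirect: DNS in VLAN 30 goes to the redirect port instead of its
!    destination (for example an inline inspection box).
ip access-list extended DNS-ONLY
 permit udp any any eq domain
!
vlan access-map VLAN30-REDIRECT 10
 match ip address DNS-ONLY
 action redirect gigabitethernet 1/47
vlan access-map VLAN30-REDIRECT 20
 match ip address ANY-IP
 action forward
!
vlan filter VLAN30-REDIRECT vlan-list 30
```

After applying, "show vlan access-map" lists each map's clauses and actions and "show vlan filter" shows which VLANs each map is attached to. The trailing "match ANY-IP / action forward" clause is the part that is easiest to forget and the one Dale's warning is about.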


This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:06 ART