From: Steve Means (smeans@ccbootcamp.com)
Date: Thu Mar 19 2009 - 14:51:57 ART
One particular use that comes to mind (and one I've used a few times) is a
VACL to copy traffic to an IPS blade in a 6500. I'm sure there are other
capture/redirection examples.
Steve Means
Security Instructor/Consultant
smeans@ccbootcamp.com
CCBOOTCAMP - A Cisco Learning Partner
877.654.2243 Toll Free
+1.702.968.5100 Direct Outside the USA
+1.702.446.0357 Fax
YES! We take Cisco Learning Credits
Training And Remote Racks: http://www.ccbootcamp.com
________________________________
From: nobody@groupstudy.com on behalf of Pavel Bykov
Sent: Thu 3/19/2009 8:49 AM
To: Jared Scrivener
Cc: S Malik; Dale Shaw; Sadiq Yakasai; Tolulope Ogunsina; Salahaddin
Elshekeil; Marc La Porte; Cisco certification
Subject: Re: VACL vs ACL
Besides allowing you to filter communication between two ports in the same
VLAN, a VACL allows you to capture or redirect traffic, so you can easily
capture traffic like a SPAN port but only for specified parameters
(MAC/IP/L4), or you can redirect traffic so it does not go to its
destination but goes to where you want it to go.
This is called VACL Capture.
On Thu, Mar 19, 2009 at 4:34 PM, Jared Scrivener
<jscrivener@ipexpert.com> wrote:
> The beauty of the VLAN filter is you don't have to worry about SVIs (which
> are Layer 3 interfaces). The VLAN filter restricts traffic passing through
> any of the Layer 2 ports within a VLAN - this includes intra-VLAN traffic
> (which an ACL on an SVI wouldn't).
>
> Cheers,
>
> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
> Sr. Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: jscrivener@ipexpert.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of S
> Malik
> Sent: Thursday, 19 March 2009 11:25 AM
> To: Dale Shaw
> Cc: Sadiq Yakasai; Tolulope Ogunsina; Salahaddin Elshekeil; Marc La Porte;
> Cisco certification
> Subject: Re: VACL vs ACL
>
> I think VACL is used to limit traffic within a specific VLAN regardless of
> direction (it would include all the traffic to and from the SVI, as the SVI
> is part of that VLAN). It simply dictates which traffic can exist on the
> provided VLAN.
>
> It is basically used with "vlan filter", which (I mean vlan filter) uses
> "vlan access-map" where we match and take action (drop/forward) based on
> the match.
>
> An ACL on an SVI is applied to filter traffic either inbound or outbound
> (meaning traffic going out of the VLAN or coming into the VLAN).
>
> Please correct if wrong.
>
>
>
>
> On Wed, Mar 18, 2009 at 7:58 AM, Dale Shaw <dale.shaw@gmail.com> wrote:
>
> > Hi,
> >
> > On Wed, Mar 18, 2009 at 10:41 PM, Sadiq Yakasai <sadiqtanko@gmail.com>
> > wrote:
> > > As for the question of direction, it is implicit in the ACL the VACL
> > > matches though, right Dale?
> >
> > Yeah, that's right -- sorry, I can see how that wasn't very clear.
> >
> > Gotta be careful with the default action (drop or forward), once a
> > match is made, with VLAN maps.
> >
> > If you explicitly match some IP type traffic in one clause, the
> > default action for all other IP traffic is 'drop', unless explicitly
> > catered for in a subsequent clause. Same goes for MAC type traffic.
> > That's why the most common VLAN map configs I've seen are either:
> >
> > - deny explicit, permit explicit (usually a "permit any any" type clause
> >   at the end)
> > - permit explicit, deny implicit (this is the standard "deny by default"
> >   filtering posture)
> >
> > Cheers,
> > Dale
> >
> >
> > Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
--
Pavel Bykov
----------------
Don't forget to help stop the braindumps, the use of which reduces the value of your certifications.
Sign the petition at http://www.stopbraindumps.com/
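A worked VLAN-map configuration covering the three points made in this thread: the drop-by-default behaviour Dale describes once an IP match clause exists, the two common clause orderings, and the capture/redirect actions Pavel and Steve mention. This is an added example, not configuration posted by anyone in the thread. VLAN 10, the 10.1.10.0/24 addresses, the ACL and map names, and the interface numbers are assumed values; `action forward capture`, `switchport capture` and `action redirect` are Catalyst 6500 IOS VACL features, and only one VLAN map can be applied to a VLAN at a time, so the three maps below are alternatives, not a stack.

```text
! Added example, not from the thread. VLAN 10, 10.1.10.0/24, the ACL and
! map names and the interface numbers are assumed values.
!
! How a VLAN map reads an ACL: a "permit" entry in the ACL means "this
! clause matches"; a "deny" entry means "not this clause, try the next".
! The forward/drop decision is the clause's action, not the ACL keyword.

! --- Posture A: permit explicit, deny implicit --------------------------
ip access-list extended V10-ALLOWED
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.10.10 eq 443
 permit udp 10.1.10.0 0.0.0.255 host 10.1.10.53 eq 53
!
vlan access-map V10-MAP-A 10
 match ip address V10-ALLOWED
 action forward
!
! No further IP clause. Because an IP match clause exists in the map, any
! IP packet that matches nothing is dropped. Non-IP (MAC) frames such as
! ARP have no MAC clause to fall under, so they are still forwarded.
vlan filter V10-MAP-A vlan-list 10

! --- Posture B: deny explicit, permit explicit --------------------------
ip access-list extended V10-BLOCKED
 permit tcp any any eq telnet
!
ip access-list extended ANY-IP
 permit ip any any
!
vlan access-map V10-MAP-B 10
 match ip address V10-BLOCKED
 action drop
vlan access-map V10-MAP-B 20
 match ip address ANY-IP
 action forward
!
! Clause 20 is the "permit any any" catch-all. Leaving it out turns
! posture B into "drop all IP traffic in VLAN 10" for the reason above.
! vlan filter V10-MAP-B vlan-list 10

! --- Posture C: capture (Catalyst 6500) ---------------------------------
ip access-list extended V10-HTTP
 permit tcp any any eq www
!
vlan access-map V10-MAP-C 10
 match ip address V10-HTTP
 action forward capture
vlan access-map V10-MAP-C 20
 match ip address ANY-IP
 action forward
!
! "forward capture" delivers the packet normally AND copies it to every
! port configured as a capture port for this VLAN (a selective SPAN).
interface GigabitEthernet3/1
 switchport
 switchport capture
 switchport capture allowed vlan 10
!
! vlan filter V10-MAP-C vlan-list 10
!
! Redirect instead of capture: the matched packet goes only to the named
! port and no longer reaches its original destination. Assumed syntax,
! verify against the platform's command reference:
!  action redirect gigabitethernet 3/2
```

Because the posture A map has only IP clauses, it is worth checking with `show vlan access-map` and `show vlan filter` that the intended map is the one applied, and remembering that a later MAC-address clause added to the same map would flip non-IP frames to drop-by-default as well.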
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:06 ART