Confused over VACLs.

Discussion in 'Routing & Switching' started by Headache, Jun 21, 2007.

  1. Headache

    Headache Gigabyte Poster

    I'm trying to get my head around vlan ACLs, but it just ain't working.

    The first entry in the following VACL is a permit statement. This is followed by the map sequence, the match clause and the action clause. Somehow the action clause (drop packets) doesn't seem to jibe with the permit statement in the first entry and I'm finding it difficult to reconcile the two. Is this VACL a permit statement, a deny statement, or a mixture of both?

    This is totally doing my head in.


    3550/2#
    3550/2#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    3550/2(config)#access-list 100 permit tcp any any eq 10000
    3550/2(config)#vlan access-map BCMSN 100
    3550/2(config-access-map)#match ip address 100
    3550/2(config-access-map)#action ?
    drop Drop packets
    forward Forward packets

    3550/2(config-access-map)#action drop
    3550/2(config-access-map)#exit
    3550/2(config)#vlan filter BCMSN vlan-list 1
    3550/2(config)#end
    3550/2#
     
    Certifications: CCNA
    WIP: CCNP
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    A VACL map entry has two basic parts: A way of selecting traffic (usually an access list) and an action to take on that traffic.

    It can help to think of the permit/deny of access list 100 as being select/don't select. Your access-list 100 selects all TCP packets with a source or destination port of 10000. The action portion decides what happens to that traffic, in your example dropping it.

    Note that with VACLs you will always be using permit statements in access lists to match traffic.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER, MCP
    WIP: CCIE
  3. Headache

    Headache Gigabyte Poster

    I see.

    So what you're saying is that a deny statement in the ACL would render the whole VACL invalid because deny statements aren't used in VACLs?

    Because that's the part that's confusing me. I kept thinking: what if I was to substitute the permit statement with a deny statement, what would be the point of including an action clause then? It just didn't make any sense.
     
    Certifications: CCNA
    WIP: CCNP
  4. BosonMichael

    BosonMichael Yottabyte Poster

    ACLs can contain multiple allow and deny statements. Obviously, if EVERYTHING is denied, then no, it doesn't make much sense. But you can specifically allow certain ranges and protocols and deny other ranges and protocols, which is VERY useful.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. Headache

    Headache Gigabyte Poster

    I understand now how the action clause can be applied to the permit statement. Spice_Weasel explained that part pretty well (thanks mate). But I'll be buggered if I can figure out how the action clause can be applied to a deny statement. Once you put in the map sequence and the match clause, what do you do before applying the traffic filter to the VLAN? It hardly makes sense to drop, forward or redirect any packets you've already denied, does it?

    I can see I'm gonna have a bit of bother with this one.
     
    Certifications: CCNA
    WIP: CCNP
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Yes, you can use deny statements in the ACLs for VACLs. But often you will see permits used heavily to select traffic for dropping, forwarding, capture, etc. The VLAN access map can contain multiple entries, each with different sequence numbers, matching against different ACLs. If traffic matches a permit statement the action clause is applied (e.g. capture, forward, etc.) and the traffic is not checked against any remaining sequences. But if traffic matches a deny statement, the traffic will continue to be checked against the next ACL in the same sequence, and then against the next sequence, until it matches a permit statement.

    That is what I mean about using permit statements: processing does not stop upon hitting a matching deny statement, but continues on to the next ACL and any remaining sequences. This is different than the familiar ACL behaviour, where a matching deny statement blocks traffic and stops further ACL processing.

    So, aim to match using permits, keeping in mind the implicit deny at the end of every ACL. If using deny statements, be aware how the behaviour differs from the usual ACL processing. Deny statements can be used, but think through what will happen. If you need to stop traffic, use a permit, if possible, to select the traffic and use the drop action.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER, MCP
    WIP: CCIE
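The select/don't-select model from Spice_Weasel's first reply and the sequence-walking rules from the reply above can be checked with a small simulator. The following is an added example, not code from this thread or from Cisco: it models an ACL as a list of permit/deny entries with the implicit deny at the end, and a VLAN access map as ordered sequences, each with a match clause (one or more ACLs) and an action. A permit match applies the action and stops processing; a deny match (explicit or implicit) just moves on to the next ACL and then the next sequence. `eq 10000` in the poster's ACL is modelled as a destination-port test, since in `permit tcp any any eq 10000` the `eq` follows the destination `any`. The packet fields, the second ACL (101), the two-sequence map, and the final default of dropping unmatched traffic are all constructed for the example; the default-drop value is an assumption, not something the thread states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp" (constructed sample field set)
    dport: int   # destination port, 0 when not applicable


@dataclass(frozen=True)
class AclEntry:
    permit: bool                     # permit = "select", deny = "do not select"
    proto: str                       # "ip" matches any protocol
    eq_dport: Optional[int] = None   # 'eq <port>' on the destination; None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.eq_dport is None or self.eq_dport == pkt.dport


def acl_result(entries: List[AclEntry], pkt: Packet) -> str:
    """Classic ACL lookup: first matching entry wins; no match hits the
    implicit deny at the end of every ACL."""
    for entry in entries:
        if entry.matches(pkt):
            return "permit" if entry.permit else "deny"
    return "deny"


@dataclass(frozen=True)
class MapEntry:
    seq: int                  # 'vlan access-map NAME <seq>'
    acls: Tuple[str, ...]     # ACL names in the 'match ip address ...' clause
    action: str               # "drop" or "forward"


def vacl_action(access_map: List[MapEntry], acls: Dict[str, List[AclEntry]],
                pkt: Packet, default: str = "drop") -> str:
    """Walk the access map in sequence order. A permit in any matched ACL
    applies that sequence's action and ends processing. A deny (explicit or
    implicit) does NOT block the packet; it only fails to select it, so the
    walk continues with the next ACL and then the next sequence.
    `default` is what happens when nothing selected the packet (assumption)."""
    for entry in sorted(access_map, key=lambda m: m.seq):
        for name in entry.acls:
            if acl_result(acls[name], pkt) == "permit":
                return entry.action
            # deny: keep looking, this ACL simply did not select the packet
    return default


# ACL 100 is the poster's; ACL 101 is constructed for the example.
ACLS: Dict[str, List[AclEntry]] = {
    "100": [AclEntry(True, "tcp", 10000)],                       # permit tcp any any eq 10000
    "101": [AclEntry(False, "tcp", 22), AclEntry(True, "ip")],   # deny tcp any any eq 22 / permit ip any any
}

# The poster's map: one sequence, match ACL 100, action drop.
POSTER_MAP = [MapEntry(100, ("100",), "drop")]

# Constructed two-sequence map: drop port 10000 first, then forward whatever ACL 101 permits.
TWO_STAGE_MAP = [MapEntry(10, ("100",), "drop"), MapEntry(20, ("101",), "forward")]


def demo() -> Dict[str, str]:
    return {
        # Selected by the permit in ACL 100, so the drop action applies.
        "poster_10000": vacl_action(POSTER_MAP, ACLS, Packet("tcp", 10000)),
        # Not selected by anything: falls off the end of the map (assumed default drop).
        "poster_80": vacl_action(POSTER_MAP, ACLS, Packet("tcp", 80)),
        # Seq 10 does not select it; seq 20's 'permit ip' does, so forward.
        "two_stage_80": vacl_action(TWO_STAGE_MAP, ACLS, Packet("tcp", 80)),
        # Explicit deny in ACL 101 does not drop it; it just fails to select,
        # so the packet falls through to the default instead of being forwarded.
        "two_stage_22": vacl_action(TWO_STAGE_MAP, ACLS, Packet("tcp", 22)),
        # Seq 10 selects it and processing stops there, seq 20 is never consulted.
        "two_stage_10000": vacl_action(TWO_STAGE_MAP, ACLS, Packet("tcp", 10000)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} -> {result}")
```

The `two_stage_22` case is the one that trips people up: the deny entry in ACL 101 looks like it should block SSH, but under VACL semantics it only declines to select the packet, and the outcome is decided by whatever comes next (here, the assumed default). To drop that traffic deliberately you would do what the reply recommends: select it with a permit entry and attach the drop action.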
  7. Headache

    Headache Gigabyte Poster

    You know what, Spice? If you'd lived anywhere near my local, I'd buy you four beers. This explanation makes more sense than any number of pages I've read on the subject to date.

    Thanks a million, mate.
     
    Certifications: CCNA
    WIP: CCNP
