VACL {meaning of permit | deny}?

Unanswered Question
Feb 11th, 2008

Hi,

The following snippet is taken from the following link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/vacl.pdf

"When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence."

I am not convinced about the above statement:

If I create the following VACL:

    vlan access-map block-aspire 10
     action drop
     match ip address ipexpert
    vlan access-map block-aspire 20
     action forward
    !
    vlan filter block-aspire vlan-list 55
    !
    ip access-list extended ipexpert
     permit ip host 172.16.1.254 host 172.16.1.253

Here, I have a 'permit' access-list entry and the action performed is to successfully drop packets between the hosts 172.16.1.254 and 172.16.1.253 and to forward other packets for vlan 55.

If I change seq no 20 to 'drop' then I can see that this action is being taken since no hosts in vlan 55 can ping each other.

This appears contrary to the Cisco link.

Can someone please verify?

PS: I am using 2x 3550s, not 6500s as in the Cisco link.

Regards,

Phil.

Edison Ortiz Mon, 02/11/2008 - 10:39

The document says:

When a flow matches a deny ACL entry

and you did:

I change seq no 20 to 'drop'

You didn't create a deny ACL entry as the document states.

__

Edison.
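As an added example (not part of Phil's post, Edison's reply or the Cisco document), the following Python models the lookup rules quoted from the document and runs Phil's access-map through them: once as configured, once with sequence 20 set to drop, and once with the ACL rewritten to use a deny entry, which is the case the document actually describes and the one Edison points to. Two rules are assumed here beyond the quoted text: a sequence with no match clause matches all traffic, and a flow that matches no sequence is dropped.

```python
# Added example: a small model of VACL lookup. It is not the switch's code.
# Rules taken from the quoted document:
#   - a flow matching a "permit" ACL entry takes the sequence's action and stops
#   - a flow matching a "deny" ACL entry moves on to the next ACL / next sequence
# Rules assumed here (not in the quoted text):
#   - a sequence with no match clause matches every flow
#   - a flow matching no sequence at all is dropped (implicit deny)
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    permit: bool   # True for "permit", False for "deny"
    src: str       # host address or "any"
    dst: str


def ace_matches(ace, src, dst):
    return ace.src in ("any", src) and ace.dst in ("any", dst)


@dataclass
class Sequence:
    action: str                                 # "forward" or "drop"
    match: list = field(default_factory=list)   # ACL names; empty = match all


def vacl_lookup(access_map, acls, src, dst):
    """Return the action applied to a flow src->dst by an ordered access-map."""
    for seq in access_map:
        if not seq.match:
            return seq.action                   # no match clause: matches all
        for acl_name in seq.match:
            for ace in acls[acl_name]:
                if ace_matches(ace, src, dst):
                    if ace.permit:
                        return seq.action       # permit ACE: take action, stop
                    break                       # deny ACE: try next ACL / seq
    return "drop"                               # assumed implicit deny


# Phil's configuration: sequence 10 drop (match ipexpert), sequence 20 forward.
ACLS = {"ipexpert": [Ace(True, "172.16.1.254", "172.16.1.253")]}
BLOCK_ASPIRE = [Sequence("drop", ["ipexpert"]), Sequence("forward")]
# Same map with sequence 20 changed to drop, as in Phil's second test.
BLOCK_ASPIRE_ALL_DROP = [Sequence("drop", ["ipexpert"]), Sequence("drop")]
# Constructed variant: the host pair as a deny ACE, then permit any any.
DENY_ACLS = {"ipexpert": [Ace(False, "172.16.1.254", "172.16.1.253"),
                          Ace(True, "any", "any")]}

if __name__ == "__main__":
    print(vacl_lookup(BLOCK_ASPIRE, ACLS, "172.16.1.254", "172.16.1.253"))     # drop
    print(vacl_lookup(BLOCK_ASPIRE, ACLS, "172.16.1.1", "172.16.1.2"))         # forward
    print(vacl_lookup(BLOCK_ASPIRE_ALL_DROP, ACLS, "172.16.1.1", "172.16.1.2"))  # drop
    print(vacl_lookup(BLOCK_ASPIRE, DENY_ACLS, "172.16.1.254", "172.16.1.253"))  # forward
```

With the deny variant, the host pair falls through sequence 10 and is forwarded by sequence 20, while every other flow hits the permit any any entry and is dropped; that inversion is the permit/deny distinction the document is making, and Phil's change of the sequence 20 action never exercised it.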
