VACL {meaning of permit | deny} ?

Unanswered Question
Feb 11th, 2008
The following snippet is taken from the following link:

"When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence."

I am not convinced by the above statement:

If I create the following VACL:

  vlan access-map block-aspire 10
   action drop
   match ip address ipexpert
  vlan access-map block-aspire 20
   action forward
  vlan filter block-aspire vlan-list 55

  ip access-list extended ipexpert
   permit ip host host

Here I have a 'permit' access-list entry, and the action performed is to successfully drop packets between the hosts and to forward other packets for VLAN 55.

If I change seq no 20 to 'drop', then I can see that this action is being taken, since no hosts in VLAN 55 can ping each other.

This appears contrary to the cisco link.

Can someone please verify?

PS: I am using 2x 3550s, not 6500s as in the Cisco link.

Edison Ortiz Mon, 02/11/2008 - 10:39

The document says:

"When a flow matches a deny ACL entry"

and you did:

"I change seq no 20 to 'drop'"

You didn't create a deny ACL entry as the document states.
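To make the distinction in this thread concrete, here is a small Python model of how a VLAN access-map is evaluated, written as an added example for this page (it is not code from the thread or from Cisco). It implements the rule the Cisco document quoted in the question states: a sequence is selected only when its match ACL hits a permit entry; a deny entry (or no hit at all) means "not selected", so the packet moves on to the next sequence, and a packet that no sequence selects is dropped. The host addresses, VLAN and the second ACL name are assumptions, since the original post's addresses were stripped.

```python
"""Toy model of Catalyst VLAN access-map (VACL) evaluation.

Added example for this thread; not code from the thread or from Cisco.
Addresses and the 'ipexpert-deny' ACL are assumed (the post's host IPs
were stripped); the evaluation rules follow the Cisco text quoted above.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class AclEntry:
    verdict: str   # "permit" or "deny"
    src: str       # host address, CIDR, or "any"
    dst: str


@dataclass
class MapSeq:
    seq: int
    action: str                                           # "forward" or "drop"
    match_acls: List[str] = field(default_factory=list)   # empty = no match clause = matches all


def _covers(spec: str, addr: str) -> bool:
    """Does an ACL address spec cover addr? 'any' covers everything."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def acl_matches(entries: List[AclEntry], src: str, dst: str) -> bool:
    """A 'match ip address' ACL selects a packet only through a permit entry.

    The first entry covering the packet decides: permit -> the sequence
    matches; deny -> the ACL does not select it (nothing is dropped here).
    Falling off the end of the ACL is also 'not selected'.
    """
    for e in entries:
        if _covers(e.src, src) and _covers(e.dst, dst):
            return e.verdict == "permit"
    return False


def vacl_action(access_map: List[MapSeq], acls: Dict[str, List[AclEntry]],
                src: str, dst: str) -> str:
    """Return the action applied to an IP packet src->dst on a filtered VLAN."""
    for s in sorted(access_map, key=lambda s: s.seq):
        if not s.match_acls:
            return s.action                      # catch-all sequence
        if any(acl_matches(acls[name], src, dst) for name in s.match_acls):
            return s.action                      # first selected sequence wins
    return "drop"                                # implicit deny at end of map


# Constructed config mirroring the post (assumed addresses in VLAN 55).
HOST_A, HOST_B, OTHER = "10.55.0.1", "10.55.0.2", "10.55.0.3"

ACLS = {
    "ipexpert": [AclEntry("permit", HOST_A, HOST_B)],
    # Assumed variant with an explicit deny entry, to show what 'deny' does.
    "ipexpert-deny": [AclEntry("deny", HOST_A, HOST_B),
                      AclEntry("permit", "any", "any")],
}

BLOCK_ASPIRE = [MapSeq(10, "drop", ["ipexpert"]), MapSeq(20, "forward")]  # the post's map
ALL_DROP = [MapSeq(10, "drop", ["ipexpert"]), MapSeq(20, "drop")]         # seq 20 changed to drop
NO_CATCHALL = [MapSeq(10, "forward", ["ipexpert"])]                       # no seq 20 at all
DENY_MAP = [MapSeq(10, "drop", ["ipexpert-deny"]), MapSeq(20, "forward")]


if __name__ == "__main__":
    cases = [
        ("post's map, A->B", BLOCK_ASPIRE, HOST_A, HOST_B),
        ("post's map, B->A (ACL entry is one-directional)", BLOCK_ASPIRE, HOST_B, HOST_A),
        ("post's map, A->other", BLOCK_ASPIRE, HOST_A, OTHER),
        ("seq 20 changed to drop, A->other", ALL_DROP, HOST_A, OTHER),
        ("no catch-all sequence, A->other", NO_CATCHALL, HOST_A, OTHER),
        ("deny entry, A->B falls through to seq 20", DENY_MAP, HOST_A, HOST_B),
        ("deny entry, A->other hits 'permit any any'", DENY_MAP, HOST_A, OTHER),
    ]
    for label, amap, s, d in cases:
        print(f"{label}: {vacl_action(amap, ACLS, s, d)}")
```

Two things the model makes visible that the thread only touches on: the post's "permit ip host A host B" is one-directional, so B->A traffic is not selected by sequence 10 and is forwarded by sequence 20 (the ping still fails because the echo request is dropped), and a map with no catch-all sequence silently drops every packet it does not select, so a "forward"-only map without a trailing sequence behaves like a deny-all for the rest of the VLAN.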
