VLAN ACL Question

Answered Question
Jul 12th, 2013

Hello Community,


I am currently studying for the CCNP SWITCH exam and had a question about how VLAN ACLs operate in a specific instance. The book is not clearing it up for me:


If I had the following configuration:


VTP-Server-1(config)# ip access-list extended ALLOW-TCP
VTP-Server-1(config-ext-nacl)# permit tcp any any
VTP-Server-1(config-ext-nacl)# exit
VTP-Server-1(config)# ip access-list extended ALLOW-UDP
VTP-Server-1(config-ext-nacl)# permit udp any any
VTP-Server-1(config-ext-nacl)# exit
VTP-Server-1(config)# ip access-list extended ALLOW-IP
VTP-Server-1(config-ext-nacl)# permit ip any any
VTP-Server-1(config-ext-nacl)# exit
VTP-Server-1(config)# vlan access-map MY-VACL-MAP 10
VTP-Server-1(config-access-map)# match ip address ALLOW-TCP
VTP-Server-1(config-access-map)# action forward
VTP-Server-1(config-access-map)# exit
VTP-Server-1(config)# vlan access-map MY-VACL-MAP 20
VTP-Server-1(config-access-map)# action drop
VTP-Server-1(config-access-map)# exit
VTP-Server-1(config)# vlan access-map MY-VACL-MAP 30
VTP-Server-1(config-access-map)# match ip address ALLOW-IP
VTP-Server-1(config-access-map)# action forward
VTP-Server-1(config-access-map)# exit
VTP-Server-1(config)# vlan filter MY-VACL-MAP vlan-list 22


Would TCP traffic be allowed to pass and all other traffic dropped since there is no specific ACL being matched to "MAP 20"? Would the filter ever get past the second map "map 20" in this case? I'm confused as to what would actually happen in this case. The book has conflicting entries about what actions would be taken since the second entry has no ACL matched to it. It says in the first part that "Because no ACL is specifically matched in sequence 20, all traffic that is not dropped in sequence 10 is effectively forwarded." But at the end, in the chapter quiz, it marks me wrong when I say the traffic will be forwarded; it states that IP and UDP traffic will be dropped.


Thanks.


Chris.

Correct Answer by Eduardo Aliaga, Sun, 07/14/2013 - 00:04

Hello Chris


Since MY-VACL-MAP sequence 20 didn't specify a match, it will match everything. That means the chapter quiz is correct: all IP and UDP traffic will be dropped.


For reference you can see the following links

http://blog.ine.com/2009/08/10/vlan-access-control-lists-vacls-tiers-1/

https://learningnetwork.cisco.com/thread/37041


Please rate if this helps


Craddockc Mon, 07/15/2013 - 09:29

Eduardo,


Thank you so much for the clarification!


Chris.

Craddockc Tue, 07/16/2013 - 14:37

Eduardo,


I know this seems intuitive, but since sequence 20 matches everything, does it stand to reason that the map filter will never get past sequence 20 and on to sequence 30, etc.? I would venture to say that it doesn't, since all packets are matched in sequence 20. Thanks.


Chris.
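To make the evaluation order concrete, here is an added example that is not part of the thread and not Cisco code. It models the VACL rules Eduardo relies on (sequences are tried in ascending order, the first matching sequence decides the packet, a sequence with no match clause matches all traffic, and a packet matched by no sequence is dropped) and runs Chris's configuration through them. It also answers the follow-up question by listing which sequences can never be reached, and evaluates a variant of the map in which sequence 20 does carry `match ip address ALLOW-UDP`, which is the reading the book's first passage seems to describe. The parser understands only the syntax used in this thread; the config text, the variant, and the protocol names are constructed inputs.

```python
"""Simulate how a Cisco VLAN access-map (VACL) decides a packet.

Rules modelled (from the accepted answer and Cisco's `vlan access-map` docs):
  * sequences are evaluated in ascending sequence-number order;
  * the first sequence that matches decides the packet; later ones are not consulted;
  * a sequence with no `match` clause matches every packet;
  * `match ip address <acl>` matches when a permit entry of that ACL matches;
  * a packet matched by no sequence is dropped (implicit deny at the end).
Only the IOS subset used in the thread is parsed; this is a model, not IOS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the configuration from the question (exit lines omitted).
CONFIG = """
ip access-list extended ALLOW-TCP
 permit tcp any any
ip access-list extended ALLOW-UDP
 permit udp any any
ip access-list extended ALLOW-IP
 permit ip any any
vlan access-map MY-VACL-MAP 10
 match ip address ALLOW-TCP
 action forward
vlan access-map MY-VACL-MAP 20
 action drop
vlan access-map MY-VACL-MAP 30
 match ip address ALLOW-IP
 action forward
vlan filter MY-VACL-MAP vlan-list 22
"""

# Constructed variant: sequence 20 matches only UDP instead of everything.
VARIANT = CONFIG.replace("vlan access-map MY-VACL-MAP 20\n",
                         "vlan access-map MY-VACL-MAP 20\n match ip address ALLOW-UDP\n")


@dataclass
class Sequence:
    number: int
    acls: List[str] = field(default_factory=list)  # names from `match ip address`
    action: str = "forward"


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[int, Sequence]]]:
    """Return (acls, maps): ACL name -> ACE lines, map name -> {seq: Sequence}."""
    acls: Dict[str, List[str]] = {}
    maps: Dict[str, Dict[int, Sequence]] = {}
    ctx: Optional[tuple] = None  # current config sub-mode
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            acls[tok[3]] = []
            ctx = ("acl", tok[3])
        elif tok[:2] == ["vlan", "access-map"]:
            name, seq = tok[2], (int(tok[3]) if len(tok) > 3 else 10)
            maps.setdefault(name, {})[seq] = Sequence(seq)
            ctx = ("map", name, seq)
        elif tok[:2] == ["vlan", "filter"] or tok[0] == "exit":
            ctx = None
        elif ctx and ctx[0] == "acl" and tok[0] in ("permit", "deny"):
            acls[ctx[1]].append(" ".join(tok))
        elif ctx and ctx[0] == "map":
            s = maps[ctx[1]][ctx[2]]
            if tok[:3] == ["match", "ip", "address"]:
                s.acls.extend(tok[3:])
            elif tok[0] == "action":
                s.action = tok[1]
    return acls, maps


def ace_permits(ace: str, proto: str) -> bool:
    """Does a `permit|deny <proto> any any` entry permit a packet of `proto`?"""
    kw, ace_proto = ace.split()[:2]
    return kw == "permit" and ace_proto in ("ip", proto)


def evaluate(acls: Dict[str, List[str]], vmap: Dict[int, Sequence], proto: str) -> Tuple[str, Optional[int]]:
    """Return (action, deciding sequence) for one packet; (drop, None) if nothing matched."""
    for seq in sorted(vmap):
        s = vmap[seq]
        matched = not s.acls or any(  # no match clause -> matches everything
            ace_permits(ace, proto) for name in s.acls for ace in acls.get(name, []))
        if matched:
            return s.action, seq
    return "drop", None  # implicit deny at the end of the map


def unreachable_sequences(vmap: Dict[int, Sequence]) -> List[int]:
    """Sequences that can never decide a packet because an earlier one has no match clause."""
    dead, catch_all_seen = [], False
    for seq in sorted(vmap):
        if catch_all_seen:
            dead.append(seq)
        elif not vmap[seq].acls:
            catch_all_seen = True
    return dead


def trace(config: str = CONFIG, protocols=("tcp", "udp", "icmp"), map_name: str = "MY-VACL-MAP"):
    acls, maps = parse_config(config)
    return {p: evaluate(acls, maps[map_name], p) for p in protocols}


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("seq 20 matches UDP only", VARIANT)):
        print(f"--- {label}; unreachable: {unreachable_sequences(parse_config(cfg)[1]['MY-VACL-MAP'])}")
        for proto, (action, seq) in trace(cfg).items():
            print(f"{proto:5} -> {action:7} (decided by sequence {seq})")
```

With the map as posted, TCP is forwarded by sequence 10 and everything else is dropped by sequence 20, so sequence 30 is reported as unreachable. In the variant, UDP is dropped by sequence 20 while ICMP falls through to sequence 30 and is forwarded, which is the behaviour the book's first passage describes and the posted map does not produce.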
