Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VACL {meaning of permit | deny} ?


The following snippet is taken from the following link:

"When a flow matches a permit ACL entry,

the associated action is taken and the flow is not checked against the remaining sequences. When a flow

matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence."

I am not convinced about the above statement:

If I create the following vacl

vlan access-map block-aspire 10

action drop

match ip address ipexpert

vlan access-map block-aspire 20

action forward

vlan filter block-aspire vlan-list 55

ip access-list extended ipexpert

permit ip host host

Here, I have a 'permit' access-list entry and the action performed is to successfully drop packets between the hosts and and to forward other packets for vlan 55.

If I change seq no 20 to 'drop' then I can see that this action is being taken since no hosts in vlan 55 can ping each other.

This appears contrary to the cisco link.

Can someone please verify ?

PS: I am using 2x3550's not 6500's as in the Cisco link.



Hall of Fame Super Bronze

Re: VACL {meaning of permit | deny} ?

The document says:

When a flow matches a deny ACL entry

and you did:

I change seq no 20 to 'drop'

You didn't create a deny ACL entry as the document states.