Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

VACL not limiting traffic.

I have a VACL set up to forward/capture certain VLAN traffic to an ART applaicne. However, when I attepmt tp limit or exclude Veritas traffic, it still allows all traffic through. What am I doing wrong?

vlan access-map VACL_MAP 10

match ip address VACL_LIST

action forward capture

vlan access-map VACL_MAP 20

match ip address VACL_LIST_ALL

action forward

vlan filter VACL_MAP vlan-list 101,280-298,501,510,803-804,806,808,813-815,875

ip access-list extended VACL_LIST

3 deny tcp any any eq 9284

4 deny tcp any any eq 13709

5 deny tcp any any eq 13711

10 deny tcp any any range 13701 13702

20 deny tcp any any range 13705 13706

30 deny tcp any any range 13713 13724

40 deny tcp any any range 13782 13784

50 permit ip any any

ip access-list extended VACL_LIST_ALL

10 permit ip any any

2 REPLIES
Blue

Re: VACL not limiting traffic.

Which is the traffic you want to drop and which is the traffic you want to forward?

Your VACL denies traffic and then tries to forward it...dont get the logic.

In the ACL, permit the traffic you want to ultimately deny in the VACL.

Example for how to drop the flows in the ACL:

ip access-list extended DROP_TRAFFIC

permit ip 1.1.1.1 2.2.2.2

permit ip 3.3.3.3 4.4.4.4

vlan access-map VACL_MAP 10

match ip address DROP_TRAFFIC

action drop

vlan access-map VACL_MAP 20

action forward capture

The VACL is like a route map. It will match everything else if you dont specify a match statement. So, it matches the ACL, drops the traffic...then matches everything else and forwards it.

HTH

Please rate all helpful posts

Victor

Community Member

Re: VACL not limiting traffic.

Victor,

Thanks for the answer, but the issue is that I'd arather not drop the traffic, I would prefer that it not be forwared to the capture port, but still forwared as normal.

Does that make sense?

138
Views
0
Helpful
2
Replies
CreatePlease to create content