04-16-2009 01:03 PM - edited 03-06-2019 05:13 AM
I have a VACL set up to forward/capture certain VLAN traffic to an ART appliance. However, when I attempt to limit or exclude Veritas traffic, it still allows all traffic through. What am I doing wrong?
vlan access-map VACL_MAP 10
match ip address VACL_LIST
action forward capture
vlan access-map VACL_MAP 20
match ip address VACL_LIST_ALL
action forward
vlan filter VACL_MAP vlan-list 101,280-298,501,510,803-804,806,808,813-815,875
ip access-list extended VACL_LIST
3 deny tcp any any eq 9284
4 deny tcp any any eq 13709
5 deny tcp any any eq 13711
10 deny tcp any any range 13701 13702
20 deny tcp any any range 13705 13706
30 deny tcp any any range 13713 13724
40 deny tcp any any range 13782 13784
50 permit ip any any
ip access-list extended VACL_LIST_ALL
10 permit ip any any
04-16-2009 02:58 PM
Which is the traffic you want to drop and which is the traffic you want to forward?
Your VACL denies traffic and then tries to forward it... don't get the logic.
In the ACL, permit the traffic you want to ultimately deny in the VACL.
Example for how to drop the flows in the ACL:
ip access-list extended DROP_TRAFFIC
permit ip 1.1.1.1 2.2.2.2
permit ip 3.3.3.3 4.4.4.4
vlan access-map VACL_MAP 10
match ip address DROP_TRAFFIC
action drop
vlan access-map VACL_MAP 20
action forward capture
The VACL is like a route map. It will match everything else if you don't specify a match statement. So, it matches the ACL, drops the traffic... then matches everything else and forwards it.
HTH
Please rate all helpful posts
Victor
04-17-2009 09:31 AM
Victor,
Thanks for the answer, but the issue is that I'd rather not drop the traffic. I would prefer that it not be forwarded to the capture port, but still forwarded as normal.
Does that make sense?
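The two posts above describe how a VACL is evaluated: a sequence is selected only when its ACL *permits* the packet, a deny (including the implicit deny at the end of the ACL) falls through to the next sequence, a sequence without a match clause matches everything, and a packet that matches no sequence is dropped. The following Python model is an added example, not code from the thread or from Cisco; it encodes those rules, runs the access map exactly as posted in the question against a few constructed flows, and then runs a restructured map built the way Victor suggests but with the action the original poster actually wants (forward the Veritas flows without capture, forward and capture everything else). Addresses are ignored and only protocol and ports are modelled; the ACL name VERITAS and the sample ports 51000/52000 are assumptions.

```python
"""Model of Cisco VACL evaluation (added example, not the thread's own config)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None for a port range means 'any'."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" or "tcp"
    src_ports: Optional[range] = None
    dst_ports: Optional[range] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_ports is not None and pkt.src_port not in self.src_ports:
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        return True


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def vacl_action(access_map, acls, pkt: Packet) -> str:
    """Walk the sequences in order. A sequence with no match clause (acl_name
    None) matches everything; only a permit in the referenced ACL selects a
    sequence, a deny falls through. No matching sequence at all means drop."""
    for _seq, acl_name, action in access_map:
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action
    return "drop"


def ports(lo: int, hi: Optional[int] = None) -> range:
    return range(lo, (hi if hi is not None else lo) + 1)


# Veritas destination ports exactly as listed in the question's ACL.
VERITAS_PORTS = [ports(9284), ports(13709), ports(13711), ports(13701, 13702),
                 ports(13705, 13706), ports(13713, 13724), ports(13782, 13784)]

# ACLs and access map as posted. `tcp any any eq X` tests the destination port only.
ACLS_POSTED = {
    "VACL_LIST": [Ace("deny", "tcp", dst_ports=r) for r in VERITAS_PORTS]
                 + [Ace("permit", "ip")],
    "VACL_LIST_ALL": [Ace("permit", "ip")],
}
MAP_POSTED = [(10, "VACL_LIST", "forward capture"), (20, "VACL_LIST_ALL", "forward")]

# Restructured per Victor's approach: permit the traffic the first sequence should
# act on, give it a plain forward, and let a match-all sequence forward + capture
# the rest. Both directions are listed so the server->client replies (Veritas port
# as *source*) are excluded too. ACL name VERITAS is assumed.
ACLS_FIXED = {
    "VERITAS": [Ace("permit", "tcp", dst_ports=r) for r in VERITAS_PORTS]
               + [Ace("permit", "tcp", src_ports=r) for r in VERITAS_PORTS],
}
MAP_FIXED = [(10, "VERITAS", "forward"), (20, None, "forward capture")]

# Constructed sample flows (ephemeral ports 51000/52000 are made up).
SAMPLES = {
    "veritas request": Packet("tcp", 51000, 13782),
    "veritas reply": Packet("tcp", 13782, 51000),
    "https": Packet("tcp", 52000, 443),
}


def evaluate(access_map, acls) -> dict:
    """Action chosen by the access map for every sample flow."""
    return {name: vacl_action(access_map, acls, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, amap, acls in (("posted", MAP_POSTED, ACLS_POSTED),
                              ("restructured", MAP_FIXED, ACLS_FIXED)):
        print(label)
        for name, action in evaluate(amap, acls).items():
            print(f"  {name:16} -> {action}")
```

Run against the posted rules, the model gives the Veritas *request* a plain forward (the deny in VACL_LIST drops it out of sequence 10 and sequence 20 forwards it), but the Veritas *reply* still lands on "forward capture", because every deny entry tests only the destination port and the reply carries 13782 as its source port. The restructured map forwards both directions without capture and still captures the HTTPS flow; removing its match-all sequence makes the model fall through to the VACL's implicit drop, which is the behaviour Victor warns about.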