9 Replies. Latest reply: Dec 9, 2011 10:26 AM by Elvin Arias


    Steven Williams

      Keith -


      I was watching a video last night that was taught by you a few years back I assume on layer 2 security. Now with VACLs you created a permit ACL for a tcp any any eq 23. But then when you applied it the action was to drop the traffic that matched. Now my question is why? If you are just going to drop traffic that you are permitting why not save a step and deny it?

        • 1. Re: VACL's
          Scott Morris - CCDE/4xCCIE/2xJNCIE

          So VACLs are a little confusing in the logic used.


          A "plain" ACL is simply a list of permit/deny things, and as you noted, telnet would be permitted in the access list itself.  If that were applied to an interface (RACL is the festive term someone invented for that) then telnet would indeed be permitted.


          In a VACL (much like route-maps) there is a separation between the "match" and the "action".  So a "permit" in the match portion only signifies "yes, I want to match that".  And the action taken is a completely different set of thinking.


          So if a "deny" were used in the ACL for matching, then that would say "No, I'm not matching that traffic, take no action and proceed to the next stanza for further matching/action".


          So in that case the deny action would only take place to items positively identified by the match clauses.





          • 2. Re: VACL's
            Steven Williams

            OK, so anything you want to forward has to be defined as a "permit" then the action would be "forward" or "drop". Seriously who came up with this stuff...So then without any actions defined your ACLs for your VLAN are useless...

            • 3. Re: VACL's
              Keith Barker - CCIE RS/Security, CISSP

              Scott is right on.


              The logic is, "congratulations you match the ACL permit statement", and then the packet asks, "what did I win?"


              The answer, based on the VACL or Route Map that was using the ACL as a classifier, decides the action.   A deny statement in a VACL or a Route Map decides that the packet (who just had his hopes up) just won a first class trip to the bit bucket.





              • 4. Re: VACL's
                Elvin Arias

                I see the VACL action logic as basic maths. Two positives make a positive, a positive and a negative makes a negative, and so on.



                • 5. Re: VACL's
                  Steven Williams

                  So I was thinking about this tonight and I had another question. When applying a VACL, do you have to define an ACL statement for all traffic you want to allow?

                  • 6. Re: VACL's
                    Keith Barker - CCIE RS/Security, CISSP

                    Hollywood0728 wrote:


                    So I was thinking about this tonight and I had another question. When applying a VACL, do you have to define an ACL statement for all traffic you want to allow?

                    If there is a "permit" sequence, without a match clause, it will match on and permit all remaining traffic.





                    • 7. Re: VACL's
                      Steven Williams

                      Sorry Keith, I do not understand. Can you run out an example? 

                      • 8. Re: VACL's
                        Keith Barker - CCIE RS/Security, CISSP



                        Sequence 20 has no match condition; as a result, everything that makes it to sequence 20 (wasn't dropped by 10) will match and be permitted.


                        mac access-list extended MACL-1
                         permit any any 0x8137 0x0
                         permit any any 0x8138 0x0

                        vlan access-map VACL-1 10
                         match mac address MACL-1
                         action drop

                        vlan access-map VACL-1 20
                         action forward

                        vlan filter VACL-1 vlan-list 10


                        Best wishes,
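A small model of the match/action evaluation that Keith's VACL-1 relies on, added here as an example; it is not code from the thread or from Cisco. The ACL entry and sequence classes, the "deny in the ACL means not matched, try the next sequence" rule, and the implicit drop at the end of the map are assumptions chosen to illustrate the logic discussed above.

```python
# Added example (not from the thread): a toy model of how a VACL classifies a
# frame. Assumptions: an ACL entry is (permit|deny, ethertype or None for "any");
# a sequence matches only when its ACL *permits* the frame; a "deny" entry means
# "not matched here, try the next sequence"; a sequence with no match clause
# matches everything; a frame that matches no sequence is dropped.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AclEntry:
    permit: bool
    ethertype: Optional[int] = None   # None = "any any"

@dataclass
class Sequence:
    action: str                       # "forward" or "drop"
    match_acl: Optional[list] = None  # None = no match clause at all

def acl_permits(acl, ethertype):
    """First matching entry wins; no matching entry means the ACL does not permit."""
    for entry in acl:
        if entry.ethertype is None or entry.ethertype == ethertype:
            return entry.permit
    return False

def vacl_action(access_map, ethertype):
    """Walk the sequences in order and return the action of the first that matches."""
    for seq in access_map:
        if seq.match_acl is None or acl_permits(seq.match_acl, ethertype):
            return seq.action
    return "drop"  # nothing matched: implicit drop at the end of the map

# Keith's VACL-1: MACL-1 permits (classifies) the two IPX ethertypes, sequence 10
# drops what it classified, sequence 20 has no match clause and forwards the rest.
MACL_1 = [AclEntry(True, 0x8137), AclEntry(True, 0x8138)]
VACL_1 = [Sequence("drop", MACL_1), Sequence("forward")]

# Constructed counter-example: writing "deny" in the ACL does NOT drop IPX. The deny
# only says "not matched by this sequence", so IPX falls through to sequence 20 and
# is forwarded, while everything else hits "permit any" and is dropped instead.
MACL_WRONG = [AclEntry(False, 0x8137), AclEntry(True)]
VACL_WRONG = [Sequence("drop", MACL_WRONG), Sequence("forward")]

if __name__ == "__main__":
    for et in (0x8137, 0x0800):
        print(f"VACL-1     0x{et:04x}: {vacl_action(VACL_1, et)}")
        print(f"VACL-WRONG 0x{et:04x}: {vacl_action(VACL_WRONG, et)}")
```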



                        • 9. Re: VACL's
                          Elvin Arias

                          What Keith means is that if you don't add any match statement into the access map it will match everything just like a route-map.


                          For instance if you see the example above the first sentence is matching the access-list called "MACL-1" and denying that traffic (it's being permitted to be denied, I know ...sounds crazy), and the second statement is the "VACL-1" which doesn't have any matching at all, therefore it is matching everything and permitting it.