VLAN access maps query

Hi,

Question 1. I'm trying to understand VACLs but cannot get my head around them, and I've been doing some reading. Looking at the example below, can anyone help?

(config)#ip access-list extended local-17
(config-acl)#permit ip host 192.168.99.17 192.168.99.0 0.0.0.255 - means allow this single host to its own network
(config-acl)#exit
(config)#vlan access-map block-17 10
(config-access-map)#match ip address local-17 - means match the above IP address
(config-access-map)#action drop - means drop all traffic from any other IP address except 192.168.99.17
(config-access-map)#vlan access-map block-17 20
(config-access-map)#action forward - as the keyword is (block) I am not sure what this means, as it states (forward)?
(config-access-map)#exit
(config)#vlan filter block-17 vlan-list 99 - allows the above to happen
mikey250 asked:
Soulja commented:
The ACL that you create is used by the VACL to match traffic that it will act upon.

Drop means the VACL will drop traffic that it matches in the ACL. Forward means it will forward traffic that it matches in the ACL.

Based on your ACL, it will match traffic from that host and either drop it or forward it. Any other traffic that doesn't get matched is not intercepted by the VACL.
Akinsd (Network Administrator) commented:
VACLs are like route maps.
The ACL permits the address specified to be acted upon.

The match statement matches the ACL specified.

Your VACL
Akinsd (Network Administrator) commented:
Your VACL will actually drop any traffic from the range and pass everything else.

The default action for VACLs is forward, an implicit forward if you will.

Your access list is permitting the address to be dropped by the VACL.

I hope that makes sense.

If your goal is to permit just that range:
Deny the range in the ACL instead.
Add permit any any to the ACL.

The ACL will filter the range from being processed.
The VACL therefore will forward that range and drop everything else.

mikey250 (Author) commented:
Hi Soulja,

"The ACL that you create is used by the VACL to match traffic that it will act upon."

- Yes, I understand.

"Drop means the VACL will drop traffic that it matches in the ACL. Forward means it will forward traffic that it matches in the ACL."

- Apparently (drop) does not mean that, hence the confusion.

"Based on your ACL, it will match traffic from that host and either drop it or forward it. Any other traffic that doesn't get matched is not intercepted by the VACL."
mikey250 (Author) commented:
"Your VACL will actually drop any traffic from the range and pass everything else.

The default action for VACLs is forward, an implicit forward if you will.

Your access list is permitting the address to be dropped by the VACL." - Yes, this confuses me. What is the point of permitting in the ACL and then (drop)ping it?

"I hope that makes sense.

If your goal is to permit just that range:
Deny the range in the ACL instead.
Add permit any any to the ACL.
The ACL will filter the range from being processed.
The VACL therefore will forward that range and drop everything else."

Qns 1. Is there any chance of you explaining line by line individually for my example, assuming it is a good example, so I can gain structure in my mind? Because I'm confused, and apologies for me being thick.
Akinsd (Network Administrator) commented:
Take a box and put a couple of shirts in it.
Mark a set of shirts with blue ink.
Then inform your employee to check the box and only wash the shirts with blue ink. He is not to pay attention to anything else.
This means, literally, you have permitted the blue-ink-marked shirts to be paid attention to, and the others ignored.

This means:
permit blue-ink-stained shirts
implicit deny any any will catch the rest

To Employee:
Look at blue-ink shirts (match statement)
Action to perform when you get a match = wash

Conversely
To the same employee:
access-list box
you are denied to look at blue-ink shirts (deny blue-ink shirts)
I permit you to look at every other shirt (permit any any)

Match anything you are permitted to inspect (match access-list box)
The employee will ignore all blue-ink shirts
He will match all other shirts
Action = wash

In this case, every shirt with no blue ink will be washed.

If Action is drop:
Every shirt with no blue ink will be dropped.

Blue-ink shirts are ignored and not inspected because the employee was denied the permission to inspect them. The same logic goes for VACLs. The filter is denied access to inspect anything denied in the access list.

Since the default action is forward, all blue shirts will pass through unwashed.
In other words, all blue-ink shirts will be forwarded.

Just note these:
There is an implicit (invisible) deny statement in "common" access lists (RACL, PACL).
There is an implicit (invisible) forward action in VACLs.

Implicit meaning it is there whether you type it or not.

I hope this helps.

All the best
Soulja commented:
@Akin

That is a nice analogy. I do however have to disagree. All VACLs have an implicit drop action at the end, so traffic that is not matched by the referenced ACL will be dropped. In order to forward the other traffic, another sequence needs to be added to the VACL referencing another ACL that has a permit any and having an action to forward.
Craig Beck commented:
ip access-list extended local-17
permit ip host 192.168.99.17 192.168.99.0 0.0.0.255


If you use the action permit command within the VLAN access-map you will forward ONLY traffic from host 192.168.99.17 due to the implicit deny at the end of the ACL.

If you use the action drop command you will drop ONLY traffic from 192.168.99.17, and pass everything else, again due to the implicit deny at the end of the ACL.

Page 35-9 is a good example...

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.pdf
Akinsd (Network Administrator) commented:
@Soulja

I think you misunderstood my statement. There is an implicit drop, but the default action is forward, which means there is an implicit forward logically, depending on the filter.

If you deny the traffic from being inspected (as in deny in acl), it doesn't matter if your action is drop or forward, the traffic will be forwarded regardless. That is what I was alluding to.

Traffic that is not matched by the VACL is invisible to the VACL.
It is ignored. How do you drop what you've been instructed not to inspect?

How you configure the ACL determines if everything is dropped or if everything is allowed.

If you permit everything in the ACL and don't match it in the filter, then everything not matched will be dropped because you permitted everything to be inspected.

If you deny everything in the ACL, everything will be forwarded because nothing is inspected.
If you permit everything in the ACL, everything will be dropped unless your action is forward.

This will help you when configuring Route Maps, Policy Routing. Very significant especially with route redistribution and BGP configuration.
Soulja commented:
Per Cisco's site:

VLAN Access Map Configuration and Verification Examples

Assume IP-named ACLs net_10 and any_host are defined as follows:

Router# show ip access-lists net_10
Extended IP access list net_10
    permit ip 10.0.0.0 0.255.255.255 any

Router# show ip access-lists any_host
Standard IP access list any_host
    permit any

This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLANs 12 to 16.

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16

This example shows how to define and apply a VLAN access map to drop and log IP packets. In this example, IP traffic matching net_10 is dropped and logged and all other IP packets are forwarded:

Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log
Router(config-access-map)# exit
Router(config)# vlan access-map ganymede 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter ganymede vlan-list 7-9

You have to add an ACL and sequence to allow all other traffic or it will be dropped.
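As an added illustration (not part of the thread and not Cisco code), the following Python model reproduces the evaluation order that the thor and ganymede examples above and the original block-17 map rely on: the referenced ACL is walked first-match-wins with an implicit deny at its end, a sequence with no match clause matches every packet, and a packet matching no sequence falls to the map's implicit drop. The ACL and map definitions mirror the thread's configs; the sample packets are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any" as (base, wildcard)

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """Extended ACL: first matching entry wins; implicit deny any any at the end.
    Entries are (action, src_base, src_wild, dst_base, dst_wild)."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False  # implicit deny: the packet is NOT matched by this ACL

def vacl_action(access_map, acls, src, dst):
    """VLAN access map: sequences evaluated in ascending order. A sequence
    matches when its ACL permits the packet; a sequence with no match clause
    (None) matches everything. No sequence matched -> implicit drop."""
    for seq in sorted(access_map):
        match_acl, action = access_map[seq]
        if match_acl is None or acl_permits(acls[match_acl], src, dst):
            return action
    return "drop"  # implicit drop at the end of the map

# ACLs from the question and from the quoted Cisco example
ACLS = {
    "local-17": [("permit", "192.168.99.17", "0.0.0.0", "192.168.99.0", "0.0.0.255")],
    "net_10":   [("permit", "10.0.0.0", "0.255.255.255", *ANY)],
    "any_host": [("permit", *ANY, *ANY)],
}
# access maps: {sequence: (acl name or None, action)}
MAPS = {
    "block-17": {10: ("local-17", "drop"), 20: (None, "forward")},
    "thor":     {10: ("net_10", "forward")},
    "ganymede": {10: ("net_10", "drop"), 20: ("any_host", "forward")},
}

if __name__ == "__main__":
    # constructed sample packets: (source, destination)
    for name, pkt in [("block-17", ("192.168.99.17", "192.168.99.50")),
                      ("block-17", ("192.168.99.50", "192.168.99.17")),
                      ("thor", ("172.16.0.9", "10.1.2.3")),
                      ("ganymede", ("172.16.0.9", "1.1.1.1"))]:
        print(name, pkt, "->", vacl_action(MAPS[name], ACLS, *pkt))
```

Running it shows why block-17 behaves as the asker hoped only because sequence 20 exists: without it, every packet not sourced from 192.168.99.17 would hit the implicit drop, exactly as thor drops non-10/8 traffic.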
mikey250 (Author) commented:
Hi, I have not forgotten about this thread, as I'm trying to complete my configs for (distribution and access) so I can then come back to adding these VACLs.

I'm currently in the process of completing this so I can then add some VACLs.

Appreciated
mikey250 (Author) commented:
Hi Akinsd,

"This will help you when configuring route maps, policy routing. Very significant especially with route redistribution and BGP configuration."

You make reference to the above, so as I have configured in the past (6 routers with RIP, OSPF/redistribution, also all having internet access to my 6th router at the ISP), I assume the routing policy like my example below would be created and (if it happened to pass through a switch) a VACL would also need to be created to ensure it points in the direction of the ISP route...

But can you give me an example, as I only understand my own followed example?

Below shows 3 interconnected OSPF routers with the following, which is a routing policy configured via a route map. This allows specific (host a): 192.168.72.2/24 to choose int s0/1 (bandwidth T1-768) temporarily; otherwise, by default without the route map, it would choose T1-1544 instead:

Topology:

host a - 192.168.72.2/24 - connects to router a/int fa0/0
host b - 192.168.76.2/24 - connects to router a/int fa0/1

router a (master router)

int s0/0 - (bandwidth full T1-1544) connects to router b
int s0/1 - (bandwidth T1-768) connects to router c

Cisco switch:

router b & c - connected via a Cisco switch

host c - 10.0.0.3/24 - connects to Cisco switch int fa0/3

router a

access-list 1 permit 192.168.72.0 0.0.0.255
route-map slow4u permit 10
match ip address 1
set interface serial0/1

int fa0/0
ip policy route-map slow4u
Akinsd (Network Administrator) commented:
Basically, yes.

That's the logic behind route maps and VACLs. It is that simple.

See examples here:
http://www.ciscopress.com/articles/article.asp?p=102092
mikey250 (Author) commented:
Thanks for that (URL), I will spend some time reading that!! Appreciated.
mikey250 (Author) commented:
Appreciated!!