
Task 1.17
Hi!
I have a question about the VLAN ACL task.
I came up with this.
vlan access-map GUEST_ACCESS 10
 action forward
 match ip address GUEST
!
vlan filter GUEST_ACCESS vlan-list 60
Extended IP access list GUEST
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 permit tcp any eq www any
40 permit tcp any eq 443 any
The SG has a different ACL configured with permit ip any any and then uses action drop in line 20 of the VACL. Isn't this overkill? If there is at least one match statement in the VACL, then the default action would be to drop. So any traffic not matching the IP addresses in ACL GUEST would be dropped, right?
Can I get some clarification as to why the second ACL and VACL statement was used?
Thanks,
Erick
Comments
VLAN Access Lists can also filter layer 2 traffic. By specifically matching an IP access-list and dropping it, we are constraining the filter to IP only, and not layer 2 protocols like STP.
(R&S/SP/Security)
Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.INE.com
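The two-clause form the question compares against, written out as an added example (this is not the SG's or the original poster's configuration; the catch-all ACL name ALL_IP is assumed):

```cisco
! GUEST: the IP traffic the guest VLAN is allowed to carry (web, both directions)
ip access-list extended GUEST
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any eq www any
 permit tcp any eq 443 any
!
! ALL_IP (assumed name): matches every IP packet, used only as a VACL match clause
ip access-list extended ALL_IP
 permit ip any any
!
! Sequence 10: IP packets matching GUEST are forwarded
vlan access-map GUEST_ACCESS 10
 match ip address GUEST
 action forward
! Sequence 20: every other IP packet is matched explicitly and dropped.
! Only IP match clauses exist in this map, so non-IP frames (STP, CDP, ARP)
! never hit a match clause and are not subject to the drop; the explicit
! clause states the IP-only intent instead of relying on the implicit default.
vlan access-map GUEST_ACCESS 20
 match ip address ALL_IP
 action drop
!
vlan filter GUEST_ACCESS vlan-list 60
```

Verify with show vlan access-map GUEST_ACCESS and show vlan filter, which list each sequence with its match clause and action.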
eborgard wrote:
Thank you for the clarification.
Erick