Task 1.17

Hi!

I have a question about the VLAN ACL task.

I came up with this.

vlan access-map GUEST_ACCESS 10
 action forward
 match ip address GUEST
!
vlan filter GUEST_ACCESS vlan-list 60

Extended IP access list GUEST
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
    30 permit tcp any eq www any
    40 permit tcp any eq 443 any

The SG has a different ACL configured with permit ip any any and then using action drop in line 20 of the VACL.  Isn't this overkill?  If there is at least one match statement in the VACL, then the default action would be to drop.  So any traffic not matching the ip addresses in ACL GUEST would be dropped right?

Can I get some clarification as to why the second ACL and VACL statement was used?

Thanks,

Erick

Comments

  • VLAN Access Lists can also filter layer 2 traffic.  By specifically
    matching an IP access-list and dropping it, we are constraining the
    filter to IP only, and not layer 2 protocols like STP.



    Brian McGahan, CCIE #8593
    (R&S/SP/Security)

    [email protected]



    Internetwork Expert, Inc.

    http://www.INE.com

    Toll Free: 877-224-8987 x 705

    Outside US: 775-826-4344 x 705

    Online Community: http://www.IEOC.com

    CCIE Blog: http://blog.INE.com

    Internetwork Expert - The Industry Leader in CCIE Preparation

    http://www.internetworkexpert.com
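The access-map pattern Brian describes, written out in full as an added example; this is not the SG's configuration nor a config from the original post. The ACL name ALL_IP is an assumption (the thread does not show the SG's name for its permit-ip-any-any list), the GUEST entries and VLAN 60 are taken from Erick's post, and the show commands at the end are the usual verification steps, not something the thread quotes.

```cisco
! Traffic that the guest VLAN is allowed to send and receive
! (same four entries Erick posted)
ip access-list extended GUEST
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any eq www any
 permit tcp any eq 443 any
!
! Catch-all for every remaining IP packet.  The name ALL_IP is an
! assumption; the SG's own name for this list is not shown in the thread.
ip access-list extended ALL_IP
 permit ip any any
!
! Sequence 10: forward guest web traffic.
! Sequence 20: explicitly match all other IP packets and drop them, so the
! drop is scoped to IP and does not reach layer 2 protocols such as STP.
vlan access-map GUEST_ACCESS 10
 action forward
 match ip address GUEST
vlan access-map GUEST_ACCESS 20
 action drop
 match ip address ALL_IP
!
! Apply the map to the guest VLAN
vlan filter GUEST_ACCESS vlan-list 60
!
! Verification, from exec mode:
!   show vlan access-map GUEST_ACCESS   (both sequences, with their actions)
!   show vlan filter                     (map is applied to VLAN 60)
```

Sequence 20 can only ever match IP packets, because `permit ip any any` is an IP access-list; that is what keeps the explicit drop from touching non-IP frames. Compare the output of `show vlan access-map GUEST_ACCESS` against the intended sequence numbers before trusting the filter, since an entry typed under the wrong sequence silently changes the order of evaluation.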



  • Hi Brian.

    Thank you for the clarification.

    Erick

    On Wed, Oct 14, 2009 at 9:57 AM, Brian McGahan <[email protected]> wrote:
    VLAN Access Lists can also filter layer 2 traffic.  By specifically
    matching an IP access-list and dropping it, we are constraining the
    filter to IP only, and not layer 2 protocols like STP.

