Access control list and Virtual Local Area Networks Maps

[Nobleman]

The 3750 Command Reference states: "There can be only one VLAN map per VLAN and it is applied as packets are received by a VLAN."

Does "received by a VLAN" mean a packet that the 3750 forwards from one SVI to another or does it mean a packet that comes into a Gigabit Ethernet port that's a member of the VLAN? For access-groups, do the keywords IN and OUT always refer to physical ports (and never to SVIs or to the process of forwarding packets from one VLAN to another)?

[Marco-D]

Quote:

Originally Posted by Nobleman

The 3750 Command Reference states: "There can be only one VLAN map per VLAN and it is applied as packets are received by a VLAN."

Does "received by a VLAN" mean a packet that the 3750 forwards from one SVI to another or does it mean a packet that comes into a Gigabit Ethernet port that's a member of the VLAN? For access-groups, do the keywords IN and OUT always refer to physical ports (and never to SVIs or to the process of forwarding packets from one VLAN to another)?

Since a Vlan is Logical, It Means Comes IN and is processed by a Logical Vlan interface, which would be at any number of physical ingress points based on trunks or access ports. Since I really didn't answer your bigger question, an access-list is 'routed' traffic being processed by the SVI. The VACL or vlan map will impact intra-vlan traffic which an access-list does not. L2 vs L3.

[The Edge]

Quote:

Originally Posted by Marco-D

Since a Vlan is Logical, It Means Comes IN and is processed by a Logical Vlan interface, which would be at any number of physical ingress points based on trunks or access ports. Since I really didn't answer your bigger question, an access-list is 'routed' traffic being processed by the SVI. The VACL or vlan map will impact intra-vlan traffic which an access-list does not. L2 vs L3.

It seems to me that forwarding process from say, VLAN 10 to VLAN 20 would be another ingress point for VLAN 20.If this is not true, why not?

[Marco-D]

Quote:

Originally Posted by The Edge

It seems to me that forwarding process from say, VLAN 10 to VLAN 20 would be another ingress point for VLAN 20.If this is not true, why not?

I would agree with that, so I would assume that in that case, a vacl and an acl would both apply to that traffic.However, if it is vlan 10 to vlan 10, only a vacl would impact that traffic.I have never tried both at the same time, as I use ACLs for layer 3, and VACLs for sniffer ports, etc.Perhaps someone can correct me if a VACL only applies to intra-vlan traffic.