Access Security Guide K/KA/KB.15.15

Figure 247 ACL "Test-1" and interface assignment commands
Figure 248 Using the same ACL for VACL and RACL applications
In the above case:
• Matches with ACEs 10 or 20 that originate on VLAN 20 will increment only the counters for
  the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters
  in the instances of ACL Test-1 assigned to VLANs 50 and 70 will not be incremented.
• Any Telnet requests to 10.10.20.12 that originate on VLANs 50 or 70 will be filtered by
  instances of Test-1 assigned as RACLs, and will increment the counters for ACE 10 on both
  RACL instances of the Test-1 ACL.
Using the network in Figure 83 (page 111), a device at 10.10.20.4 on VLAN 20 attempting to
ping and Telnet to 10.10.20.2 is filtered through the VACL instance of the "Test-1" ACL on VLAN
20 and results in the following:
Figure 249 Ping and telnet from 10.10.20.4 to 10.10.20.2 filtered by the assignment of "Test-1"
as a VACL on VLAN 20

• Drop all GVRP advertisements received on the port.
• Disable the port from sending advertisements of existing GVRP-created VLANs on the switch.
For more information, see "GVRP" in the Advanced Traffic Management Guide.
3. If you disable the use of dynamic VLANs in an authentication session using the no aaa
port-access gvrp-vlans command, client sessions that were authenticated with a dynamic
VLAN continue and are not deauthenticated.
Note: This behavior differs from how static VLAN assignment is handled in an authentication
session. If you remove the configuration of the static VLAN used to create a temporary client session,
the 802.1X, MAC, or Web authenticated client is deauthenticated.
However, if a RADIUS-configured dynamic VLAN used for an authentication session is deleted
from the switch through normal GVRP operation (for example, if no GVRP advertisements for the
VLAN are received on any switch port), authenticated clients using this VLAN are deauthenticated.
336 IPv4 Access Control Lists (ACLs)