From: Bajo (bajoalex@gmail.com)
Date: Wed Jun 07 2006 - 07:28:16 ART
Hi Max,
VLAN maps have no direction.
Important points from the Doc CD:
VLAN Map Configuration Guidelines
Follow these guidelines when configuring VLAN maps:
If there is no router ACL configured to deny traffic on a routed VLAN
interface (input or output), and *no* VLAN map configured, all traffic is
permitted.
Each VLAN map consists of a series of entries. The order of entries in a
VLAN map is important. A packet that comes into the switch is tested against
the first entry in the VLAN map. If it matches, the action specified for
that part of the VLAN map is taken. If there is no match, the packet is
tested against the next entry in the map.
If the VLAN map has at least one match clause for the type of packet (IP or
MAC) and the packet does not match any of these match clauses, the default
is to drop the packet. If there is no match clause for that type of packet
in the VLAN map, the default is to forward the packet.
The system might take longer to boot if you have configured a very large
number of ACLs.
For information about using both router ACLs and VLAN maps, see the
"Guidelines for Using Router ACLs and VLAN Maps" section
<http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1135336>.
See the "Using VLAN Maps in Your Network" section
<http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1082532>
for configuration examples.
When a switch has an IP access list or MAC access list applied to a Layer 2
interface, you can create VLAN maps, but you cannot apply a VLAN map to any
of the switch VLANs. An error message is generated if you attempt to do so.
If you apply a nonexistent VLAN map to a VLAN, a warning message appears.
Although you can apply a nonexistent VLAN map to a VLAN, it is not enabled
until the VLAN map is defined. To avoid accidentally dropping packets and
disabling connectivity in the middle of the configuration process, we
recommend that you completely define the VLAN map before applying it to a
VLAN.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm
On 6/6/06, Maximus <victorius@gmail.com> wrote:
>
> If I apply a drop in a VLAN access-map, in which direction does the
> filtering take place?
>
> If I want to deny 'dec-spanning' from a router R1, are these two options
> valid?
>
> I make a MAC access-list that denies 'dec-spanning' then permits any, and
> apply it using #mac access-group inbound and outbound on the interface where
> R1 is connected:
>
> # mac access-list extended R1
> deny any any dec-spanning
> permit any any
>
> #int f0/11
> mac access-group R1 in
> or
>
> I make a MAC access-list that permits dec-spanning, match it in a VLAN
> access-map, perform action drop, then apply it to the VLAN using #vlan
> filter:
>
> # mac access-list extended R1
> permit any any dec-spanning
>
> vlan access-map r1 10
> action drop
> match mac address r1
> vlan access-map r1 20
> action forward
> vlan filter r1 vlan-list 10
> --
> regards,
>
> Max
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
Kind Regards,
Bajo
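The following simulator is an added illustration of the VLAN map evaluation rules quoted from the configuration guide above (ordered entries, first match wins, default drop only when the map has a match clause for the packet's type, and an undefined map forwarding everything); it is not Cisco code and not part of either message. The Packet, Ace and MapEntry structures, the ACL name "R1" and the sample traffic are constructed for the example, and it models only the ethertype/address fields needed to show the behaviour of Max's second option with and without its catch-all entry 20.

```python
"""Simulate Catalyst VLAN access-map (VLAN map) evaluation.

Rules modelled (from the configuration guide text quoted in the reply):
  * entries are evaluated in sequence order; the first match decides
  * an entry with no match clause matches every packet
  * a packet that matches no entry is dropped if the map has at least one
    match clause for its type (IP or MAC), otherwise it is forwarded
  * a 'vlan filter' that names a map that is not yet defined forwards everything
  * VLAN maps have no direction: every frame in the VLAN is evaluated once
The data structures below are assumptions made for illustration, not IOS internals.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    kind: str                 # "ip" or "mac" (non-IP frame)
    src: str = "any"
    dst: str = "any"
    proto: str = "any"        # IP protocol or Ethernet type keyword, e.g. "dec-spanning"


@dataclass
class Ace:
    """One access-control entry; "any" in a field is a wildcard."""
    action: str               # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"

    def hits(self, pkt: Packet) -> bool:
        pairs = ((self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto))
        return all(want in ("any", have) for want, have in pairs)


def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.hits(pkt):
            return ace.action == "permit"
    return False


@dataclass
class MapEntry:
    seq: int
    action: str                       # "drop" or "forward"
    match_kind: Optional[str] = None  # "ip", "mac", or None for no match clause
    acl: Optional[str] = None         # name of the ACL the match clause references


def evaluate(vlan_map: Optional[list[MapEntry]], acls: dict[str, list[Ace]], pkt: Packet) -> str:
    """Return "forward" or "drop" for pkt under the given VLAN map."""
    if vlan_map is None:
        return "forward"          # filter references a map that is not defined yet
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.match_kind is None:
            return entry.action   # no match clause: matches every packet
        if entry.match_kind != pkt.kind:
            continue              # an IP clause is not tested against a MAC frame and vice versa
        if acl_permits(acls.get(entry.acl, []), pkt):
            return entry.action
    # No entry matched: drop only if the map has a clause for this packet type.
    has_clause = any(e.match_kind == pkt.kind for e in vlan_map)
    return "drop" if has_clause else "forward"


# Constructed configuration mirroring the second option in the quoted question
# (one ACL name, "R1", is used throughout):
#   mac access-list extended R1
#    permit any any dec-spanning
#   vlan access-map r1 10 / action drop / match mac address R1
#   vlan access-map r1 20 / action forward
ACLS = {"R1": [Ace("permit", proto="dec-spanning")]}
MAP_WITH_CATCHALL = [MapEntry(10, "drop", "mac", "R1"), MapEntry(20, "forward")]
MAP_WITHOUT_CATCHALL = [MapEntry(10, "drop", "mac", "R1")]

SAMPLE = {  # constructed test traffic
    "dec_stp": Packet("mac", proto="dec-spanning"),
    "other_l2": Packet("mac", proto="appletalk"),
    "ip": Packet("ip", src="10.0.0.1", dst="10.0.0.2", proto="tcp"),
}


def verdicts(vlan_map: Optional[list[MapEntry]]) -> dict[str, str]:
    return {name: evaluate(vlan_map, ACLS, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, m in (("with entry 20", MAP_WITH_CATCHALL),
                     ("without entry 20", MAP_WITHOUT_CATCHALL),
                     ("map not defined", None)):
        print(label, verdicts(m))
```

Running it shows why entry 20 matters: with the catch-all, only dec-spanning frames are dropped and everything else is forwarded; without it, every non-IP frame that misses the MAC clause is dropped (the map has a MAC match clause, so the default for MAC frames is drop) while IP packets are still forwarded (no IP match clause). A filter that names a map before it is defined forwards all three samples, which is the "define the map completely before applying it" caveat from the guide.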
This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:32 ART