From: Mike Kraus \(mikraus\) (mikraus@cisco.com)
Date: Mon Jun 11 2007 - 20:53:53 ART
All is clear now. Thanks for the clarification (and advice)!
-----Original Message-----
From: Brian Dennis [mailto:bdennis@internetworkexpert.com]
Sent: Monday, June 11, 2007 6:40 PM
To: Mike Kraus (mikraus); Cisco certification
Subject: Re: VACL - two methods...
Mike,
With your second configuration you are denying ARP (ethertype 0x806) in
the last action. Your ACL is permitting IP but ARP doesn't use the same
ethertype as IP so it's not matching the ACL. This means that ARP is
falling through to the next VLAN access-map statement and being dropped.
Remember that if you already have an ARP entry you won't immediately
notice the problem.
When working in the CCIE lab also try to deny the traffic you don't want
and permit the rest. You are less likely to run into problems as
opposed to permitting what you want and denying the rest.
--
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
On 6/11/07 1:57 PM, "Mike Kraus (mikraus)" <mikraus@cisco.com> wrote:
> Hi all!
>
> Assume I am trying to prohibit DHCP within a given VLAN.
>
> If I use this configuration, it all seems to work fine:
>
> access-list 101 permit udp any eq bootpc any eq bootps
> vlan access-map test1 10
> action drop
> match ip address 101
> vlan access-map test1 20
> action forward
> vlan filter test1 vlan-list 11
>
> However, if I reverse the logic, I seem to lose all IP connectivity:
>
> access-list 102 deny udp any eq bootpc any eq bootps
> access-list 102 permit ip any any
> vlan access-map test2 10
> action forward
> match ip address 102
> vlan access-map test2 20
> action drop
> vlan filter test2 vlan-list 12
>
> I do not see why the second configuration does not do the exact same
> thing as the first. Can someone clarify?
>
> Thanks,
> Mike
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
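As an added illustration of Brian's point (not configuration from either poster), this is Mike's second access-map with an explicit forward clause for ARP (ethertype 0x806) ahead of the final drop, so that only DHCP falls through to it. The MAC ACL name ARP-ONLY and the sequence numbers are my own choices; a MAC ACL clause in a VLAN map is evaluated against non-IP frames, which is what ARP is here.

```text
! Assumed: same ACL 102 as in Mike's post
access-list 102 deny udp any eq bootpc any eq bootps
access-list 102 permit ip any any
!
! Added: MAC ACL that matches only ARP frames (ethertype 0x806, mask 0x0)
mac access-list extended ARP-ONLY
 permit any any 0x806 0x0
!
vlan access-map test2 10
 action forward
 match ip address 102
! ARP never matches an IP ACL, so forward it here by ethertype
vlan access-map test2 20
 action forward
 match mac address ARP-ONLY
! Only traffic matched by neither clause (the DHCP exchange) reaches the drop
vlan access-map test2 30
 action drop
!
vlan filter test2 vlan-list 12
```

The first configuration in Mike's post already follows Brian's lab advice (deny the unwanted traffic, forward everything else) and needs no ARP clause, since nothing that fails to match the DHCP entry is dropped.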
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:48 ART