FW: Vlan access-map

From: Djerk Geurts (djerk@djerk.nl)
Date: Tue Jul 24 2007 - 18:58:21 ART

• Next message: Djerk Geurts: "RE: Is show int | inc notconnect a reliable way to find"
• Previous message: Colin McNamara: "RE: CCIE Number Association"
• Maybe in reply to: Djerk Geurts: "Vlan access-map"
• Next in thread: Djerk Geurts: "FW: FW: Vlan access-map"
• Maybe reply: Djerk Geurts: "FW: FW: Vlan access-map"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Sean,

Agreed, a L2 switch can not read any L3 information. About the DNS etc...
Very good to ask the proctor indeed, DHCP might be another good addition to
the list of things to allow. I'd typically be looking for other indications
(read other tasks) of what might be blocked by such a restrictive statement.

According to the R&S lab blueprint the switches are 3550 and 3560 with both
of them 'EMI' (routing) software. Anyone out there who can tell me in a
nutshell the differences between IP Services and Adv IP services on the 3550
and 3560?

Djerk

> -----Original Message-----
> From: Sean.Zimmerman@clubcorp.com
> [mailto:Sean.Zimmerman@clubcorp.com]
> Sent: dinsdag 24 juli 2007 23:36
> To: Djerk Geurts
> Subject: Re: Vlan access-map
>
>
> AFAIK, an interface ACL on a cat L2 interface only applies to
> non-IP traffic.
>
> You also might consider including ARP, DNS, etc. in your
> VACL. No point in permitting HTTP if you can't resolve
> anything (name -> IP, IP -> MAC). A good question for the proctor.
>
> Sean Zimmerman, CCIE #18225
>
>
>
>
> "Djerk Geurts" <djerk@djerk.nl>
> Sent by: nobody@groupstudy.com
>
> 07/24/2007 03:14 PM
> Please respond to
> "Djerk Geurts" <djerk@djerk.nl>
>
> To
> "'Cisco certification'" <ccielab@groupstudy.com>
> cc
> Subject
> Vlan access-map
>
>
>
>
>
>
> Hi everyone,
>
> Just going over my notes and was reminded of the following config:
>
> Allow only http on a VLAN
>
> vlan access-map only-http 10
> action forward
> match ip address http
> !
> ip access-list extended http
> permit tcp any any eq www
> !
> vlan filter only-http vlan-list 11
>
>
> Now is this the best way to apply an ACL to a vlan or should
> an interface
> ACL be used. In my head I'd say the above if L3 inspection of
> a L2 vlan is
> the objective. This as one can apply the ACL to the vlan
> without applying it
> to a vlan interface which imho is L3 (bar bridging and MPLS
> configurations).
>
> Is my recap correct?
>
> --
> Djerk
> www.djerk.nl
>
> ______________________________________________________________
> _________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Djerk Geurts: "RE: Is show int | inc notconnect a reliable way to find"
• Previous message: Colin McNamara: "RE: CCIE Number Association"
• Maybe in reply to: Djerk Geurts: "Vlan access-map"
• Next in thread: Djerk Geurts: "FW: FW: Vlan access-map"
• Maybe reply: Djerk Geurts: "FW: FW: Vlan access-map"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART