From: Djerk Geurts (djerk@djerk.nl)
Date: Tue Jul 24 2007 - 20:51:49 ART
Thank you for the update, I didn't know this and would've assumed behaviour
similar to that of an IP ACL.
Djerk
> -----Original Message-----
> From: Derek Pocoroba [mailto:dpocoroba@gmail.com]
> Sent: woensdag 25 juli 2007 1:04
> To: Djerk Geurts
> Subject: Re: FW: Vlan access-map
>
> Djerk,
>
> Something to just point out about the VLAN access-maps. There
> is no implicit deny like there is with an ACL. The implicit
> deny would wreak havoc with ARP, Routing, and other things of
> that nature.
>
> In your example you're permitting HTTP as well as all other
> traffic (implicit permit).
>
> To block all the other IP traffic you would need:
>
> vlan access-map VACL 20
>  action drop
>  match ip address ALL
>
> -Derek
>
>
> On 7/24/07, Djerk Geurts <djerk@djerk.nl> wrote:
>
> Sean,
>
> Agreed, an L2 switch cannot read any L3 information. About the DNS etc...
> Very good to ask the proctor indeed, DHCP might be another good addition to
> the list of things to allow. I'd typically be looking for other indications
> (read other tasks) of what might be blocked by such a restrictive statement.
>
> According to the R&S lab blueprint the switches are 3550 and 3560, both of
> them with 'EMI' (routing) software. Anyone out there who can tell me in a
> nutshell the differences between IP Services and Adv IP Services on the 3550
> and 3560?
>
> Djerk
>
> > -----Original Message-----
> > From: Sean.Zimmerman@clubcorp.com
> > [mailto:Sean.Zimmerman@clubcorp.com ]
> > Sent: dinsdag 24 juli 2007 23:36
> > To: Djerk Geurts
> > Subject: Re: Vlan access-map
> >
> >
> > AFAIK, an interface ACL on a cat L2 interface only applies to
> > non-IP traffic.
> >
> > You also might consider including ARP, DNS, etc. in your
> > VACL. No point in permitting HTTP if you can't resolve
> > anything (name -> IP, IP -> MAC). A good question for
> > the proctor.
> >
> > Sean Zimmerman, CCIE #18225
> >
> > "Djerk Geurts" <djerk@djerk.nl>
> > Sent by: nobody@groupstudy.com
> >
> > 07/24/2007 03:14 PM
> > Please respond to
> > "Djerk Geurts" <djerk@djerk.nl>
> >
> > To
> > "'Cisco certification'" <ccielab@groupstudy.com>
> > cc
> > Subject
> > Vlan access-map
> >
> > Hi everyone,
> >
> > Just going over my notes and was reminded of the following config:
> >
> > Allow only http on a VLAN
> >
> > vlan access-map only-http 10
> > action forward
> > match ip address http
> > !
> > ip access-list extended http
> > permit tcp any any eq www
> > !
> > vlan filter only-http vlan-list 11
> >
> >
> > Now is this the best way to apply an ACL to a vlan, or should an interface
> > ACL be used? In my head I'd say the above if L3 inspection of an L2 vlan is
> > the objective. This as one can apply the ACL to the vlan without applying it
> > to a vlan interface, which imho is L3 (bar bridging and MPLS configurations).
> >
> > Is my recap correct?
> >
> > --
> > Djerk
> > www.djerk.nl
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
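The points raised in the thread (no reliance on an end-of-map default, Derek's explicit drop entry, and Sean's reminder that HTTP is useless without DHCP, DNS and ARP) pulled together into one VLAN map. This is an added example and not configuration posted by anyone in the thread. It assumes Catalyst 3550/3560 IOS syntax and VLAN 11 as in the original post; the ACL names and the set of permitted services are assumptions to be adjusted to the task. Two things the example makes visible that the one-entry map in the original post does not: a VLAN map is not directional, it sees every packet switched in the VLAN, so both halves of each TCP/UDP conversation have to be matched, not just the request; and a deny line inside an ACL referenced by a VLAN map does not drop anything, it only means "this entry does not match, try the next entry", so the only thing that ever drops a packet is an entry whose action is drop.

```cisco
! Added example, not from the thread. Assumed: Catalyst 3550/3560 syntax, VLAN 11,
! and that hosts in the VLAN need DHCP, DNS and HTTP. Adjust to the task.
!
! Everything a host is allowed to send or receive. Request and reply are
! listed separately because the VLAN map has no notion of direction.
ip access-list extended VACL-ALLOWED-IP
 remark DHCP: client port bootpc(68) <-> server port bootps(67); discovers come from 0.0.0.0
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 remark DNS over UDP and TCP, both directions
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any any eq domain
 permit tcp any eq domain any
 remark HTTP request and reply
 permit tcp any any eq www
 permit tcp any eq www any
!
! Catch-all used by the drop entry (Derek's ALL list, defined here).
ip access-list extended ALL
 permit ip any any
!
! ARP is not IP, so an IP ACL can never match it; it needs a MAC ACL.
! Assumed: the platform matches ARP by EtherType 0x806 in a MAC ACL. Verify on
! the target switch, EtherType matching in MAC ACLs is platform-specific.
mac access-list extended ARP
 permit any any 0x806 0x0
!
! Entries are evaluated in sequence order; the first matching entry wins.
vlan access-map only-http 10
 action forward
 match ip address VACL-ALLOWED-IP
vlan access-map only-http 20
 action forward
 match mac address ARP
! Explicit drop for every other IP packet, so the result does not depend on
! what the platform does with an IP packet that matched no entry.
vlan access-map only-http 30
 action drop
 match ip address ALL
!
vlan filter only-http vlan-list 11
```

Check the result with `show vlan access-map only-http` (entries and their actions in sequence order) and `show vlan filter` (which VLANs the map is applied to). What happens to a packet that matches no entry at all is the part that differs between platforms and between IP and non-IP traffic, which is exactly why sequence 30 exists: with it, the fate of every IP packet in VLAN 11 is decided by an entry you wrote, and only non-IP traffic other than ARP is left to the platform default.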
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART