From: Ben (bmunyao@gmail.com)
Date: Wed Jul 25 2007 - 03:12:50 ART
Hi Everyone
A couple of points I would like to share on vlan maps:
1. In the first post, the action on http traffic was to forward. I'm
therefore inclined to agree with Branson that you also need to permit the
return traffic in the acl. If the action had been to drop, then the acl as
it stands would be fine. This is my understanding, but perhaps I missed
something.
2. When you have any IP ACL being matched by a vlan map, then the default
action for all other IP traffic becomes drop. Since the example given had an
IP ACL, this rule will therefore apply. Additionally, since there was no MAC
ACL matched in the vlan map, the default action for non-ip traffic will be
to forward. ARP will therefore not be broken, but name resolution (DNS) and
address assignment (DHCP), if they are part of the traffic profile, will
need to be explicitly matched in an ACL, and configured to be forwarded.
HTH
Ben
On 7/25/07, Djerk Geurts <djerk@djerk.nl> wrote:
>
> Thank you for the update, I didn't know this and would've assumed similar
> behaviour as with an IP ACL.
>
> Djerk
>
> > -----Original Message-----
> > From: Derek Pocoroba [mailto:dpocoroba@gmail.com]
> > Sent: woensdag 25 juli 2007 1:04
> > To: Djerk Geurts
> > Subject: Re: FW: Vlan access-map
> >
> > Djerk,
> >
> > Something to just point out about the VLAN access-maps. There
> > is no implicit deny like there is with an ACL. The implicit
> > deny would wreak havoc with ARP, Routing, and other things of
> > that nature.
> >
> > In your example you're permitting HTTP as well as all other
> > traffic (implicit permit)
> >
> > to block all the other IP traffic you would need
> >
> > vlan access-map VACL 20
> > action drop
> > match ip add ALL
> >
> > -Derek
> >
> >
> > On 7/24/07, Djerk Geurts <djerk@djerk.nl> wrote:
> >
> > Sean,
> >
> > Agreed, an L2 switch cannot read any L3 information.
> > About the DNS etc...
> > Very good to ask the proctor indeed, DHCP might be another good addition to
> > the list of things to allow. I'd typically be looking for other indications
> > (read other tasks) of what might be blocked by such a restrictive statement.
> >
> > According to the R&S lab blueprint the switches are 3550 and 3560 with both
> > of them 'EMI' (routing) software. Anyone out there who can tell me in a
> > nutshell the differences between IP Services and Adv IP services on the 3550
> > and 3560?
> >
> > Djerk
> >
> > > -----Original Message-----
> > > From: Sean.Zimmerman@clubcorp.com
> > > [mailto:Sean.Zimmerman@clubcorp.com]
> > > Sent: dinsdag 24 juli 2007 23:36
> > > To: Djerk Geurts
> > > Subject: Re: Vlan access-map
> > >
> > >
> > > AFAIK, an interface ACL on a cat L2 interface only applies to
> > > non-IP traffic.
> > >
> > > You also might consider including ARP, DNS, etc. in your
> > > VACL. No point in permitting HTTP if you can't resolve
> > > anything (name -> IP, IP -> MAC). A good question for
> > > the proctor.
> > >
> > > Sean Zimmerman, CCIE #18225
> > >
> > > "Djerk Geurts" <djerk@djerk.nl>
> > > Sent by: nobody@groupstudy.com <mailto:nobody@groupstudy.com>
> > >
> > > 07/24/2007 03:14 PM
> > > Please respond to
> > > "Djerk Geurts" <djerk@djerk.nl>
> > >
> > > To
> > > "'Cisco certification'" <ccielab@groupstudy.com>
> > > cc
> > > Subject
> > > Vlan access-map
> > >
> > > Hi everyone,
> > >
> > > Just going over my notes and was reminded of the
> > > following config:
> > >
> > > Allow only http on a VLAN
> > >
> > > vlan access-map only-http 10
> > > action forward
> > > match ip address http
> > > !
> > > ip access-list extended http
> > > permit tcp any any eq www
> > > !
> > > vlan filter only-http vlan-list 11
> > >
> > >
> > > Now is this the best way to apply an ACL to a vlan or should
> > > an interface ACL be used. In my head I'd say the above if L3 inspection of
> > > a L2 vlan is the objective. This as one can apply the ACL to the vlan
> > > without applying it to a vlan interface which imho is L3 (bar bridging
> > > and MPLS configurations).
> > >
> > > Is my recap correct?
> > >
> > > --
> > > Djerk
> > > www.djerk.nl
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
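Taken together, the thread identifies three things the original "allow only http" map is missing before it behaves as intended: a clause for the HTTP return direction (VLAN maps are stateless, so `permit tcp any any eq www` only matches client-to-server packets), clauses for DNS and DHCP, and an explicit drop for the remaining IP traffic. The configuration below is an added example written for this archive page; it is not the configuration any poster shared. The map name `only-http` and VLAN 11 are carried over from the first post; the ACL names are assumptions chosen for illustration.

```ios
! Added example (not from any poster in this thread): a VLAN map for VLAN 11
! that forwards HTTP in both directions plus DNS and DHCP, and drops all
! other IP traffic. ACL names are illustrative assumptions.
!
! VLAN maps are stateless: each direction of a flow needs its own clause.
ip access-list extended HTTP-BOTH-WAYS
 permit tcp any any eq www
 permit tcp any eq www any
!
! Name resolution and address assignment, both directions.
ip access-list extended NAME-AND-ADDRESS
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
!
! Catch-all used by the final drop clause.
ip access-list extended ALL-IP
 permit ip any any
!
vlan access-map only-http 10
 action forward
 match ip address HTTP-BOTH-WAYS
vlan access-map only-http 20
 action forward
 match ip address NAME-AND-ADDRESS
vlan access-map only-http 30
 action drop
 match ip address ALL-IP
!
! No MAC ACL is matched anywhere in the map, so non-IP frames (ARP included)
! keep the forward default described in the thread.
vlan filter only-http vlan-list 11
```

`show vlan access-map only-http` and `show vlan filter` display the map's clauses and the VLANs it is applied to. The explicit drop in sequence 30 gives the same result under either reading of the default action discussed above (Derek's "no implicit deny" and Ben's "drop once an IP ACL is matched"), and it records the intent in the running configuration instead of relying on implicit behaviour.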
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART