From: Ben (bmunyao@gmail.com)
Date: Wed Jul 25 2007 - 03:14:03 ART
Sorry Brandon for misspelling your name.
Ben
On 7/25/07, Ben <bmunyao@gmail.com> wrote:
> Hi Everyone
>
> A couple of points I would like to share on vlan maps:
>
> 1. In the first post, the action on http traffic was to forward. I'm
> therefore inclined to agree with Branson that you also need to permit the
> return traffic in the acl. If the action had been to drop, then the acl as
> it stands would be fine. This is my understanding, but perhaps I missed
> something.
>
> 2. When you have any IP ACL being matched by a vlan map, then the default
> action for all other IP traffic becomes drop. Since the example given had an
> IP ACL, this rule will therefore apply. Additionally, since there was no MAC
> ACL matched in the vlan map, the default action for non-ip traffic will be
> to forward. ARP will therefore not be broken, but name resolution (DNS) and
> address assignment (DHCP), if they are part of the traffic profile, will
> need to be explicitly matched in an ACL, and configured to be forwarded.
>
> HTH
> Ben
>
> On 7/25/07, Djerk Geurts <djerk@djerk.nl> wrote:
> >
> > Thank you for the update, I didn't know this and would've assumed
> > similar
> > behaviour as with an IP ACL.
> >
> > Djerk
> >
> > > -----Original Message-----
> > > From: Derek Pocoroba [mailto:dpocoroba@gmail.com]
> > > Sent: Wednesday 25 July 2007 1:04
> > > To: Djerk Geurts
> > > Subject: Re: FW: Vlan access-map
> > >
> > > Djerk,
> > >
> > > Something to just point out about the VLAN access-maps. There
> > > is no implicit deny like there is with an ACL. The implicit
> > > deny would wreak havoc with ARP, Routing, and other things of
> > > that nature.
> > >
> > > In your example you're permitting HTTP as well as all other
> > > traffic (implicit permit).
> > >
> > > to block all the other IP traffic you would need
> > >
> > > vlan access-map VACL 20
> > > action drop
> > > match ip address ALL
> > >
> > > -Derek
> > >
> > >
> > > On 7/24/07, Djerk Geurts <djerk@djerk.nl> wrote:
> > >
> > > Sean,
> > >
> > > Agreed, a L2 switch cannot read any L3 information.
> > > About the DNS etc...
> > > Very good to ask the proctor indeed, DHCP might be another good
> > > addition to the list of things to allow. I'd typically be looking
> > > for other indications (read other tasks) of what might be blocked
> > > by such a restrictive statement.
> > >
> > > According to the R&S lab blueprint the switches are 3550 and 3560,
> > > both of them with 'EMI' (routing) software. Anyone out there who
> > > can tell me in a nutshell the differences between IP Services and
> > > Adv IP Services on the 3550 and 3560?
> > >
> > > Djerk
> > >
> > > > -----Original Message-----
> > > > From: Sean.Zimmerman@clubcorp.com
> > > > [mailto:Sean.Zimmerman@clubcorp.com]
> > > > Sent: Tuesday 24 July 2007 23:36
> > > > To: Djerk Geurts
> > > > Subject: Re: Vlan access-map
> > > >
> > > >
> > > > AFAIK, an interface ACL on a cat L2 interface only applies to
> > > > non-IP traffic.
> > > >
> > > > You also might consider including ARP, DNS, etc. in your
> > > > VACL. No point in permitting HTTP if you can't resolve
> > > > anything (name -> IP, IP -> MAC). A good question for
> > > > the proctor.
> > > >
> > > > Sean Zimmerman, CCIE #18225
> > > >
> > > >
> > > > "Djerk Geurts" <djerk@djerk.nl>
> > > > Sent by: nobody@groupstudy.com
> > > >
> > > > 07/24/2007 03:14 PM
> > > > Please respond to
> > > > "Djerk Geurts" <djerk@djerk.nl>
> > > >
> > > > To
> > > > "'Cisco certification'" <ccielab@groupstudy.com>
> > > > cc
> > > > Subject
> > > > Vlan access-map
> > > >
> > > > Hi everyone,
> > > >
> > > > Just going over my notes and was reminded of the following config:
> > > >
> > > > Allow only http on a VLAN
> > > >
> > > > vlan access-map only-http 10
> > > > action forward
> > > > match ip address http
> > > > !
> > > > ip access-list extended http
> > > > permit tcp any any eq www
> > > > !
> > > > vlan filter only-http vlan-list 11
> > > >
> > > >
> > > > Now is this the best way to apply an ACL to a vlan or should an
> > > > interface ACL be used? In my head I'd say the above if L3 inspection
> > > > of a L2 vlan is the objective. This as one can apply the ACL to the
> > > > vlan without applying it to a vlan interface which imho is L3 (bar
> > > > bridging and MPLS configurations).
> > > >
> > > > Is my recap correct?
> > > >
> > > > --
> > > > Djerk
> > > > www.djerk.nl
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
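An added example, not from any of the posts above, that puts the thread's corrections together on the 3550/3560 config Djerk quoted: the return direction of the HTTP flow, DNS and DHCP are matched explicitly, and a final sequence drops whatever IP traffic remains, as Derek suggested. The ACL names and the use of `any` in place of the real DNS/DHCP server addresses are assumptions; no MAC ACL is matched, so ARP and other non-IP traffic keep the forward default Ben described.

```ios
! Assumed ACL names; replace "any" with the DNS/DHCP server addresses
! once they are known from the task. Only permit entries are used,
! because a VLAN map match clause ignores deny entries in the ACL.
ip access-list extended HTTP-BOTH
 permit tcp any any eq www
 permit tcp any eq www any
!
ip access-list extended INFRA
 permit udp any any eq domain
 permit udp any eq domain any
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
!
ip access-list extended ALL-IP
 permit ip any any
!
! Sequence 10: HTTP requests and the reply traffic (Ben's point 1).
vlan access-map only-http 10
 action forward
 match ip address HTTP-BOTH
! Sequence 20: name resolution and address assignment (Ben's point 2).
vlan access-map only-http 20
 action forward
 match ip address INFRA
! Sequence 30: explicit drop for all remaining IP traffic, so the
! intent is unambiguous whatever the default action turns out to be.
vlan access-map only-http 30
 action drop
 match ip address ALL-IP
!
vlan filter only-http vlan-list 11
```

Verify on the box with `show vlan access-map only-http` and `show vlan filter`, and confirm from a host in VLAN 11 that a DNS lookup and a DHCP renew still succeed before checking that non-HTTP TCP is dropped.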
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART