Re: FW: FW: Vlan access-map

From: Derek Pocoroba (dpocoroba@gmail.com)
Date: Wed Jul 25 2007 - 19:24:15 ART


Ben brings up a good point about other IP traffic being implicitly denied. I
always assumed everything was implicitly permitted no matter what.

Here is a note from the DocCD:

If the VLAN map has a match clause for the type of packet (IP or MAC) and
the packet does not match the type, the default is to drop the packet. If
there is no match clause in the VLAN map for that type of packet, and no
action specified, the packet is forwarded.

This was also verified with some basic testing:
======================
Rack1R1#pi 10.10.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.13.3, timeout is 2 seconds:
.....

Rack1R1#tel 10.10.13.3
Trying 10.10.13.3 ...
% Connection timed out; remote host not responding

Rack1R1#tel 10.10.13.3 80
Trying 10.10.13.3, 80 ...
% Connection timed out; remote host not responding

Rack1R1#

==============================
Rack1SW1#
!
vlan access-map VACL 10
 action drop
 match ip address 101
vlan filter VACL vlan-list 1
!
access-list 101 permit tcp any any eq telnet
!
================================

Rack1SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1SW1(config)#no vlan filter VACL vlan-list 1
Rack1SW1(config)#vlan access-map VACL 20
Rack1SW1(config-access-map)#exi
Rack1SW1(config)# vlan filter VACL vlan-list 1
Rack1SW1(config)#
term_serv>1
[Resuming connection 1 to r1 ... ]

Rack1R1#tel 10.10.13.3
Trying 10.10.13.3 ...
% Connection timed out; remote host not responding

Rack1R1#tel 10.10.13.3 80
Trying 10.10.13.3, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 01 Mar 1993 01:46:28 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 10.10.13.3 closed by foreign host]
Rack1R1#ping 10.10.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Rack1R1#

On 7/25/07, Djerk Geurts <djerk@djerk.nl> wrote:
>
> Ben,
>
> > A couple of points I would like to share on vlan maps:
> >
> > 1. In the first post, the action on http traffic was to
> > forward. I'm therefore inclined to agree with Branson that
> > you also need to permit the return traffic in the acl. If the
> > action had been to drop, then the acl as it stands would be
> > fine. This is my understanding, but perhaps I missed something.
>
> Come to think of it I think you're right.
>
> > 2. When you have any IP ACL being matched by a vlan map, then
> > the default action for all other IP traffic becomes drop.
> > Since the example given had an IP ACL, this rule will
> > therefore apply. Additionally, since there was no MAC ACL
> > matched in the vlan map, the default action for non-ip
> > traffic will be to forward. ARP will therefore not be
> > broken, but name resolution (DNS) and address assignment
> > (DHCP), if they are part of the traffic profile, will need to
> > be explicitly matched in an ACL, and configured to be forwarded.
>
> Right, I need to find some documentation on this on CCO as I want to know
> for sure now... Will be back to post my findings.
>
> Djerk
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
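
The DocCD rule quoted above and the two lab tests (sequence 10 alone, then with an empty sequence 20 added) as an added example that is not part of the original post or of any Cisco code: a small Python simulator of VLAN access-map matching. All names (Ace, Acl, MapEntry, evaluate, verdicts) and the sample packets are my own constructions; the model simplifies real VACLs by matching only protocol and ports in IP ACEs and by treating any MAC clause as matching every non-IP frame. It also carries through Ben's first point, that a forward action matching only "tcp any any eq www" drops the HTTP replies.

```python
"""Added example: simulator of Catalyst VLAN access-map (VACL) matching
semantics, built to reproduce the behaviour shown in the thread.
Not Cisco code; packets, ACLs and names are constructed test data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Ace:
    """One access-list entry. In a VACL, a 'permit' ACE means the packet
    matches the clause; a 'deny' ACE means it does not (it is not dropped)."""
    permit: bool
    proto: str                      # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None     # 'eq <port>' on the destination
    sport: Optional[int] = None     # 'eq <port>' on the source

    def hits(self, pkt: Dict) -> bool:
        if pkt["type"] != "ip":
            return False
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        return True


@dataclass
class Acl:
    aces: List[Ace]

    def matches(self, pkt: Dict) -> bool:
        for ace in self.aces:
            if ace.hits(pkt):
                return ace.permit
        return False                # implicit deny at the end = no match


@dataclass
class MapEntry:
    """'vlan access-map NAME SEQ' with optional 'match ip address' /
    'match mac address' and an 'action' (default forward)."""
    seq: int
    action: str = "forward"
    match_ip: Optional[Acl] = None
    match_mac: Optional[Acl] = None  # assumption: any MAC clause matches all non-IP


def evaluate(entries: List[MapEntry], pkt: Dict) -> str:
    """Return 'forward' or 'drop' for one packet, following the DocCD rule:
    sequences are checked in order; an entry with no match clause matches
    everything; a packet whose type (IP or MAC) has a match clause somewhere
    in the map but matched no entry is dropped; otherwise it is forwarded."""
    is_ip = pkt["type"] == "ip"
    for e in sorted(entries, key=lambda e: e.seq):
        if e.match_ip is None and e.match_mac is None:
            return e.action         # no match clause: applies to all packets
        if is_ip and e.match_ip is not None and e.match_ip.matches(pkt):
            return e.action
        if not is_ip and e.match_mac is not None:
            return e.action
    if is_ip and any(e.match_ip is not None for e in entries):
        return "drop"               # implicit deny for the IP packet type
    if not is_ip and any(e.match_mac is not None for e in entries):
        return "drop"
    return "forward"


# Constructed sample traffic, mirroring what R1 sent in the thread.
PACKETS = {
    "telnet":       {"type": "ip", "proto": "tcp", "sport": 40001, "dport": 23},
    "http_request": {"type": "ip", "proto": "tcp", "sport": 40002, "dport": 80},
    "http_reply":   {"type": "ip", "proto": "tcp", "sport": 80, "dport": 40002},
    "ping":         {"type": "ip", "proto": "icmp"},
    "arp":          {"type": "mac", "ethertype": 0x0806},
}

ACL_101 = Acl([Ace(True, "tcp", dport=23)])   # access-list 101 permit tcp any any eq telnet


def vacl_seq10_only() -> List[MapEntry]:
    """vlan access-map VACL 10 / action drop / match ip address 101"""
    return [MapEntry(10, "drop", match_ip=ACL_101)]


def vacl_with_empty_seq20() -> List[MapEntry]:
    """Same map plus 'vlan access-map VACL 20' with no match and no action."""
    return vacl_seq10_only() + [MapEntry(20)]


def vacl_forward_http_only() -> List[MapEntry]:
    """Ben's point 1: forwarding only 'permit tcp any any eq www' loses the replies."""
    return [MapEntry(10, "forward", match_ip=Acl([Ace(True, "tcp", dport=80)]))]


def verdicts(entries: List[MapEntry]) -> Dict[str, str]:
    return {name: evaluate(entries, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, vmap in (("seq 10 only", vacl_seq10_only()),
                        ("seq 10 + empty seq 20", vacl_with_empty_seq20()),
                        ("forward http only", vacl_forward_http_only())):
        print(f"{label}: {verdicts(vmap)}")
```

With sequence 10 alone every IP packet is dropped (telnet by the map, ping and HTTP by the implicit deny) while ARP is still forwarded, which is what the first test shows; adding the empty sequence 20 leaves only telnet dropped, which is what the second test shows.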



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:42 ART