network cisco ccna gns3 certification arteq

a network runs through it

Tuesday, July 3, 2012

vlan access-map

 good...


Extended IP access list no_telnet
    10 permit tcp host 192.168.100.10 192.168.100.0 0.0.0.255 eq telnet (3 estimate matches)


dls1(config)#vlan access-map stop
dls1(config-access-map)#action drop
dls1(config-access-map)#match ip add no_telnet
dls1(config-access-map)#vlan access-map stop
dls1(config-access-map)#action forward
dls1(config-access-map)#exit
dls1(config)#vlan filter stop vlan-list 100

this works to block telnet for host 192.168.100.10 to vlan 100...

let's examine this thing... access-maps are counterintuitive. create the access list to permit first so then you can filter it with the vlan map using various criteria. it's ass backwards, but works... the consensus here is that if you can get these, route maps make complete sense...

no_telnet is just the name of the access list that describes the traffic to be acted upon... basic extended ACL stuff and easier because it's permit... no thinking...

instead of access-list there is access-map for the vlan... in the example above stop is just the name of the access map... call it poop, whatever, doesn't matter... the action in this case is to drop, and then we match the ip traffic defined in the access-list we called no_telnet, so the drop action is performed on whatever that acl permits...

we then add a second clause to stop with action forward, which is the default action if one is not specified, and since we don't match an access list to it, it will forward everything not defined by the acl...

then assign the vlan (vlan 100 in this case) to filter using stop, which is our access map...
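to make the permit-selects, map-acts logic concrete, here's an added python model of the first example (mine, not from the post and not IOS code): the acl only decides whether a map entry matches, and the trailing forward clause is what keeps non-telnet traffic flowing, because a map with an ip match clause drops anything that matches no entry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the post's config. A packet is (proto, src_ip, dst_ip, dst_port).
Packet = tuple

@dataclass
class Ace:
    """One extended-ACL line. 'host X' is X/32; wildcard 0.0.0.255 is /24."""
    permit: bool
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        proto, src, dst, dport = pkt
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching ACE wins; an ACL ends with an implicit deny.
    Inside a VLAN map 'permit' only means 'this entry matches', not 'forward'."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False

def vacl_action(access_map: list, acls: dict, pkt: Packet) -> str:
    """access_map is an ordered list of (action, acl_name); acl_name None = match anything.
    When the map has an ip match clause and nothing matches, the packet is dropped."""
    for action, acl_name in access_map:
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action
    return "drop"

# ip access-list extended no_telnet: permit tcp host 192.168.100.10 192.168.100.0 0.0.0.255 eq telnet
ACLS = {"no_telnet": [Ace(True, "tcp", "192.168.100.10/32", "192.168.100.0/24", 23)]}
# vlan access-map stop: seq 10 action drop / match ip address no_telnet; seq 20 action forward
STOP = [("drop", "no_telnet"), ("forward", None)]
STOP_WITHOUT_CATCHALL = [("drop", "no_telnet")]   # same map with the forward clause left out

def filter_vlan100(pkt: Packet, access_map=STOP) -> str:
    return vacl_action(access_map, ACLS, pkt)

if __name__ == "__main__":
    telnet = ("tcp", "192.168.100.10", "192.168.100.20", 23)
    ssh = ("tcp", "192.168.100.10", "192.168.100.20", 22)
    print(filter_vlan100(telnet), filter_vlan100(ssh), filter_vlan100(ssh, STOP_WITHOUT_CATCHALL))
```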

here's another:

dls1(config)#ip access-list extended NO
dls1(config-ext-nacl)#permit ip host 192.168.1.10 host 192.168.1.100

dls1(config)#vlan access-map YES
dls1(config-access-map)#action drop
dls1(config-access-map)#match ip address NO
dls1(config-access-map)#vlan access-map YES
dls1(config-access-map)#action forward
dls1(config-access-map)#exit
dls1(config)#vlan filter YES vlan-list 200
dls1(config)#

see below, vlan 200 cannot be pinged by the host


arteq@bo:~$ ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_req=1 ttl=63 time=1.24 ms

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.567 ms
64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.592 ms
64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.562 ms


arteq@bo:~$ ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.