Tuesday, July 3, 2012

vlan access-map


 Extended IP access list no_telnet
    10 permit tcp host eq telnet (3 estimate matches)

dls1(config)#vlan access-map stop
dls1(config-access-map)#action drop
dls1(config-access-map)#match ip add no_telnet
dls1(config-access-map)#vlan access-map stop
dls1(config-access-map)#action forward
dls1(config)#vlan filter stop vlan-list 100

this works to block telnet from the host to vlan 100...

let's examine this thing... access-maps are counterintuitive. you create the access list with a permit first, and then filter it with the vlan map using various criteria; in a vacl the permit only means "this is the traffic we're talking about", and the access-map decides what actually happens to it. it's ass backwards, but it works... the consensus here is that if you can get these, route maps make complete sense...

no_telnet is just a name for the acl that identifies the ip traffic that will be acted upon... basic RACL stuff, and easier because it's all permit statements... no thinking...

instead of access-list there is access-map for the vlan... in the example above stop is the name of the access map... call it poop, whatever, it doesn't matter... the action in the first entry is drop, and then we match the ip traffic defined in the access-list we called no_telnet, so the drop action is performed on it...

we then re-enter stop and add a second entry with action forward; forward is the default action if one is not specified, and since we don't match an access list to this entry, it will forward everything not matched by the acl...

then assign the vlan (vlan 100 in this case) to be filtered using stop, which is our access map...
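To make the "permit means match, the map decides" logic concrete, here is a small Python model of how a VLAN access-map evaluates a packet (an added example, not IOS code or the post's own config; the addresses are constructed placeholders since the post's real ones are not shown). It walks the map's sequences in order the way the switch does, covers both the tcp/telnet case above and the plain ip case used for the ping test, and also shows the caveat a practitioner wants to know: if you only enter the drop sequence and forget the forward one, the map's implicit deny drops everything else in the vlan.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of Catalyst VACL evaluation (not IOS code): an ACL
# "permit" only classifies traffic; the access-map sequence decides the action.
PORTS = {"telnet": 23, "ssh": 22, "www": 80}

@dataclass
class Ace:
    proto: str
    src: object          # ip_network
    dst: object          # ip_network
    dport: Optional[int]

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or pkt.get("dport") == self.dport))

def parse_ace(line):
    """Parse an extended ACE like 'permit tcp host A host B eq telnet' (host/any only)."""
    t = line.split()
    assert t[0] == "permit", "only permit entries are meaningful inside a VACL match"
    def addr(i):  # 'host X' -> X/32, 'any' -> 0.0.0.0/0
        return (ip_network("0.0.0.0/0"), i + 1) if t[i] == "any" \
            else (ip_network(t[i + 1] + "/32"), i + 2)
    src, i = addr(2)
    dst, i = addr(i)
    dport = PORTS[t[i + 1]] if i < len(t) and t[i] == "eq" else None
    return Ace(t[1], src, dst, dport)

def evaluate(access_map, pkt):
    """access_map: list of (seq, action, acl-or-None); None matches everything.
    First matching sequence wins; no match at all means the VACL drops the packet."""
    for _seq, action, acl in sorted(access_map, key=lambda e: e[0]):
        if acl is None or any(a.matches(pkt) for a in acl):
            return action
    return "drop"   # implicit deny at the end of every VLAN access-map

# Constructed addresses; the post's real ones are not shown.
NO_TELNET = [parse_ace("permit tcp host 10.0.1.10 host 10.0.100.20 eq telnet")]
STOP = [(10, "drop", NO_TELNET), (20, "forward", None)]   # the post's 'stop' map
STOP_NO_FORWARD = [(10, "drop", NO_TELNET)]              # forgot the forward sequence
TELNET = {"proto": "tcp", "src": "10.0.1.10", "dst": "10.0.100.20", "dport": 23}
SSH = {"proto": "tcp", "src": "10.0.1.10", "dst": "10.0.100.20", "dport": 22}

if __name__ == "__main__":
    print(evaluate(STOP, TELNET), evaluate(STOP, SSH))   # drop forward
    print(evaluate(STOP_NO_FORWARD, SSH))                 # drop: whole vlan blackholed
```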

here's another:

dls1(config)#ip access-list extended NO
dls1(config-ext-nacl)#permit ip host host

dls1(config)#vlan access-map YES
dls1(config-access-map)#action drop
dls1(config-access-map)#match ip address NO
dls1(config-access-map)#vlan access-map YES
dls1(config-access-map)#action forward
dls1(config)#vlan filter YES vlan-list 200

see below: vlan 200 cannot be pinged from the host

arteq@bo:~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=63 time=1.24 ms

PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=64 time=0.567 ms
64 bytes from icmp_req=2 ttl=64 time=0.592 ms
64 bytes from icmp_req=3 ttl=64 time=0.562 ms

arteq@bo:~$ ping
PING ( 56(84) bytes of data.

