VLAN Access Map
Here you will find answers to the VLAN Access Map (VACL) questions.
Quick review:
1. Define a VLAN access map
Switch(config)# vlan access-map map_name [sequence]
2. Configure a match clause:
Switch(config-access-map)# match {ip address | ipx address | mac address} {acl-number | acl-name}
3. Configure an action clause:
Switch(config-access-map)# action {drop | forward | redirect}
4. Apply a map to VLANs:
Switch(config)# vlan filter map_name vlan-list list
To verify the VACL configuration:
Switch# show vlan access-map map_name
Switch# show vlan filter [ access-map map_name | vlan vlan_id ]
An example of VACL:
The following example shows how to define and apply a VLAN access map that forwards packets matching the certprepare_acl access list. All other packets in VLANs 10 to 20 are dropped because of the implicit “deny all” at the end of the access map.
// Define the access list
Router(config)# ip access-list extended certprepare_acl
Router(config-ext-nacl)# permit ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# exit
// Define the VLAN access map
Router(config)# vlan access-map certprepare 10
Router(config-access-map)# match ip address certprepare_acl
Router(config-access-map)# action forward
Router(config-access-map)# exit
// Apply the VACL to VLANs 10 to 20
Router(config)# vlan filter certprepare vlan-list 10-20
Question 1
Refer to the exhibit. Which statement is true?
Router(config)# vlan access-map pass 10
Router(config-access-map)# match ip address ABC
Router(config-access-map)# action forward
Router(config)# vlan filter pass vlan-list 5-10
A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.
Answer: D
Explanation
Each VACL has an implicit “deny all” statement at the end, just like a regular ACL. From the exhibit we learn that the VACL “pass” is applied to VLANs 5 to 10 with “action forward” -> All traffic in VLANs 5-10 that matches access list ABC will be forwarded; all other traffic in VLANs 5 to 10 will be dropped.
Question 2
VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?
A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list
D. Implicit forward feature at start of list.
Answer: A
Explanation
If a VLAN map entry does not contain a match clause, it matches all types of traffic. This question may not be clearly worded; it should be read as “Which of the following actions is taken in a VLAN map when a packet does not match any match clause?”, and the answer is the implicit deny at the end of the list.
Question 3
Refer to the exhibit. What will happen to the traffic within VLAN 14 with a source address of 172.16.10.5?
Switch# show ip access-lists net_10
Extended IP access list net_10
    10 permit ip 10.0.0.0 0.255.255.255 any
Switch# conf t
Switch(config)# vlan access-map thor 10
Switch(config-access-map)# match ip address net_10
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter thor vlan-list 12-16
A. The traffic will be forwarded to the router processor for further processing.
B. The traffic will be dropped.
C. The traffic will be forwarded to the TCAM for further processing.
D. The traffic will be forwarded without further processing.
Answer: B
Explanation
The source address 172.16.10.5 does not match access list net_10, so the packet falls through to the implicit deny at the end of the access map, which behaves like this entry:
vlan access-map thor
 action drop
-> The traffic from 172.16.10.5 is dropped -> B is correct.
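The lookup rules used in the review and in the three questions above (entries are checked in sequence order, an ACL permit counts as a match while a deny or the ACL's implicit deny does not, an entry with no match clause matches everything, and a packet of a type the map has no clause for is forwarded) can be modelled in a few lines. This is an added example, not code from the page or from Cisco IOS; the net_10 access list and the map "thor" are taken from Question 3, while the mac_only placeholder ACL and the sample addresses are constructed.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)       # IOS wildcard mask: set bits are don't-care

# ACL entry: (permit, src, src_wildcard, dst, dst_wildcard); ANY is the 'any' keyword
ANY = ("0.0.0.0", "255.255.255.255")

def acl_matches(acl, src, dst):
    """VACL 'match' = packet hits a permit entry; a deny or the implicit deny = no match."""
    for permit, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return permit
    return False

# Access-map entry: (sequence, action, match); match is ("ip", acl_name) or
# ("mac", acl_name), and an empty tuple means the entry has no match clause.
def vacl_lookup(entries, acls, pkt_type, src, dst):
    """Walk the access-map in sequence order; return 'forward' or 'drop'."""
    saw_clause_for_type = False
    for seq, action, match in sorted(entries):
        if not match:               # no match clause matches all traffic (Question 2)
            return action
        kind, acl_name = match
        if kind != pkt_type:        # a clause for another packet type is skipped
            continue
        saw_clause_for_type = True
        if acl_matches(acls[acl_name], src, dst):
            return action
    # implicit deny at the end for the type the map filters; other types are forwarded
    return "drop" if saw_clause_for_type else "forward"

def page_examples():
    """Question 3's map 'thor' with its net_10 ACL, plus constructed variants."""
    acls = {"net_10": [(True, "10.0.0.0", "0.255.255.255") + ANY],
            "mac_only": []}         # constructed placeholder; MAC ACL contents not modelled
    thor = [(10, "forward", ("ip", "net_10"))]
    return {
        "q3_outside": vacl_lookup(thor, acls, "ip", "172.16.10.5", "10.1.1.1"),
        "q3_inside": vacl_lookup(thor, acls, "ip", "10.2.3.4", "192.0.2.1"),
        "no_match_clause": vacl_lookup([(10, "drop", ())], acls, "ip", "10.2.3.4", "192.0.2.1"),
        "ip_through_mac_map": vacl_lookup([(10, "forward", ("mac", "mac_only"))],
                                          acls, "ip", "172.16.10.5", "10.1.1.1"),
    }
```

Running page_examples() reproduces answer B of Question 3 ("q3_outside" is dropped) while 10.x.x.x sources are forwarded, and shows that an entry without a match clause applies its action to every packet.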

@ certprepare:
The review of commands on top of the page contains an error. The command format for configuring a match clause is:
Switch(config-access-map)# match {ip address | ipx address | mac address} {acl-number | acl-name}
Just pointing this out so that the whole page is accurate.
@AdyM: Yes, thanks for your detection. I updated it!
Thanks a lot!
Was this on the test for anyone recently?
Hi Guys,
Seeing the answer right in front of your eyes before making a selection is annoying. So I grabbed all of the questions on this site and put them into a VCE file to make my life easier. Be sure to check back on the CertPrepare site regularly for updates.
Here is the file: http://www.4shared.com/file/C5hmKPbb/CCNP_642-813_CertPrepare-by_Hu.html
Best of luck !!!
Hi,
What is true about access control on bridged and routed VLAN traffic? (Choose three)
A. Router ACLs can be applied to the input and output directions of a VLAN interface.
B. Bridged ACLs can be applied to the input and output directions of a VLAN interface.
C. Only router ACLs can be applied to a VLAN interface.
D. VLAN maps and router ACLs can be used in combination.
E. VLAN maps can be applied to a VLAN interface.
Ans: ABD
For answers A & D, I can understand, but for answer B, if “Bridged ACLs” refers to VACLs, then they can only be applied to the VLAN, not to an interface (either int fa0/1 or int vlan 10), right? Hence, I am thinking the 3rd choice should be C.
Please help. Thanks.
Hi
B can't be right, since VACLs are not applied to interfaces; I would choose A, C and D.
@dk
B would be correct because you can use standard as well as extended ACLs to filter traffic.
C can't be right because it has the word ONLY; there are other ACLs that can be applied to VLANs.
VLAN maps do not use the specific permit or deny keywords. To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match. A deny in the ACL means no match.
Note If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map for that type of packet, and no action specified, the packet is forwarded.
That means that we need explicit VACL with drop statement at the end of access-map ?
@dk
I guess bridged ACLs are port ACLs, so B is not correct, as those are only applied inbound; in addition, VLAN interfaces are layer 3 and port ACLs are layer 2.
Router ACLs are layer 3 and they may be applied both inbound and outbound, so A is correct.
Also, you can use VACLs alone or a combination of VACLs and ACLs, so D is correct.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SY/configuration/guide/vlan_acls.html#wp1149762
Finally, a VACL is applied globally to one or more listed VLANs and not to a VLAN interface (SVI), which makes C correct but at the same time makes E incorrect.
http://www.cathayschool.com/VACL-Configuration-a577.html
Cannot open the Premium Member link :(
Hi
Can anyone suggest which simulation software you are using for CCNP SWITCH preparation?
This quiz cannot be shown on the current domain.
@NOTIFICATION : The problem has been fixed. Thanks for your detection.
Hello,
Is the question 1 syntax incorrect in the application of the vlan filter:
Router(config)# vlan access-map pass 10
Router(config-access-map)# match ip address ABC
Router(config-access-map)# action forward
Router(config)# vlan filter pass vlan-list 5-10
Should be:
4. Apply a map to VLANs:
Switch(config)# vlan filter %map_name% vlan_list %list%
“Router(config)# vlan filter ABC vlan-list 5-10”
Thanks
Q1 on test today
@bdaboy22,
The map name is “pass”, so the syntax is correct as shown. “ABC” is the name of the ACL that the map refers to.
That is correct. Thanks for the clarification
Nothing from this section in the test today.
HungN – seeing your post in every section is annoying