Home > VLAN Access Map

VLAN Access Map

May 9th, 2014 Go to comments

Here you will find answers to VLAN Access Map (VACL)

Quick review:

1. Define a VLAN access map
Switch(config)# vlan access-map map_name [sequence]

2. Configure a match clause:
Switch(config-access-map)# match {ip address | ipx address | mac address} {acl-number | acl-name}

3. Configure an action clause:
Switch(config-access-map)# action {drop | forward | redirect}

4. Apply a map to VLANs:
Switch(config)# vlan filter map_name vlan_list list

To verify the VACL configuration:
Switch# show vlan access-map map_name
Switch# show vlan filter [ access-map map_name | vlan vlan_id ]

An example of VACL:

The following example show how to define and apply a VLAN access map to forward packets matching certprepare_acl access list. All other packets in VLAN 10 to 20 are dropped due to the implicit “deny all” at the end of the access map.

// Define access list
Router(config)# ip access-list extended certprepare_acl
Router(config-ext-nacl)#permit ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)#exit
————————————————————————————————-
//Define VLAN Access map
Router(config)# vlan access-map certprepare 10
Router(config-access-map)# match ip address certprepare_acl
Router(config-access-map)# action forward
Router(config-access-map)# exit
————————————————————————————————-
//Apply VACL to VLAN 10 to 20
Router(config)# vlan filter certprepare vlan-list 10-20

Question 1

Refer to the exhibit. Which statement is true?

Router(config)# vlan access-map pass 10
Router(config-access-map)# match ip address ABC
Router(config- access-map)# action forward
Router(config)# vlan filter pass vlan-list 5-10

A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.

 

Answer: D

Explanation

Each VACL has an implicit “deny all” statement at the end, just like a regular ACL. From the exhibit we learn the VACL “pass” is applied from VLAN 5 to 10 with “action forward” -> All VLAN traffic in VLANs 5-10 that match ABC access list will be forwarded, other traffic in VLAN 5 to 10 will be dropped.

Question 2

VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?

A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list
D. Implicit forward feature at start of list.

 

Answer: C

Explanation

VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, provided that the access map contains at least one “match” clause.

If you configure like this:
Switch(config)# vlan access-map test
Switch(config-access-map)#match ip address ABC
Switch(config-access-map)#action forward
Switch(config-access-map)#exit

Then all unmatched traffic will be dropped because of an implicit “deny all” at the end of the VACL.

But if there is NOT A MATCH statement, then the default behavior of the VACL is the forward traffic. If you configure like this:
Switch(config)# vlan access-map test
Switch(config-access-map)#exit

Then “show run” you will find an “action forward” automatically placed under the vlan access-map command -> Answer C is correct.

Question 3

Refer to the exhibit. What will happen to the traffic within VLAN 14 with a source address of 172.16.10.5?

Switch# show ip access-lists net_10
Extended IP access list net_10
10 permit ip 10.0.0.0 0.255.255.255 any
Switch# conf t
Switch(config)# vlan access-map thor 10
Switch(config-access-map)# match ip address net_10
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter thor vlan-list 12-16

A. The traffic will be forwarded to the router processor for further processing.
B. The traffic will be dropped.
C. The traffic will be forwarded to the TCAM for further processing.
D. The traffic will be forwarded to without further processing.

 

Answer: B

Explanation

The source address of 172.16.10.5 is not matched with access list net_10. Something like this at the end of the access-map:

vlan access-map thor
action drop

-> The traffic from 172.16.10.5 is dropped -> B is correct.

Question 4

What is the method used to filter traffic being bridged within a VLAN?

A. Ethernet maps
B. Router ACLs
C. VLAN maps
D. IP ACLs

 

Answer: C

Comments
  1. No comments yet.
  1. No trackbacks yet.