I read this over on GroupStudy, and I thought it was a really good example of why, in the CCIE lab, we should try to deny the traffic we don't want and permit the rest. You will probably run into a lot less trouble. This goes against the usual security advice of permitting what you want and denying everything else, but this is the Cisco CCIE lab; it's not meant to be a collection of best practices (quite the contrary sometimes!)
Anyway, the problem was this: assume you are trying to prohibit DHCP within a given VLAN.
We could configure it with:
access-list 101 permit udp any eq bootpc any eq bootps
vlan access-map test1 10
action drop
match ip address 101
vlan access-map test1 20
action forward
vlan filter test1 vlan-list 11
This works by first dropping what we don't want and then permitting everything else. But if we reverse the logic (i.e. permit IP traffic, with bootp denied inside the ACL, then drop the rest) with:
access-list 102 deny udp any eq bootpc any eq bootps
access-list 102 permit ip any any
vlan access-map test2 10
action forward
match ip address 102
vlan access-map test2 20
action drop
vlan filter test2 vlan-list 12
This will not work. Why? It seems logical. But what about ARP? ARP is not IP, so it can never match access-list 102 in the first entry; instead it is matched by the second entry of the VLAN access-map (EtherType 0x806), whose action is drop. So unless we have some static ARP entries, or the entries have already been cached, we are in trouble.
Great example of VLAN access-map logic.
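To make the fall-through behaviour concrete, here is a small Python model of how the two access-maps above are evaluated (an added illustration for this post, not Cisco code). It assumes the usual VACL semantics: entries are tried in sequence order, an IP ACL can only match IP frames, an ACL deny (or the implicit deny at the end of the ACL) means the map entry does not match and evaluation falls through, and an entry with no match clause matches everything.

```python
# Toy model of Catalyst VLAN access-map (VACL) evaluation, added for this post
# as an illustration; it is not Cisco code. Assumed semantics: map entries are
# tried in sequence order and the first entry that matches decides the action;
# an IP ACL can only match IP frames; an ACL "deny" (or the implicit deny at
# the end of the ACL) means the map entry does NOT match, so evaluation falls
# through to the next entry; an entry with no match clause matches everything.
IPV4, ARP = 0x0800, 0x0806

# ACE: (action, proto, src_port, dst_port); None means "any"
def acl_permits(acl, frame):
    """True only if the first ACE that matches the frame is a permit."""
    ethertype, proto, sport, dport = frame
    if ethertype != IPV4:          # ARP etc. never match an IP ACL
        return False
    for action, aproto, asport, adport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action == "permit"
    return False                   # implicit deny at end of ACL

# map entry: (action, acl); acl=None means no match clause (matches all)
def vacl_action(access_map, frame):
    for action, acl in access_map:
        if acl is None or acl_permits(acl, frame):
            return action
    return "drop"                  # no entry matched: VACL implicit drop

# The post's two configurations, transcribed
ACL_101 = [("permit", "udp", 68, 67)]               # bootpc -> bootps
TEST1 = [("drop", ACL_101), ("forward", None)]
ACL_102 = [("deny", "udp", 68, 67), ("permit", "ip", None, None)]
TEST2 = [("forward", ACL_102), ("drop", None)]

# Constructed sample frames: (ethertype, proto, sport, dport)
FRAMES = {
    "dhcp discover": (IPV4, "udp", 68, 67),
    "http":          (IPV4, "tcp", 40000, 80),
    "arp request":   (ARP, "", 0, 0),
}

def evaluate(access_map):
    """Map each sample frame name to the action the VACL takes on it."""
    return {name: vacl_action(access_map, f) for name, f in FRAMES.items()}

if __name__ == "__main__":
    for name, amap in (("test1", TEST1), ("test2", TEST2)):
        print(name, evaluate(amap))
```

Running it shows test1 forwarding the ARP request while test2 drops it, exactly the failure described above.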