mikey250

asked on

vlan access maps query

hi

Question 1. I'm trying to understand VACLs but cannot get my head around them. I've been doing some reading; looking at the example below, can anyone help?


(config)#ip access-list extended local-17
(config-ext-nacl)#permit ip host 192.168.99.17 192.168.99.0 0.0.0.255   - means allow this single host to its own network
(config-ext-nacl)#exit
(config)#vlan access-map block-17 10
(config-access-map)#match ip address local-17   - means match the above IP address
(config-access-map)#action drop   - means drop all traffic from any other IP address except 192.168.99.17
(config-access-map)#vlan access-map block-17 20
(config-access-map)#action forward   - as the keyword is (block) I am not sure what this means, as it states (forward)?
(config-access-map)#exit
(config)#vlan filter block-17 vlan-list 99   - allows the above to happen
ASKER CERTIFIED SOLUTION
Soulja (United States of America)
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

SOLUTION (members only)

SOLUTION (members only)
mikey250 (ASKER)
Hi Soulja,

"The acl that you create is used by the vacl to match traffic that it will act upon"

- Yes, I understand.

"drop means the vacl will drop traffic that it matches in the acl. forward means it will forward traffic that it matches in the acl."

- Apparently (drop) does not mean that, hence the confusion.

"based on your acl, it will match traffic from that host and either drop it or forward it. any other traffic that doesn't get matched is not intercepted by the vacl.
your vacl will actually drop any traffic from the range and pass everything else

the default action for vacls is forward, an implicit forward if you will

your access list is permitting the address to be dropped by the vacl"

- Yes, this confuses me: what is the point of permitting in the ACL and then (drop)ping it?

"i hope that makes sense

if your goal is to permit just that range.
deny the range in the acl instead
add permit any any to the acl
the acl will filter the range from being processed
the vacl therefore will forward that range and drop everything else"

Qn 1. Is there any chance of you explaining my example line by line, assuming it is a good example, so I can gain structure in my mind? I am confused, and apologies for being thick.
SOLUTION (members only)
@Akin

That is a nice analogy. I do, however, have to disagree. All VACLs have an implicit drop action at the end, so traffic that is not matched by the referenced ACL will be dropped. In order to forward the other traffic, another sequence needs to be added to the VACL referencing another ACL that has a permit any and having an action of forward.
SOLUTION (members only)

SOLUTION (members only)
Per Cisco's site:

VLAN Access Map Configuration and Verification Examples

Assume IP-named ACLs net_10 and any_host are defined as follows:

Router# show ip access-lists net_10
Extended IP access list net_10
    permit ip 10.0.0.0 0.255.255.255 any

Router# show ip access-lists any_host
Standard IP access list any_host
    permit any

This example shows how to define and apply a VLAN access map to forward IP packets. In this example, IP traffic matching net_10 is forwarded and all other IP packets are dropped due to the default drop action. The map is applied to VLANs 12 to 16.

Router(config)# vlan access-map thor 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter thor vlan-list 12-16

This example shows how to define and apply a VLAN access map to drop and log IP packets. In this example, IP traffic matching net_10 is dropped and logged and all other IP packets are forwarded:

Router(config)# vlan access-map ganymede 10
Router(config-access-map)# match ip address net_10
Router(config-access-map)# action drop log
Router(config-access-map)# exit
Router(config)# vlan access-map ganymede 20
Router(config-access-map)# match ip address any_host
Router(config-access-map)# action forward
Router(config-access-map)# exit
Router(config)# vlan filter ganymede vlan-list 7-9

You have to add an ACL and a sequence to allow all other traffic, or it will be dropped.
Hi, I have not forgotten about this thread; I'm trying to complete my configs for distribution and access so I can then come back to adding these VACLs.

I'm currently in the process of completing this so I can then add some VACLs.

Appreciated.
Hi atkindsd,

"this will help you when configuring route maps, policy routing. very significant especially with route redistribution and bgp configuration."

You make reference to the above, so, as I have configured in the past (6 routers with RIP, OSPF/redistribution, all having internet access via my 6th router at the ISP), I assume the routing policy in my example below would be created and, if it happened to pass through a switch, a VACL would also need to be created to ensure it points in the direction of the ISP route...

But can you give me an example, as I only understand my own followed example?

Below shows 3 interconnected OSPF routers with a routing policy configured via a route map. This allows a specific host (host a, 192.168.72.2/24) to choose int s0/1 (bandwidth T1-768) temporarily; otherwise, by default, without the route map it would choose the T1-1544 instead:

Topology:

host a - 192.168.72.2/24 - connects to router a, int fa0/0
host b - 192.168.76.2/24 - connects to router a, int fa0/1

router a (master router)

int s0/0 - (bandwidth full T1-1544) connects to router b
int s0/1 - (bandwidth T1-768) connects to router c

Cisco switch:

router b & c - connected via a Cisco switch

host c - 10.0.0.3/24 - connects to Cisco switch int fa0/3
router a

access-list 1 permit 192.168.72.0 0.0.0.255
route-map slow4u permit 10
match ip address 1
set interface serial0/1

int fa0/0
ip policy route-map slow4u
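The two configurations discussed in this thread, the VLAN access-maps (block-17 and Cisco's thor / ganymede) and the slow4u policy route-map, both hinge on the same rule: an ACL referenced by a map does not permit or deny anything by itself, it only decides whether a packet is "matched" (permit) or "not matched" (deny, or the implicit deny at the end), and the map's own action or set clause then says what happens to matched packets. The model below is an added example written for this page, not IOS and not code from anyone in the thread or from Cisco; it reproduces just those documented semantics (first-match ACL, implicit drop at the end of a VLAN access-map, normal routing when no route-map sequence matches) so you can see what each map does to sample packets. Assumptions: only the `permit|deny [ip] <src> [<dst>]` ACL syntax with `any` / `host A` / `A WILDCARD` address specs is parsed, every VLAN access-map sequence is given a `match ip address` clause (block-17's match-less sequence 20 is not modelled), and logging, MAC ACLs and protocol/port matching are ignored.

```python
"""Toy model of Cisco IOS ACL matching as used by VLAN access-maps and route-maps.

Constructed for illustration, not IOS: first-match ACL semantics (permit = matched,
deny = not matched, implicit deny at the end), implicit drop at the end of a VLAN
access-map, and normal routing when no route-map sequence matches.
"""
from ipaddress import IPv4Address
from typing import NamedTuple

ANY = (0, 0xFFFFFFFF)  # address 0.0.0.0 with wildcard 255.255.255.255


class Ace(NamedTuple):
    permit: bool
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _addr_spec(tokens):
    """Consume one IOS address spec and return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))


def parse_ace(line):
    """Parse one ACL entry, extended ('permit ip <src> <dst>') or standard ('permit <src>')."""
    tokens = line.split()
    permit = tokens.pop(0) == "permit"
    if tokens[0] == "ip":          # extended: protocol keyword, then source and destination
        tokens.pop(0)
        src = _addr_spec(tokens)
        dst = _addr_spec(tokens) if tokens else ANY
    else:                          # standard: source only
        src = _addr_spec(tokens)
        dst = ANY
    return Ace(permit, *src, *dst)


def _wild_match(addr, wild, value):
    # Bits set in the wildcard mask are "don't care" bits.
    return (addr | wild) == (value | wild)


def acl_matches(acl, src, dst):
    """First ACE whose addresses fit decides: permit -> matched, deny -> not matched.
    Falling off the end is the implicit deny, i.e. the packet is not matched."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for ace in acl:
        if _wild_match(ace.src, ace.src_wild, s) and _wild_match(ace.dst, ace.dst_wild, d):
            return ace.permit
    return False


def vacl_action(vacl, acls, src, dst):
    """vacl: [(acl_name, action), ...] in sequence order, each with a match clause.
    The lowest-numbered matching sequence decides; a packet that no sequence
    matches hits the implicit drop at the end of the map."""
    for acl_name, action in vacl:
        if acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"


def pbr_egress(route_map, acls, src, dst, routed_iface):
    """route_map: [(acl_name, set_interface), ...] applied with 'ip policy route-map'.
    The first permit sequence whose ACL matches sets the egress interface; anything
    else is routed normally (routed_iface stands for the routing table's choice)."""
    for acl_name, iface in route_map:
        if acl_matches(acls[acl_name], src, dst):
            return iface
    return routed_iface


# ACLs as posted in the thread (names kept).
ACLS = {
    "local-17": [parse_ace("permit ip host 192.168.99.17 192.168.99.0 0.0.0.255")],
    "net_10": [parse_ace("permit ip 10.0.0.0 0.255.255.255 any")],
    "any_host": [parse_ace("permit any")],
    "1": [parse_ace("permit 192.168.72.0 0.0.0.255")],
}
BLOCK_17 = [("local-17", "drop")]                          # block-17 sequence 10 as posted
ONLY_17 = [("local-17", "forward")]                        # same ACL, action forward: host in, rest dropped
THOR = [("net_10", "forward")]                             # Cisco example: net_10 forwarded, rest dropped
GANYMEDE = [("net_10", "drop"), ("any_host", "forward")]   # drop net_10, explicit forward for the rest
SLOW4U = [("1", "Serial0/1")]                              # route-map slow4u permit 10 / set interface s0/1

if __name__ == "__main__":
    samples = [("192.168.99.17", "192.168.99.5"), ("192.168.99.20", "192.168.99.5"), ("10.1.2.3", "172.16.0.1")]
    for name, vacl in [("block-17", BLOCK_17), ("only-17", ONLY_17), ("thor", THOR), ("ganymede", GANYMEDE)]:
        for src, dst in samples:
            print(f"{name:9} {src:>14} -> {dst:<14} {vacl_action(vacl, ACLS, src, dst)}")
    print("slow4u 192.168.72.2 exits via", pbr_egress(SLOW4U, ACLS, "192.168.72.2", "10.0.0.3", "Serial0/0"))
```

Running it shows the point the thread circles around: with block-17 as posted, 192.168.99.17's traffic is dropped by sequence 10 and every other packet is dropped by the implicit drop, so nothing on VLAN 99 passes; the same ACL with `action forward` (only-17) lets that host reach its own subnet and drops everything else; ganymede forwards the rest only because its sequence 20 explicitly matches `any_host`. For the route-map, traffic that `access-list 1` does not match (host b) simply takes the routing table's choice of interface.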
SOLUTION (members only)
Thanks for that URL, I will spend some time reading that!! Appreciated.
Appreciated!!