vlan access-map config trouble please help

esswok

hi

I just cant seem to get these commands correct, and wonder if someone could post an example of a correct config; or suggest my error.

This is my specific area of trouble, but this may not be limited to an upstream confi error right.

this example can be found on page 399 Cisco press

sw1(config)#ip access-list extended local-17
sw1(config-acl)#permit ip host 192.168.99.17 192.168.99.0 0.0.0.255
sw1(config-acl)#exit
sw1(config)#vlan access-map block-17 10

^^^^^this is were I always get an error message^^^^^

sw1(config-access-map)#<<<(never goes into this config mode)

sw1(config-access-map)#


I am using a 2950/24 for practice, Ios v12.2

thanks for reading

pitviper

Is the command available on the 2950?

What do you see when you type the following:

sw1(config)#vlan ?

pitviper

Doesn't look like it's supported (possibly not at all on L2 only switches) - Some examples from 3 different platforms:

2950(config)#vlan >?
WORD

2960(config)#vlan ?
WORD ISL VLAN IDs 1-4094
internal internal VLAN

3560(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-map Create vlan access-map or enter vlan access-map command mode
dot1q dot1q parameters
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN

BroadcastStorm

pitviper wrote: »

Doesn't look like it's supported (possibly not at all on L2 only switches) - Some examples from 3 different platforms:

2950(config)#vlan >?
WORD

2960(config)#vlan ?
WORD ISL VLAN IDs 1-4094
internal internal VLAN

3560(config)#vlan ?
WORD ISL VLAN IDs 1-4094
access-map Create vlan access-map or enter vlan access-map command mode
dot1q dot1q parameters
filter Apply a VLAN Map
group Create a vlan group
internal internal VLAN

VACL's is only supported on Multi Layer Switches MLS, the technology was derived from a 6500, it looks like it's best used to redirect traffic on a SPAN port that is connected to a sniffer/security medium.

ConstantlyLearning

BroadcastStorm wrote: »

VACL's is only supported on Multi Layer Switches MLS, the technology was derived from a 6500, it looks like it's best used to redirect traffic on a SPAN port that is connected to a sniffer/security medium.

hmm, I'd be of the opinion that it's best/most used to control traffic flow within a VLAN. Although I'm open to correction. I doubt people do much more with SPAN/RSPAN traffic than just configuring the source and destination ports as part of the SPAN/RSPAN configuration.

BroadcastStorm

ConstantlyLearning wrote: »

hmm, I'd be of the opinion that it's best/most used to control traffic flow within a VLAN. Although I'm open to correction. I doubt people do much more with SPAN/RSPAN traffic than just configuring the source and destination ports as part of the SPAN/RSPAN configuration.

Yes VACL is made for VLAN traffic flow control, my point was I really never seen this implemented on most networks.

I'll try to recall and check which resource I got this from but it tells about VACL on 6500 switch redirecting VLAN traffic to an IDS/IPS device, I'll let people with experience chime in more on this.

BroadcastStorm

ConstantlyLearning wrote: »

hmm, I'd be of the opinion that it's best/most used to control traffic flow within a VLAN. Although I'm open to correction. I doubt people do much more with SPAN/RSPAN traffic than just configuring the source and destination ports as part of the SPAN/RSPAN configuration.

Check the links below, they used VACL's on the RSPAN configuration.

SPAN-RSPAN Across multiple switches (7th Response) - Toolbox for IT Groups

http://netqos.wikispaces.com/RSPAN