VACLs lab

Hi guys,

Re Cisco lab manual for SWITCH - Lab 6-3

They ask "Configure the network so that the temporary staff host cannot access the rest of the staff VLAN, yet still beable to use the default gateway of the staff subnet to connect to the rest of the network and the ISP."

Based on the provided configuration my host wasn't able to ping 172.16.100.1 (gateway) until I added this line to the top of the temp-host ACL:

5 deny ip host 172.16.100.150 host 172.16.100.1

The question's configuration is:

DLS1(config)# ip access-list extended temp-host
DLS1(config-ext-nacl)# permit ip host 172.16.100.150 172.16.100.0 0.0.0.255

DLS1(config)# vlan access-map block-temp 10
DLS1(config-access-map)# match ip address temp-host
DLS1(config-access-map)# action drop
DLS1(config-access-map)# vlan access-map block-temp 20
DLS1(config-access-map)# action forward
DLS1(config-access-map)# exit

DLS1(config)# vlan filter block-temp vlan-list 100

This config alone blocks all ip traffic from 172.16.100.150. When I add sequence 5 it works.

Did I miss something or did they miss what I later added? (Full question attached)Attachment not found.

VACLs.pdf

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Nate--IRL--

I'll not pretend to have given VACLs any lab time, but isn't this a case of Double negatives with ACLs?

By denying with "5 deny ip host 172.16.100.150 host 172.16.100.1" from the "vlan access-map block-temp 10" block action, you are actually allowing it.

"vlan access-map block-temp 20" does nothing because without "5 deny....." the ip 172.16.100.150 is caught in the "temp-host" access list and acted upon on in "vlan access-map block-temp 10"

Nate

wave

Yes you're right, I am allowing it. That's the desired behavior and really the only way I can think of using this example to allow the host to access the gateway but no other hosts in the VLAN>

Sequence 20 is necessary because it allows other hosts to communicate with eachother. 172.16.100.150 is the only host that is not allowed to talk to other hosts.

I was just wondering whether there was something about VACLs that allowed a host to always speak to the VLAN interface associated with the particular VLAN, but I'm thinking that the lab manual was just missing a line like my sequence 5.

Nate--IRL--

I apologise - I should have looked at the pdf in your OP, before analysing your config. Yes it does in fact look like a missing line from the lab manual, it is the same in the manual I have too.

However there are usually many ways of doing things - I'd be interested in other solutions too.

Nate

wave

Nate--IRL-- wrote: »

I apologise - I should have looked at the pdf in your OP, before analysing your config. Yes it does in fact look like a missing line from the lab manual, it is that same in the manual I have too.

Nate

Thanks Nate! Thought so.