VACLs lab

wavewave Member Posts: 342
Hi guys,

Re Cisco lab manual for SWITCH - Lab 6-3

They ask "Configure the network so that the temporary staff host cannot access the rest of the staff VLAN, yet still be able to use the default gateway of the staff subnet to connect to the rest of the network and the ISP."

Based on the provided configuration my host wasn't able to ping 172.16.100.1 (gateway) until I added this line to the top of the temp-host ACL:

5 deny ip host 172.16.100.150 host 172.16.100.1

The question's configuration is:

DLS1(config)# ip access-list extended temp-host
DLS1(config-ext-nacl)# permit ip host 172.16.100.150 172.16.100.0 0.0.0.255

DLS1(config)# vlan access-map block-temp 10
DLS1(config-access-map)# match ip address temp-host
DLS1(config-access-map)# action drop
DLS1(config-access-map)# vlan access-map block-temp 20
DLS1(config-access-map)# action forward
DLS1(config-access-map)# exit

DLS1(config)# vlan filter block-temp vlan-list 100

This config alone blocks all ip traffic from 172.16.100.150. When I add sequence 5 it works.

Did I miss something or did they miss what I later added? (Full question attached: VACLs.pdf)

ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP

Comments

  • Nate--IRL-- Member Posts: 103
    I'll not pretend to have given VACLs any lab time, but isn't this a case of Double negatives with ACLs?

    By denying with "5 deny ip host 172.16.100.150 host 172.16.100.1" from the "vlan access-map block-temp 10" block action, you are actually allowing it.

    "vlan access-map block-temp 20" does nothing because without "5 deny....." the ip 172.16.100.150 is caught in the "temp-host" access list and acted upon in "vlan access-map block-temp 10"

    Nate
  • wavewave Member Posts: 342
    Yes you're right, I am allowing it. That's the desired behavior and really the only way I can think of using this example to allow the host to access the gateway but no other hosts in the VLAN.

    Sequence 20 is necessary because it allows other hosts to communicate with each other. 172.16.100.150 is the only host that is not allowed to talk to other hosts.

    I was just wondering whether there was something about VACLs that allowed a host to always speak to the VLAN interface associated with the particular VLAN, but I'm thinking that the lab manual was just missing a line like my sequence 5.

  • Nate--IRL-- Member Posts: 103
    I apologise - I should have looked at the pdf in your OP, before analysing your config. Yes it does in fact look like a missing line from the lab manual, it is the same in the manual I have too.

    However there are usually many ways of doing things - I'd be interested in other solutions too.

    Nate
  • wavewave Member Posts: 342
    I apologise - I should have looked at the pdf in your OP, before analysing your config. Yes it does in fact look like a missing line from the lab manual, it is the same in the manual I have too.

    Nate

    Thanks Nate! Thought so.

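
The evaluation rule discussed in this thread, modelled in Python as an added example (not code from the posters or the lab manual). It assumes a simplified VACL model: IP source/destination matching only, a `deny` in the matched ACL meaning "this sequence does not apply, try the next one", and an implicit drop when no sequence applies. The staff addresses 172.16.100.20 and 172.16.100.21 are constructed for illustration.

```python
import ipaddress

def acl_permits(acl, src, dst):
    """First-match ACL evaluation; True only when the first hit is a permit."""
    for action, src_net, dst_net in acl:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            return action == "permit"
    return False  # implicit deny: no entry matched

def vacl_action(access_map, src, dst):
    """Walk map sequences in order; a sequence applies only if its ACL permits."""
    for seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src, dst):  # no match clause = match all
            return seq, action
    return None, "drop"  # assumption: implicit drop when nothing matched

TEMP, GW = "172.16.100.150", "172.16.100.1"
STAFF, STAFF2 = "172.16.100.20", "172.16.100.21"  # constructed staff hosts

# temp-host ACL exactly as quoted from the lab manual
manual_acl = [("permit", "172.16.100.150/32", "172.16.100.0/24")]
# the same ACL with the poster's sequence 5 placed ahead of it
fixed_acl = [("deny", "172.16.100.150/32", "172.16.100.1/32")] + manual_acl

def block_temp(acl, with_seq_20=True):
    """Build the block-temp access map: seq 10 drops ACL matches, seq 20 forwards."""
    entries = [(10, acl, "drop")]
    if with_seq_20:
        entries.append((20, None, "forward"))
    return entries

if __name__ == "__main__":
    cases = [("manual", block_temp(manual_acl)),
             ("with seq 5", block_temp(fixed_acl)),
             ("seq 5, no seq 20", block_temp(fixed_acl, with_seq_20=False))]
    for name, vmap in cases:
        for src, dst in ((TEMP, GW), (TEMP, STAFF), (STAFF, STAFF2)):
            print(f"{name:17} {src} -> {dst}: {vacl_action(vmap, src, dst)}")
```

The output shows the temporary host reaching the gateway only once the deny entry pushes that flow past sequence 10, and staff-to-staff traffic being dropped if sequence 20 is left out.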