Compare cert salaries and plan your next career move
ConstantlyLearning wrote: » Good job. Would have been nice to include a section on the logic of the VACL config. People get confused by the permit/deny statements in the ACL. VACL's may be used in a situation where a company hosts servers for differant companies and has them in the same VLAN but doesn't have switches that support PVLAN's. Port ACL's could be used in the same situation.
notgoing2fail wrote: » Ahh I was going to talk about VACL config but ended up leaving it out. I'll go ahead and revise it, that's something people should know about I agree..... Port ACL's...that's something to look into.....
ConstantlyLearning wrote: » I'm currently testing the best way to implement VACL's at the moment so I'd be happy to hear any thoughts you or anyone else has about them. In relation to disparate customer servers on the same VLAN: 1) Should you configure the VACL to permit traffic to what's needed, then deny traffic to everywhere else within the VLAN and then permit traffic to everywhere else? 2) Should you configure the VACL to deny traffic to all other customer servers and then permit traffic to everywhere else? 3) Should you use PACL's in order to remove the potential of denying all traffic within the VLAN which could happen with VACL's?! I think option 1 is the most scalable. If a new customer is introduced to the VLAN then you only need to permit traffic to what's needed for that customer. With option 2, if a new customer was introduced to the VLAN you would have to add lines to deny traffic from their servers to all other customers servers and from all other customer servers to the new customer. With option 3 you could put an ACL on each interface to permit traffic to where it's needed, deny traffic to everywhere else within the VLAN and permit traffic to everywhere else. I'm not sure if this is as neat as the VACL's. From my testing so far of VACL's though, I've come across the issue of forgetting to add an 'action forward' for all other traffic and locking myself out and denying a tone of traffic!! Are VACL's a bad idea in the first place? Should you be using PVLAN's? Should you be putting disparate customer servers in separate VLAN's and allowing traffic to flow between VLAN's that needs to? I'll put a post up on this thread over the weekend detailing some tests.
notgoing2fail wrote: » I kinda like option 1. But it also seems like PVLAN's would be a better method. As soon as I started reading your post, I was thinking PVLAN's all the way. PVLAN's seems like it was designed for your scenario.
ConstantlyLearning wrote: » Money. Currently using 2970's and getting a couple of 3560's isn't an option at the moment if the same thing can be implemented another way. PVLAN's would be my preference.
notgoing2fail wrote: » Do the 2970's even support VACL's?
ConstantlyLearning wrote: » The feature navigator says so and the vlan access-map and vlan filter commands seems to be available so I'm assuming/hoping yes.
knwminus wrote: » Aww I didn't realise brandontek is notgoing2fail. I was like who the hell is this following me. Your blog looks very nice dude and I have it book marked. Looking forward to watching your CCNP studies.
stuh84 wrote: » Good stuff, looks fun, you got another subscriber and follower I will say that if you've worked with Route Maps at any point (like from the BSCI/ROUTE syllabus) then VACLs are so similar its criminal. When I looked at VACLs, I got them straight away due to studying the BSCI. It'll work the same the other way, if you know VACLs and start looking at Route Maps, you'll see a LOT similar.
notgoing2fail wrote: » My latest lab/blog for anyone that is interested.BrandonTek Blog Archive VLAN Access Lists Lab#01
Compare salaries for top cybersecurity certifications. Free download for TechExams community.
