VLAN ACLs Flashcards
What are VLAN ACLs used for?
Regulating intra-VLAN traffic on L3 switches.
VLAN ACLs are not used for inter-VLAN traffic because this can be accomplished by what?
Regular or extended ACLs.
What are the four steps in creating and applying a VLAN ACL?
1.Create an ACL. 2.Create a VLAN ACL, tie your ACL to it, and set your action. 3.Apply your VLAN ACL to a VLAN.
What command will put you into VLAN ACL config mode?
vlan access-map _(name)_
What happens if you do not specify an ACL to match in your VLAN ACL?
The VLAN ACL will apply to all traffic.
What do you not have to specify on a VLAN ACL when applying it?
Whether to apply it to inbound/outbound.
Refer to the exhibit. Which statement is true?
Router(config)# vlan access-map pass 10
Router(config-access-map)# match ip address ABC
Router(config- access-map)# action forward
Router(config)# vlan filter pass vlan-list 5-10
A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.
Answer: D
Explanation
Each VACL has an implicit “deny all” statement at the end, just like a regular ACL. From the exhibit we learn the VACL “pass” is applied from VLAN 5 to 10 with “action forward” -> All VLAN traffic in VLANs 5-10 that match ABC access list will be forwarded, other traffic in VLAN 5 to 10 will be dropped.
VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?
A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list
D. Implicit forward feature at start of list.
Answer: A
Explanation
If a VLAN map does not contain a match clause then it matches all type of traffic. Maybe this question is not clear but we should understand as “Which of the following actions are taken in a VLAN map that does not match a match clause?”.
Refer to the exhibit. What will happen to the traffic within VLAN 14 with a source address of 172.16.10.5?
Switch# show ip access-lists net_10
Extended IP access list net_10
10 permit ip 10.0.0.0 0.255.255.255 any
Switch# conf t
Switch(config)# vlan access-map thor 10
Switch(config-access-map)# match ip address net_10
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter thor vlan-list 12-16
A. The traffic will be forwarded to the router processor for further processing.
B. The traffic will be dropped.
C. The traffic will be forwarded to the TCAM for further processing.
D. The traffic will be forwarded to without further processing.
Answer: B
Explanation
The source address of 172.16.10.5 is not matched with access list net_10. Something like this at the end of the access-map:
vlan access-map thor
action drop
-> The traffic from 172.16.10.5 is dropped -> B is correct.
How are VACLs configured?
as a VLAN access map
How are VACLs applied
to a VLAN and not to a VLAN interface (SVI)
What does *VACL* stand for?
VLAN Access List
What is a *VACL*?
A VACL is applied to VLANs and configured similar to route-maps.
What does the *VACL Forward* action do?
VACL Forward allows traffic to be forwarded.
What does the *VACL Drop* action do?
VACL Drop drops traffic.