Practice Q's - VACL Flashcards

1
Q

Which Catalyst 6500 feature provides network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN?

A. NAM

B. SPAN

C. VACL

D. 802.1X

A

Answer: C

Explanation:

VLAN access control lists (VACLs) provide network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN.

VACLs can be used to provide security based on MAC address, source and destination IP address, Layer 4 protocols, or port numbers. The VACL will act on all traffic of a select VLAN whether bridged or switched. The actions performed on a packet can include permit, redirect, or deny. The VACL entries are checked in sequence, which is similar in concept to route-map structures. The following procedure is used to create VACLs:

Define a VLAN access map:

  • switch(config)# vlan access-map name [seq#]

Configure a match clause:

  • switch(config-access-map)# match {ip address {1-99 | 1300-2699 | acl_name} | mac address acl_name}

Configure an action clause:

  • switch(config-access-map)# action {drop | forward | redirect}

Apply the map to a VLAN:

  • switch(config)# vlan filter map_name vlan-list list

Once created, you should verify the VACLs using the following commands:

  • switch# show vlan access-map map_name
  • switch# show vlan filter

In the sample configuration shown below, all VLAN traffic in VLANs 1 through 3 that matches access list SAFE will be forwarded. All other traffic will be dropped.

  • switch(config)# vlan access-map cisco 10
  • switch(config-access-map)# match ip address SAFE
  • switch(config-access-map)# action forward
  • switch(config)# vlan filter cisco vlan-list 1-3

If access list cisco were configured as shown below, for example, traffic with a source address of 172.16.10.8 would be dropped.

Switch# show ip access-list cisco 10
Extended ip access list cisco 10
10 permit 10.0.0.0 255.255.255.0 any

2
Q

You want to configure your Catalyst 6500 switch to redirect certain IP traffic from VLANs 22 through 33 to the Gigabit Ethernet interface that resides at slot 4, port 1. The IP traffic to be redirected must match an ACL named tn1.

Which of the following sets of commands should you issue?

A. vlan access-map 22-33
   match ip address tn1
   action redirect gigabitethernet 4/1
   vlan filter tn1

B. vlan access-map ge1
   match ip address tn1
   action redirect gigabitethernet 4/1
   vlan filter ge1 vlan-list 22-33

C. vlan access-map tn1
   match ip address ge1
   action redirect gigabitethernet 4/1
   vlan filter tn1 vlan-list 22 33

D. vlan access-map ge1
   match ip address tn1
   action redirect gigabitethernet 4/1
   vlan filter ge1 vlan-list 22 33

A

Answer: B

Explanation:

To appropriately configure your Catalyst 6500 switch in this scenario, you should issue the following commands:

  • Switch(config)# vlan access-map ge1
  • Switch(config-access-map)# match ip address tn1
  • Switch(config-access-map)# action redirect gigabitethernet 4/1
  • Switch(config-access-map)# exit
  • Switch(config)# vlan filter ge1 vlan-list 22-33

VLAN access control lists (VACLs) are used to control how packets are switched within a virtual local area network (VLAN). To configure a VACL, you should perform the following actions:

The syntax for the vlan access-map command is vlan access-map map-name [sequence-number], where map-name is the name assigned to the VLAN access map. The optional sequence-number parameter defines the order in which the access map statements are checked. Therefore, the command vlan access-map ge1 creates a VLAN access map named ge1 with no sequence number.

The match command can filter traffic based on IP address, IPX address or Media Access Control (MAC) address. The syntax for the match command is match {ip address {acl-number | acl-name} | ipx address {acl-number | acl-name} | mac address acl-name}, where acl-number and acl-name are the number and name of the access list, respectively. Therefore, the command match ip address tn1 specifies that only traffic that matches ACL tn1 will trigger the action specified in the action command.

The action command will configure the VACL to drop, forward, or redirect traffic that matches the access list specified in the match command. The syntax for the action command is action {drop | forward | redirect interface slot/port}. Therefore, the command action redirect gigabitethernet 4/1 will redirect traffic that matches the access list to Gigabit Ethernet interface 4/1 (slot 4, port 1).

The syntax for the vlan filter command is vlan filter map-name {vlan-list vlan-list}, where map-name is the name of the VLAN access map and vlan-list is the VLAN or VLANs that should be filtered by the VACL. Therefore, the command vlan filter ge1 vlan-list 22-33 applies the VLAN access map named ge1 to VLANs 22 through 33.

The following command set incorrectly specifies the VLAN access map and filter:

  • Switch(config)# vlan access-map 22-33
  • Switch(config-access-map)# match ip address tn1
  • Switch(config-access-map)# action redirect gigabitethernet 4/1
  • Switch(config-access-map)# exit
  • Switch(config)# vlan filter tn1

The following command set incorrectly specifies the VLAN access map and the match statement. This command is also missing the required hyphen in the list of VLANs specified after the vlan-list keyword:

  • Switch(config)# vlan access-map tn1
  • Switch(config-access-map)# match ip address ge1
  • Switch(config-access-map)# action redirect gigabitethernet 4/1
  • Switch(config-access-map)# exit
  • Switch(config)# vlan filter tn1 vlan-list 22 33

The following command set is missing the required hyphen in the list of VLANs specified after the vlan-list keyword:

  • Switch(config)# vlan access-map ge1
  • Switch(config-access-map)# match ip address tn1
  • Switch(config-access-map)# action redirect gigabitethernet 4/1
  • Switch(config-access-map)# exit
  • Switch(config)# vlan filter ge1 vlan-list 22 33