in

CCIE - Internetwork Expert's Online Community
Forums » Internetwork Expert Products » CCIE R&S Lab Workbook Volume II Version 4.1 » IEWB-RS Volume 2 Version 4.1 Lab 12 » Task 2.4
Latest post 11-08-2008 7:44 AM by Hamood. 4 replies.
Page 1 of 1 (5 items)
Sort Posts: Previous Next

  • 07-24-2008 11:00 AM

    • whitem316
    • Top 200 Contributor
    • Joined on 07-24-2008
    • San Dieg
    • Posts 7
    • Points 140

    Task 2.4

    Reply Contact

    Is the below config a possible correct answer for Task 2.4?

     

    !
    mac access-list extended ROUTER
     permit host 0030.1369.87a0 any
    !
    vlan access-map STOP_ROUTER 10
     action drop
     match mac address ROUTER
    !
    vlan filter STOP_ROUTER vlan-list 17
    • Post Points: 35

  • 07-24-2008 3:01 PM In reply to

    Re: Task 2.4

    Reply Contact

    Firstly, matching a MAC ACL will only match non-IP traffic (e.g. ARP, VTP, STP). In your case, the host will still be able to send IP packets e.g. by using static ARP entries. Secondly, you vlan filter misses another statement that permits all other traffic. In effect, it will filter ALL non-IP traffic on the  VLAN it maps onto.

    Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
    petr@internetworkexpert.com 

    InternetworkExpert Inc.
    http://www.internetworkexpert.com
    Filed under:
    • Post Points: 20

  • 07-24-2008 3:30 PM In reply to

    • whitem316
    • Top 200 Contributor
    • Joined on 07-24-2008
    • San Dieg
    • Posts 7
    • Points 140

    Re: Task 2.4

    Reply Contact

    Notice I was missing the second permit statement in my VLAN filter when I had EIGRP nei problems.

    Thank you for your help.
    • Post Points: 5

  • 08-19-2008 11:53 PM In reply to

    • NTllect
    • Top 10 Contributor
    • Joined on 07-11-2008
    • CIS
    • Posts 269
    • Points 3,860

    Re: Task 2.4

    Reply Contact
    I think there is a small violation, init config for SW1 have: 
    interface range Fa0/7 - 8
 switchport access vlan 17
 no shutdown

Task 2.1 requires us to:

Rack1SW1#show vlan brief | exclude (unsup|^1 |^ )
VLAN Name Status Ports
---- -------------------------------- --------- -------------------
3   VLAN0003       active Fa0/3
17 VLAN0017        active Fa0/1
22 VLAN0022        active
33 VLAN0033        active
38 VLAN0038        active
45 VLAN0045        active
46 VLAN0046        active
58 VLAN0058        active Fa0/5
Rack1SW1#
    and SG for 2.4 uses vlan 17 for f0/7 and f0/8. While doing troubleshooting for task 1 I removed switchport access vlan 17 thinking that is a mistake since 2.1 do not show f0/7 & f0/8 as a vlan 17 member ports. As for solution: lab 11 have the same issue with mac ACLs which will not match IP traffic, but hands just configured mac ACL. Thanks IE for this nice coaching.
    • Post Points: 20

  • 11-08-2008 7:44 AM In reply to

    • Hamood
    • Top 100 Contributor
    • Joined on 08-01-2008
    • Posts 16
    • Points 175

    Re: Task 2.4

    Reply Contact

    I do as well remove vlan 17 from 8 and 7 thiking it is a mistake , can you explain this  more ?

     
    • Post Points: 5
Page 1 of 1 (5 items)