Any cisco experts here? I'm currently taking CCNA security but i'm fairly certain my teacher is putting ccnp concepts like VACLS i can't find it anywhere and its hard finding concrete examples on the internet. Can anyone make some sense of this I understand what access lists do completely but the vlan thing is throwing me off and the first question not sure which command i'd use
Setup notes
1. All links are in the block of IP addresses 10.3.96.0 /21, except for R2's connection to the ISP.
2. These are the IPv6 addresses on each segment. PCs are allowed to obtain their IPv6 settings automatically.
Segment 1A: cafe:db8:acad:1A::/64
Segment 1B: cafe:db8:acad:1B::/64
Segment 2A: cafe:db8:acad:2A::/64
Segment 3A: cafe:db8:acad:3A::/64
Segment D: cafe:db8:acad:D::/64
WAN link E: cafe:db8:acad:E::/64
WAN link F: cafe:db8:acad:F::/64
3. On R2, NAT is configured to use access list 1, which does not currently exist. Create access list 1 so that only source addresses in 10.3.96.0 /21 are translated by NAT.
4. Filter network traffic so that hosts from Segment 1A cannot access Server0's website. All other traffic should be permitted.
5. Configure the network so that only hosts on Segment 1B can telnet or ssh to R2 regardless of the state of the network links.
6. Configure IPv6 traffic filtering to block all traffic coming from segment 3A and going to segment 2A. All other traffic should be permitted.
5. Put a note in Packet Tracer that indicates where you put each one of your access lists (which router, interface, direction, if it applies). Explain your choice of placement.
7. Upload the updated Packet Tracer file to the assignment folder.
Used to be ccna but now i have my own co and dont have time for this shit i just hire pajeet tier contractors at 100/day to do this shit
>>55230852
appreciate the bump i guess
anyone know wtf number 3 means
or is familiar with VACLS?
:(
no 1?
>>55231469
>>55231086
>>55230925
CCIE x 2 here. wait up like 20 minutes I need to put kid to bed then i'll read this shit.
>>55230821
>>55230819
>>55230819
>>55230821
Okay, I'm back. Long story short, due to limitations with L3 switch TCAM tables, you cannot filter intra-vlan traffic with ACLs. ACLs on L3 switches are only capable of filtering inter-vlan traffic. So if you want any traffic filtering between devices on the same VLAN you need to use a VACL.
Command is basically creating an ACL like this
(config)# ip access-list extended <ACL name>
(config-ext-nacl)# permit ip <source ip> <wildcard mask> <dest ip> <wildcard mask>
exit out of extended named access list config mode.
create your vlan map
(config)#vlan access-map <map tag AKA it's name>
(config-access-map)#match ip address <put the ACL name here>
(config-access-map)#action <drop>
here you are saying drop anything found in the ACL, but it's just like an ACL where there is an implicit deny
so you need to exit out of this mode and type it again but without telling it to match to any IPs and take the action forward, like this
(config-access-map)#exit
(config-access-map)#vlan access-map <same as last time>
(config-access-map)#action <forward>
Now you need to apply this VACL
(config)# vlan filter <VACL map tag from before> vlan-list <whatever VLAN you want this on>
Note you are only using the ACL to identify the traffic that the VACL should take action on. Really think about this because it's pretty fucking key to understanding why we need to create an ACL for a VACL.
Also, I would highly recommend the CCNP R&S before pursuing any other Cisco track.
