VLAN Access Map
Here you will find answers to VLAN Access Map (VACL)
Quick review:
1. Define a VLAN access map
Switch(config)# vlan access-map map_name [sequence]
2. Configure a match clause:
Switch(config-access-map)# match {ip address | ipx address | mac address} {acl-number | acl-name}
3. Configure an action clause:
Switch(config-access-map)# action {drop | forward | redirect}
4. Apply a map to VLANs:
Switch(config)# vlan filter map_name vlan-list list
To verify the VACL configuration:
Switch# show vlan access-map map_name
Switch# show vlan filter [ access-map map_name | vlan vlan_id ]
An example of VACL:
The following example shows how to define and apply a VLAN access map that forwards packets matching the certprepare_acl access list. All other packets in VLANs 10 to 20 are dropped due to the implicit “deny all” at the end of the access map.
// Define access list
Router(config)# ip access-list extended certprepare_acl
Router(config-ext-nacl)# permit ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# exit
// Define VLAN access map
Router(config)# vlan access-map certprepare 10
Router(config-access-map)# match ip address certprepare_acl
Router(config-access-map)# action forward
Router(config-access-map)# exit
// Apply VACL to VLANs 10 to 20
Router(config)# vlan filter certprepare vlan-list 10-20
Question 1
Refer to the exhibit. Which statement is true?
Router(config)# vlan access-map pass 10
Router(config-access-map)# match ip address ABC
Router(config-access-map)# action forward
Router(config)# vlan filter pass vlan-list 5-10
A. IP traffic matching access list ABC is forwarded through VLANs 5-10.
B. IP traffic matching VLAN list 5-10 will be forwarded, and all other traffic will be dropped.
C. All VLAN traffic matching VLAN list 5-10 will be forwarded, and all traffic matching access list ABC is dropped.
D. All VLAN traffic in VLANs 5-10 that match access list ABC will be forwarded, and all else will be dropped.
Answer: D
Explanation
Each VACL has an implicit “deny all” statement at the end, just like a regular ACL. From the exhibit we learn that the VACL “pass” is applied to VLANs 5 to 10 with “action forward” -> All traffic in VLANs 5-10 that matches access list ABC will be forwarded; other traffic in VLANs 5 to 10 will be dropped.
Question 2
VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?
A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list.
D. Implicit forward feature at start of list.
Answer: C
Explanation
VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, provided that the access map contains at least one “match” clause.
If you configure like this:
Switch(config)# vlan access-map test
Switch(config-access-map)# match ip address ABC
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Then all unmatched traffic will be dropped because of an implicit “deny all” at the end of the VACL.
But if there is NOT A MATCH statement, then the default behavior of the VACL is to forward traffic. If you configure like this:
Switch(config)# vlan access-map test
Switch(config-access-map)# exit
Then in “show run” you will find an “action forward” automatically placed under the vlan access-map command -> Answer C is correct.
Question 3
Refer to the exhibit. What will happen to the traffic within VLAN 14 with a source address of 172.16.10.5?
Switch# show ip access-lists net_10
Extended IP access list net_10
10 permit ip 10.0.0.0 0.255.255.255 any
Switch# conf t
Switch(config)# vlan access-map thor 10
Switch(config-access-map)# match ip address net_10
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter thor vlan-list 12-16
A. The traffic will be forwarded to the router processor for further processing.
B. The traffic will be dropped.
C. The traffic will be forwarded to the TCAM for further processing.
D. The traffic will be forwarded to without further processing.
Answer: B
Explanation
The source address 172.16.10.5 does not match access list net_10, so the packet falls through to the implicit deny, which behaves as if something like this were at the end of the access map:
vlan access-map thor
action drop
-> The traffic from 172.16.10.5 is dropped -> B is correct.
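The evaluation order described in the explanations for Questions 2 and 3, as an added Python model (not Cisco code and not part of the original page). It is simplified to IPv4 source matching against permit entries only; the function names, tuple layout and sample data are hypothetical and constructed from the Question 3 exhibit.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src):
    """acl: list of (base, wildcard) permit entries; source address only (simplified)."""
    return any(wildcard_match(src, base, wc) for base, wc in acl)

def vacl_decision(vlan, src, access_map, vlan_list, acls):
    """Return 'forward' or 'drop' for a packet bridged inside `vlan`.

    access_map: list of (sequence, acl_name_or_None, action_or_None).
    """
    if vlan not in vlan_list:
        return "forward"                 # the vlan filter does not cover this VLAN
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None:             # no match clause: entry matches everything
            return action or "forward"   # default action is forward (Question 2)
        if acl_permits(acls[acl_name], src):
            return action or "forward"
    return "drop"                        # implicit deny after the last entry

# Constructed from the Question 3 exhibit
ACLS = {"net_10": [("10.0.0.0", "0.255.255.255")]}
THOR = [(10, "net_10", "forward")]
THOR_VLANS = range(12, 17)               # vlan-list 12-16

# Question 2 case: a map entry created with no match clause
EMPTY_MAP = [(10, None, None)]

if __name__ == "__main__":
    for vlan, src in [(14, "172.16.10.5"), (14, "10.1.2.3"), (20, "172.16.10.5")]:
        print(vlan, src, vacl_decision(vlan, src, THOR, THOR_VLANS, ACLS))
    print(14, "172.16.10.5", vacl_decision(14, "172.16.10.5", EMPTY_MAP, THOR_VLANS, ACLS))
```
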
Question 4
What is the method used to filter traffic being bridged within a VLAN?
A. Ethernet maps
B. Router ACLs
C. VLAN maps
D. IP ACLs
Answer: C