Well, I finished up the lab portfolio today!!!! Hooraaahhh
I felt that I finished up pretty strong writing some VACLs on one of my switches. The goal: let a host keep using its default gateway, but block it from reaching other hosts on its own VLAN. The trick is that traffic routed off the subnet still carries the remote destination IP, so it never matches an ACL aimed at 172.16.200.0/24 even though it is forwarded to the gateway's MAC; only IP packets from the host to addresses inside 172.16.200.0/24 (the gateway's own address included, since the gateway lives in that subnet) are dropped. Config is as follows:
dsl2(config)#ip access-list extended temp-host
dsl2(config-ext-nacl)#permit ip host 172.16.200.7 172.16.200.0 0.0.0.255 - the ACL only identifies the traffic (from 172.16.200.7 to anything in 172.16.200.0/24); "permit" here means "match", the drop comes from the access-map
dsl2(config-ext-nacl)#exit
dsl2(config)#vlan access-map block-temp 10 - create the access-map, sequence 10
dsl2(config-access-map)#match ip address temp-host
dsl2(config-access-map)#action ?
drop Drop packets
forward Forward packets
dsl2(config-access-map)#action drop - drop packets from 172.16.200.7 to the VLAN's own subnet
dsl2(config-access-map)#vlan access-map block-temp 20
dsl2(config-access-map)#action forward - forward everything else; a sequence with no match clause applies to all remaining traffic, and without it the implicit deny at the end of the access-map would drop the rest of the VLAN's traffic
dsl2(config-access-map)#exit
dsl2(config)#vlan filter block-temp vlan-list 200 - apply the access-map to VLAN 200
dsl2(config)#end
dsl2#sh vlan access-map - check your work
Vlan access-map "block-temp" 10
Match clauses:
ip address: temp-host
Action:
drop
Vlan access-map "block-temp" 20
Match clauses:
Action:
forward
I did test this with a host in VLAN 200 with the IP address of 172.16.200.7. It worked flawlessly. The host could not communicate within the VLAN, but could still get out to others and the internet.
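To see what the access-map actually matches without a switch in front of you, here is an added Python model of the VACL evaluation (my own example, not code from the original post or from Cisco). It implements wildcard-mask matching, the rule that a permit ACE means "this sequence matches" while a deny ACE (or the ACL's own implicit deny) means "fall through to the next sequence", and the implicit deny at the end of the access-map. It runs the post's map over a few constructed packets, and also over a variant ACL that is my assumption rather than the post's config: it carves out the gateway address (assumed to be 172.16.200.1) so the host can still ping the gateway itself, not just route through it.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


# Extended ACL entries as (action, src, src_wildcard, dst, dst_wildcard).
# "host x" is x with wildcard 0.0.0.0.
ACLS = {
    # The post's ACL: everything from .7 to the VLAN's own subnet.
    "temp-host": [
        ("permit", "172.16.200.7", "0.0.0.0", "172.16.200.0", "0.0.0.255"),
    ],
    # Variant (an assumption, not from the post): exclude the gateway,
    # assumed to be 172.16.200.1, so .7 can still reach it directly.
    "temp-host-gw": [
        ("deny", "172.16.200.7", "0.0.0.0", "172.16.200.1", "0.0.0.0"),
        ("permit", "172.16.200.7", "0.0.0.0", "172.16.200.0", "0.0.0.255"),
    ],
}


def acl_matches(acl, src: str, dst: str) -> bool:
    """First ACE whose src/dst match decides. Inside a VACL a 'permit' ACE
    means 'this map sequence applies'; a 'deny' ACE, or no matching ACE at
    all (the ACL's implicit deny), means 'fall through to the next sequence'."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def vacl_action(access_map, acls, src: str, dst: str) -> str:
    """Evaluate an access-map: sequences in order, first match wins, and a
    packet matching no sequence hits the implicit deny at the end (drop)."""
    for _seq, acl_name, action in access_map:
        if acl_name is None or acl_matches(acls[acl_name], src, dst):
            return action
    return "drop"


def block_temp_map(acl_name: str):
    """The post's 'block-temp' access-map, parameterised on the ACL name."""
    return [
        (10, acl_name, "drop"),   # match ip address <acl> / action drop
        (20, None, "forward"),    # no match clause / action forward
    ]


# Constructed IP packets (src, dst) as the VLAN 200 switch would see them.
SAMPLE_PACKETS = [
    ("172.16.200.7", "172.16.200.8"),  # .7 to another host on the VLAN
    ("172.16.200.7", "172.16.200.1"),  # .7 to the gateway's own address
    ("172.16.200.7", "8.8.8.8"),       # .7 to the internet, via the gateway
    ("172.16.200.8", "172.16.200.7"),  # another host initiating to .7
]


def evaluate(acl_name: str, packets=SAMPLE_PACKETS) -> dict:
    """Return {(src, dst): action} for the block-temp map built on acl_name."""
    amap = block_temp_map(acl_name)
    return {pkt: vacl_action(amap, ACLS, *pkt) for pkt in packets}


if __name__ == "__main__":
    for name in ("temp-host", "temp-host-gw"):
        print(f"access-map using ACL {name}:")
        for (src, dst), action in evaluate(name).items():
            print(f"  {src:>14} -> {dst:<14} {action}")
```

Two things the output makes obvious that the show command does not: with the post's ACL the host cannot ping the gateway's own address, even though packets routed through it to the internet are forwarded; and a packet from another VLAN host to .7 is forwarded, but .7's reply back to it is dropped, so the conversation still fails in both directions.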
So, now it's on to a little review, some practice questions, reinforcement labbing, and then the exam pretty soon! I will keep everyone posted (the few that may ever see this anyways!).