
Ticket 6 – VLAN filter

May 1st, 2018 in TSHOOT v2

Client 1 is not able to ping the server. It is also unable to ping DSW1 or the FTP server (use the L2 diagram).

A VLAN access map is applied on DSW1, blocking the IP address of the client, 10.2.1.3.

Configuration on DSW1:
vlan access-map test1 10
 action drop
 match ip address 10
vlan access-map test1 20
 action drop
 match ip address 20
vlan access-map test1 30
 action forward
 match ip address 30
vlan access-map test1 40
 action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
 ip address 10.2.1.1 255.255.255.0

Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.

Note: After choosing DSW1 for Ans1, on the next page (for Ans2) you have to scroll down to find the VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to see. Also make sure you choose DSW1 (not ASW1) for the first question: there is also a “VLAN ACL/Port ACL” option for answer 2 if you choose ASW1, but it is wrong.

Nirmala
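
The order in which the access map on DSW1 is evaluated decides which clients are dropped, so here is an added example (not part of the original post and not a Cisco tool) that models it in Python. It assumes a simplified VACL model: sequences are checked in ascending order, the first match decides, and a sequence with no match clause matches everything; the names ACLS, ACCESS_MAP, VLAN_FILTER, vacl_verdict and compare_fixes are made up for this example.

```python
import ipaddress

# Constructed model of the DSW1 configuration shown above.
# Standard ACLs: number -> list of (address, wildcard) permit entries.
ACLS = {
    10: [("10.2.1.3", "0.0.0.0")],
    20: [("10.2.1.4", "0.0.0.0")],
    30: [("10.2.1.0", "0.0.0.255")],
}
# vlan access-map test1: sequence -> (action, ACL number or None for "no match clause").
ACCESS_MAP = {10: ("drop", 10), 20: ("drop", 20), 30: ("forward", 30), 40: ("forward", None)}
VLAN_FILTER = {10}  # vlan filter test1 vlan-list 10


def acl_permits(acl, src):
    """True if a permit entry of a standard ACL matches the source address."""
    s = int(ipaddress.IPv4Address(src))
    for addr, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return True
    return False


def vacl_verdict(src, vlan, access_map=ACCESS_MAP, vlan_filter=VLAN_FILTER):
    """Return (action, sequence) for an IP packet from src in the given VLAN."""
    if vlan not in vlan_filter:
        return ("forward", None)      # access map is not applied to this VLAN
    for seq in sorted(access_map):
        action, acl_id = access_map[seq]
        if acl_id is None or acl_permits(ACLS[acl_id], src):
            return (action, seq)      # first matching sequence decides
    return ("drop", None)             # assumption: unmatched IP traffic is dropped


def compare_fixes(clients=("10.2.1.3", "10.2.1.4", "10.2.1.5")):
    """Verdict per client: as configured, without sequence 10, without the filter."""
    without_seq_10 = {k: v for k, v in ACCESS_MAP.items() if k != 10}
    return {c: {
        "configured": vacl_verdict(c, 10)[0],
        "no vlan access-map test1 10": vacl_verdict(c, 10, access_map=without_seq_10)[0],
        "no vlan filter test1 vlan-list 10": vacl_verdict(c, 10, vlan_filter=set())[0],
    } for c in clients}


if __name__ == "__main__":
    for client, row in compare_fixes().items():
        print(client, row)
```

In this model, removing only sequence 10 lets 10.2.1.3 through while 10.2.1.4 is still dropped by sequence 20; removing the vlan filter forwards all three sample clients.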
Comments (14)
  1. Confuse guy
    April 11th, 2018

    A. Under the global configuration mode enter no access-list 10 command.
    B. Under the global configuration mode enter no access-map vlan 10 command.
    C. Under the global configuration mode enter no vlan access-map test1 10 command.
    D. Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.

    Myself will pick A or B, I want to minimize config change on the environment. However, we should look at the Q if it asks us to allow only 1 client or the whole subnet.

    1 more thing, can anybody tell me what is “After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also “VLAN ACL/Port ACL” option for answer 2 if you choose ASW1 but it is wrong.”

    I CANNOT BRAIN THE NOTE LOL

  2. engineer
    April 12th, 2018

    As far as I am concerned, in order to apply the VLAN access-map which is configured on the DSW1, we need to specify/apply this VLAN access-map on the “vlan filter test 1”. So as soon as we remove this vlan filter, automatically this VLAN access-map is not applied anywhere… So we just have the “access-list 10” which essentially is permitting Client 1.

  3. engineer
    April 12th, 2018

    Also I guess that the third answer also seems right to me: “Under the global configuration mode enter no vlan access-map test1 10 command”, because if we remove the access map, that means that the vlan filter will have nothing to filter. So to sum up, to me both answers 3 and 4 seem right… Which is kind of confusing, lol

  4. Confuse guy
    April 13th, 2018

    @engineer I got it now lol

    As per my understanding, only C and D are correct answers.

    B is wrong because of configuration syntax
    A is wrong because configuration below will be error
    vlan access-map test1 10 (ACL HAS BEEN DELETED!!!)
    action drop
    match ip address 10

  5. Harima
    April 21st, 2018

    Client has IP 10.2.1.3?? Wasn’t the IP address of Client1 10.2.1.4? (As in other tickets)

    In my opinion, if we will eliminate all vlan-access map entries with the command: “no vlan filter test1 vlan-list 10” (option D). This option will be more accurate.

    If you eliminate only the “entry 10” of the vlan access-map (option C), then the IP 10.2.1.4 will continue being denied by the “entry 20”.

  6. natedigi
    May 4th, 2018

    Harima, you are exactly right and are answering the confusion from “confuse guy” and “engineer”. The access map in question has 4 entries, 10, 20, 30 and 40. 10 and 20 match and drop .3 and .4 respectively, while 30 allows the whole subnet not previously matched, and 40 is the catch-all that forwards everything. If you only delete entry 10, effectively only client .3 will be blocked. Not sure of the wording of the real question, whether it mentions both clients .3 and .4 or not. Might be a bug in the wording, but if .3 was indeed meant to be allowed while .4 continues to be blocked, then C would be a better answer. More often than not though, if you have two clients in the same subnet you wouldn’t block only one of them from reaching the gateway and the FTP server, otherwise no need to have that client.

  7. Harima
    May 7th, 2018

    @natedigi

    The original question in TSHOOT is Client1 can’t access the web server, not Client1 or FTP server, then you must eliminate only the vlan-map test1 10. Eliminating all is the general solution, but then, for what reason would you implement a vlan access-map if you eliminate all?

  8. Confuse guy
    May 8th, 2018

    @Harima
    the reason is to get full mark in the CCNP TShoot Question. LOL.

    When are u planning to take it tho

  10. X
    June 6th, 2018

    Thank you for the feedback team.
    In summary I see that the answers are as posted at the beginning of this section ‘Ticket 6 – VLAN filter’

    1. DSW1
    2. VLAN ACL/Port ACL
    3. Under the global configuration mode enter no vlan filter test1 vlan-list 10 command

    *As “Cisco Queen” said, “Make sure you scroll down to select the VLAN ACL/Port ACL after selecting DSW1”

    If client is not able to ping DSW1 (10.2.1.1), I would verify if VACL and ACL are configured to make sure we are talking about this ticket or if there is something else.

    On the other hand, does anyone know if in the same ticket we can skip question 1 and 2 so that we can have an insight in question 3 where the issue might be and troubleshoot from there?

    Thank you.

  11. Aggravated
    June 6th, 2018

    I took the test today and I got this question. There was no option for VLAN ACL. Now I read the comment above about needing to scroll down? Are you serious? None of the other options require you to scroll down for options except this one?

  12. mithr
    June 23rd, 2018

    so guys which one is the correct command to be removed
    no vlan filter test1 vlan-list 10
    or
    no vlan access-map test1 10

  13. Anonymous
    July 13th, 2018

    no vlan filter test1 vlan-list 10

  14. Anonymous
    July 13th, 2018

    You can “match” all day long.. (waste of resources)
    But if you don’t take an action, the packet will flow.

    It’s like breaking the speed limit when the cops aren’t there….
    Not allowed, but no one is stopping you….
