
Ticket 6 – VLAN filter

May 1st, 2018 in TSHOOT v2

Client 1 is not able to ping the server. It is unable to ping DSW1 or the FTP Server (use the L2 diagram).

A VLAN access map is applied on DSW1, blocking the IP address of the client, 10.2.1.3.

Configuration on DSW1
vlan access-map test1 10
 action drop
 match ip address 10
vlan access-map test1 20
 action drop
 match ip address 20
vlan access-map test1 30
 action forward
 match ip address 30
vlan access-map test1 40
 action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
 ip address 10.2.1.1 255.255.255.0

Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.
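
The first-match evaluation behind Ans3, as an added example (not part of the original post): a small Python model of access-map test1 that compares the ticket's configuration with two candidate fixes. The function and variable names are hypothetical, the client 10.2.1.50 is a constructed address, and only source-IP matching by standard ACLs is modelled.

```python
import ipaddress

# Constructed model of the DSW1 configuration shown above.
# Standard ACLs: number -> list of (network, wildcard) permit entries.
ACLS = {
    10: [("10.2.1.3", "0.0.0.0")],
    20: [("10.2.1.4", "0.0.0.0")],
    30: [("10.2.1.0", "0.0.0.255")],
}
# Access-map test1: (sequence, action, ACL number or None for no match clause).
TEST1 = [(10, "drop", 10), (20, "drop", 20), (30, "forward", 30), (40, "forward", None)]


def acl_permits(acl, src):
    """Standard ACL check: source address compared under the wildcard mask."""
    s = int(ipaddress.IPv4Address(src))
    for net, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (int(ipaddress.IPv4Address(net)) & care):
            return True
    return False


def vacl_verdict(access_map, filter_applied, src):
    """Return (action, sequence) for an IP packet from src entering VLAN 10."""
    if not filter_applied:
        return ("forward", None)          # no vlan filter: the map is never consulted
    for seq, action, acl_no in sorted(access_map):
        # A sequence without a match clause matches every packet.
        if acl_no is None or acl_permits(ACLS[acl_no], src):
            return (action, seq)          # first matching sequence decides
    return ("drop", None)                 # nothing matched: implicit drop


def compare_fixes(clients=("10.2.1.3", "10.2.1.4", "10.2.1.50")):
    """Verdict per client for the ticket's config and two candidate fixes."""
    scenarios = {
        "as configured": (TEST1, True),
        "no vlan access-map test1 10": ([e for e in TEST1 if e[0] != 10], True),
        "no vlan filter test1 vlan-list 10": (TEST1, False),
    }
    return {name: {c: vacl_verdict(m, applied, c) for c in clients}
            for name, (m, applied) in scenarios.items()}


if __name__ == "__main__":
    for name, verdicts in compare_fixes().items():
        print(name)
        for client, (action, seq) in verdicts.items():
            print(f"  {client:<10} {action:<8} sequence {seq}")
```

Removing only sequence 10 lets 10.2.1.3 fall through to sequence 30, while 10.2.1.4 is still dropped by sequence 20; removing the vlan filter takes the whole map out of the forwarding path.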

Note: After choosing DSW1 for Ans1, on the next page (for Ans2) you have to scroll down to find the VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to see. Also make sure you choose DSW1 (not ASW1) for the first question: there is also a “VLAN ACL/Port ACL” option for answer 2 if you choose ASW1, but it is wrong.

Nirmala
Comments (23)
  1. Confuse guy
    April 11th, 2018

    a. Under the global configuration mode enter no access-list 10 command.
    B. Under the global configuration mode enter no access-map vlan 10 command.
    C. Under the global configuration mode enter no vlan access-map test1 10
    command.
    D. Under the global configuration mode enter no vlan filter test1 vlan-list 10
    command.

    Myself will pick A or B, I want to minimize config change on the environment. However we should look at the Q if it asks us to allow only 1 client or the whole subnet.

    1 more thing, can anybody tell me what is “After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also “VLAN ACL/Port ACL” option for answer 2 if you choose ASW1 but it is wrong.”

    I CANNOT BRAIN THE NOTE LOL

  2. engineer
    April 12th, 2018

    As far as I am concerned, in order to apply the VLAN access-map which is configured on the DSW1, we need to specify/apply this VLAN access-map on the “vlan filter test 1”. So as soon as we remove this vlan filter, automatically this Vlan access-map is not applied anywhere… So we just have the “access-list 10” which essentially is permitting Client 1.

  3. engineer
    April 12th, 2018

    Also I guess that the third answer also seems right to me: “Under the global configuration mode enter no vlan access-map test1 10 command”, because if we remove the access map, that means that the vlan filter will have nothing to filter. So to sum up, to me both answers 3 and 4 seem right… Which is kind of confusing, lol

  4. Confuse guy
    April 13th, 2018

    @engineer i got it now lol

    As per my understanding, only C and D are correct answers.

    B is wrong because of configuration syntax
    A is wrong because configuration below will be error
    vlan access-map test1 10(ACL HAS BEEN DELETED!!!)
    action drop
    match ip address 10

  5. Harima
    April 21st, 2018

    Client has IP 10.2.1.3?? Wasn’t the IP address of Client1 10.2.1.4? (As in other tickets)

    In my opinion, if we will eliminate all vlan-access map entries with the command: “no vlan filter test1 vlan-list 10” (option D). This option will be more accurate.

    If you eliminate only the “entry 10” of the vlan access-map (option C), then the ip 10.2.1.4 will continue being denied by the “entry 20”

  6. natedigi
    May 4th, 2018

    Harima, you are exactly right and are answering the confusion from “confuse guy” and “engineer”. The access map in question has 4 entries, 10 20 30 and 40. 10 and 20 match and drop .3 and .4 respectively while 30 allows the whole subnet not previously matched, and 40 the catch all forward everything. If you only delete entry 10, effectively only client .3 will be blocked. Not sure the wording of the real question whether it mentions both clients .3 and .4 or not. Might be a bug in the wording but if .3 was indeed meant to be allowed while .4 continue to be blocked, then C would be a better answer. More often than not though, if you have two clients in the same subnet you wouldn’t block only one of them from reaching the gateway and the FTP server otherwise no need to have that client.

  7. Harima
    May 7th, 2018

    @natedigi

    The original question in tshoot is Client1 can’t access to web server, not Client1 or ftp server, then you must eliminate only the vlan-map test1 10. Eliminate all is the general solution, but then, for what reason you will implement vlan access-map if you eliminate all?

  8. Confuse guy
    May 8th, 2018

    @Harima
    the reason is to get full mark in the CCNP TShoot Question. LOL.

    When are u planning to take it tho

  10. X
    June 6th, 2018

    Thank you for the feedback team.
    In summary i see that the answers are as posted at the beginning of this section ‘Ticket 6 – VLAN filter’

    1. DSW1
    2. VLAN ACL/Port ACL
    3. Under the global configuration mode enter no vlan filter test1 vlan-list 10
    command

    *As “Cisco Queen” said, ” Make sure you scroll down to select the VLAN ACL/Port ACL after selecting DSW1″

    If client is not able to ping DSW1 (10.2.1.1), i would verify if VACL and ACL are configured to make sure we are talking about this ticket or if there is something else.

    On the other hand, does anyone know if in the same ticket we can skip question 1 and 2 so that we can have an insight in question 3 where the issue might be and troubleshoot from there?

    Thank you.

  11. Aggravated
    June 6th, 2018

    I took the test today and I got this question. There was no option for VLAN ACL. Now I read the comment above about needing to scroll down? Are you serious? None of the other options require you to scroll down fuentes for options except this one?

  12. mithr
    June 23rd, 2018

    so guys which one is the correct command to be removed
    no vlan filter test1 vlan-list 10
    or
    no vlan access-map test1 10

  13. Anonymous
    July 13th, 2018

    no vlan filter test1 vlan-list 10

  14. Anonymous
    July 13th, 2018

    You can “match” all day long.. (waste of resources)
    But if you don’t take an action, the packet will flow.

    It’s like breaking the speed limit when the cops aren’t there….
    Not allowed, but no one is stopping you….

  15. Magneto
    August 7th, 2018

    no vlan filter test1 vlan-list 10

  16. KALEL
    August 11th, 2018

    Hi guys, a friend that recently took the exam told me that the correct answer is just to remove the vlan access map and not the whole vlan filter……. what do you think ????

  17. Anonymous
    August 21st, 2018

    By removing “vlan filter test1 vlan-list 10” vlan access map will not be applied, so this will work as well.

  18. jk
    August 24th, 2018

    Hello Networktut, most of the questions end with the following statement like, a trouble ticket has been opened indicating that Client 1 cannot ping the 209.65.200.241 address, that is when you open the link to try it, but from the above question 6 says Client 1 is not able to ping the server. Unable to ping DSW1 or the FTP Server (Use L2 Diagram). So how do I differentiate, and some of the tickets are not having questions in front at all, kindly help.

  19. Peter
    August 26th, 2018

    Try setting up the scenario and then apply each command…
    Here is what I got:
    a. Under the global configuration mode enter no access-list 10 command.
    This took down the EIGRP neighbor, as the ACL was now blank, and still applied on the filter, nothing works… X
    B. Under the global configuration mode enter no access-map vlan 10 command.
    This command is not valid, it is around the wrong way; C is the correct format of this command. X
    C. Under the global configuration mode enter no vlan access-map test1 10
    command.
    This works! PC1 is now able to ping… however I have fixed PC1’s issue I have not rectified the fault fully to the best of my expertise, as a quick check means the user of PC2 will soon call with the same problem, and then I will have to make another change… X
    D. Under the global configuration mode enter no vlan filter test1 vlan-list 10
    command.
    Best answer (as Cisco expects) this totally removes the problem in full, and now everyone can move on and use their PCs… FYI if you want to block PC2 you might as well just remove him from the network, as a DHCP refresh or static IP would get around this anyway… Y

  20. bono
    September 24th, 2018

    Hi all,

    I had two questions last week which look new or same issue on different device.

    1- passive interface configured under eigrp router on DSW1 instead of R4
    2- there was no OSPF neighbor relationship between R1 and R2 but the issue was not auth under sub-int on R1

    Could you please kindly assist if anyone has any idea what these issues are regarding to as I booked another exam in two days? This is the last chance I have as my CCNA will be expired by 1st of October.

    I am also wondering if anyone knows how many score each TT and MCQ has?

    Your guidance is much appreciated.

    Cheers

  21. Anonymous
    October 4th, 2018

    Packet Tracer. ping fails at client but works at R1 and R4. Issue points towards the client or switches. Router R4 cannot ping the client. Check clients default gateway. This is 10.2.1.254 on the client. On DSW1 and DSW2 is HSRP. This is the HSRP address, DSW1 is the active. ACL found under the vlan 10 interface. 3 mins to find.

  22. TestingSoon
    November 11th, 2018

    regarding above comment, I do not see an ACL under int vlan10

    Also do not receive “Correct” if I choose the answer DSW2, Vlan ACL/Port ACL, and “no vlan filter test1 vlan-list 10” within global.

    Anyone receive a “Correct” with above choose?

  23. Kuiwal
    November 27th, 2018

    Testing Soon,

    This applies under DSW1, not DSW2 :)
