Home > Ticket 6 – VLAN filter

Ticket 6 – VLAN filter

May 1st, 2018 in TSHOOT v2 Go to comments

Client 1 is not able to ping the server. Unable to ping DSW1 or the FTP Server(Use L2 Diagram).

Vlan Access map is applied on DSW1 blocking the ip address of client

Configuration on DSW1
vlan access-map test1 10
action drop
match ip address 10
vlan access-map test1 20
action drop
match ip address 20
vlan access-map test1 30
action forward
match ip address 30
vlan access-map test1 40
action forward
vlan filter test1 vlan-list 10
access-list 10 permit
access-list 20 permit
access-list 30 permit
interface VLAN10
ip address

Ans1) DSW1
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.

Note: After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also “VLAN ACL/Port ACL” option for answer 2 if you choose ASW1 but it is wrong.

Comments (50) Comments
Comment pages
1 2 3 14 24
  1. Pre
    September 4th, 2010

    In my exam i chose DSW1 but 2nd question didnt contain VACL/PACL that’s why i changed to ASW1 then VACL/PACL then 3rd one No Vlan Filter 10

  2. Naveed
    September 4th, 2010

    Symptoms of this ticket.
    1- Client 1 is getting the correct IP address from DHCP (i.e
    2- But Client 1 is unable to ping DSW1.
    3- Client 1 is unable to ping FTP Server (

  3. Sept7_candidate
    September 7th, 2010

    Additonal information:
    VACL/PACL can be chosen for DSW1. You have to SCROLL DOWN to find the option.

  4. Anonymous
    September 8th, 2010

    Ans1) DSW1
    Ans2) Vlan access map (Scroll down )
    Ans3) No vlan filter test1 vlan-list 10 ( last option)

    exam config

    vlan access-map test1 10
    match ip address 10 (10 is the access-list number)

    vlan filter test1 vlan-list 10 (Apply vlan access-map to vlan 10)

    ip access-list standard 10
    ip access-list standard 20
    ip access-list standard 30

  5. ASLAM
    September 9th, 2010

    Thanks anonymous, it helps a lot when you can see the sample output from exam or just something similar , i hope if there is someone who can do this for all the tickets available will help a lot to locate the problem …

    Thanks in advance

  6. tomorrow
    September 18th, 2010

    my exam is within 2 Houres , in case of Vlan access mp will the pc get an ip address ,plz reply ASAP /.


  7. gazza
    September 26th, 2010

    Naveed and Network tut…thanks to u guys..i have been doing self study reading the materials and the video mentor….i just want to know if configurations will be required or we are just to detect the network problem and perform the necessary IOS commands to get the right answer..Your quick response is really appreciated…

  8. Adoga
    September 27th, 2010

    @ gazza, you dont need to perform any configuration on the devices, all you need to do is run the approprite show commands on the ios devices as explained in this forum and dont forget to start from the client using “ipconfig” to know if the client has a valid ip(10.2.*.*) and its not getting an ip i.e its having 169.*.*.*.


  9. ki
    September 28th, 2010

    @Naveed, my exam tomorrow, same concern as @tomorrow. Can the PC get IP address? For DHCP discovery it does not use the ‘10.2.2.*’ IP address, but for DHCP request I think it uses the given ‘10.2.1.*’ IP address which may be dropped. Will DHCP succeed and client have correct IP address? Thank you in advance.

  10. ki
    September 28th, 2010

    Sorry, I checked the doc and it does not use the IP address during IP address negotiation

  11. ipmasters
    September 29th, 2010

    pls dnt’ forget to share your experience after your exam with us here.
    Wish you the best!
    Taking my exam next week.

  12. gazza
    September 30th, 2010

    Thanks Adoga for your response..I want to know if the TT comes in the order listed on this sites..if not how do we know the Technology listed with each question…Naveed or any other helpful person should help me…thanks

  13. Adoga
    October 1st, 2010

    @ gazza, ure welcome. the trouble tickets in the real exam exam does not come in the exact format as mentioned here, so please do not cram the format. All you need to do is to know what fault is associated with which device and the right answer choices as mentioned on networktut.com. hope this helps…………….. Try to link the trouble tickets with the devices and not concentrate on the series, cuz the arrangement is defferent in the real exam.
    i.e asw1=3tts
    r2=ipv6 tt
    thats a total of 12 tts.
    go through the tts i just listed and associate/identify tickets using the devices specied and the technology involved, all the answers are on this forum.
    wish you all the best, by the way my exam is on monday 4/10/2010

  14. gazza
    October 2nd, 2010

    thanks man(Adoga)…am still going thru the Video..shud be writing the exam first week of November

  15. Sam
    October 5th, 2010

    Guys i found some problem in this ticket in my exam…. There was no any option given related to vlan access map or vlan acl/ port acl in DSW1.. i saw the running config n found that the client1’s ip was getting blocked due to vlan access map.. But there was no any related option is available..

  16. Ditto…
    October 14th, 2010

    I have to agree with Sam, there was no option on the list, and in the one for Access-list, didn’t appear to have anything relating.

  17. Donchichi
    October 28th, 2010


    I took the exam recently and i saw the option there. If you scrolled down, u would have seen it. But it is irrelevant now if you have passed the exam…:)

  18. Guest
    November 3rd, 2010

    Today i’ve failed exam :( Examination software is very bad. Three times i’ve had an error and relaunched it with help of certification manager.

    One TT was about vlan filter. It was VACL in DSW1, 100% ! But i didn’t find the VACL/PACL in answers.

  19. cisco guru
    November 5th, 2010

    take it with all this god willing shit , half you lot are cheating Muslims.. read the Koran brother and you will see that the profit said ” at the point of stealing, cheating the Muslim is no longer a believer”

    you have just become a infidel for the sake of a cert. well done

  20. cisco guru
    November 5th, 2010

    @guest you gotta be one think mother ? the give you the answers and you failed… a nearly fell of my chair laughing at your misfortune

  21. cisco guru
    November 5th, 2010

    @ guest. billions of sperm and you was the fastest….

  22. hi
    November 6th, 2010

    plz guys send me a valid dumps

  23. Naveed
    November 8th, 2010

    @CCIE interested people
    This is an open invitation for the serious people about CCIE. You are advised to send an email to the below mentioned address for enrolling your willingness. We’ll be utilizing the concept of 1+1 = 11 by putting our minds together to study/practice the right thing. Here it doesn’t require a mention for a CCIE candidate but let me clear one thing, ‘THERE IS NO SHORTCUT TO CCIE’, so any body looking for shortcuts, please accept my advance excuse. However, we’ll try to do our best to find out the fastest way and most effective material of practice/study.
    Kindly, enroll your willingness at following email address. Also if you have any question, send to the same address.

    I wish you could have a managed discussion forum for CCIE as you have for CCNP

  24. biggy
    November 10th, 2010

    what show command is appropriate to troubleshoot NAT ACL, R1 ACL and Vlan Filter? any suggestion? Thanks

  25. jijo
    November 11th, 2010

    in client ipconfig-,then ping not sucess.
    so problem is in asw1 or dswi
    check asw1
    1. int fa 1/0/1- switchport access vlan 10-if yes
    2.int fa 1/0/1-port condition-error disabled-if no
    3.int fa 1/0/13 and 23 allowed vlan 10-if yes
    check dsw1
    1.check VACL or any filter in vlan 10
    2.check stand by status of track command is wrong

    MY DOUBT IS WHICH ALL COMMANDS I CAN USE HERE TO FIND (I MEAN SUPPORT HERE).here the prioblem is VACL.so which command i should use in dsw1 to find the filter list .the only show run or any other commands.

  26. Anonymous
    November 30th, 2010

    I see alot of references to using the specific commands to find the portions of the configs where you’ll find the answer, but if in doubt can’t we just run “sh run” on any device to get the entire config? Alot of times in Cisco exams, they have certain commands disabled or shortcuts (I.E. Cisco exam usually doesn’t let you run “sh run | i …. or sh run | be …)

    To rephrase, on this exam can I just run “sh run” on any device if I don’t know or have forgotten the specific command????


  27. Bob
    December 2nd, 2010


    If you asking if you can show run on all devices, then yes you moron.

  28. Cozzmo
    December 2nd, 2010

    This makes no sense… and would drop the packet before reading the access-list.
    vlan access-map test1 10
    match ip address 10

    I think it would look more like this…
    vlan access-map test1 10
    match ip address 10
    action drop

  29. naggi
    December 5th, 2010

    hi guys somebody help i am tr to do the demo but there is only 4 tt qu and all releated to l3 topology plz help is there more or just this is it
    and how i know this q releated to which topology my cordial thanks to u guys

  30. Abolayan
    December 7th, 2010


    Remove vlan filter test1 vlan-list 10





  31. Goose
    December 9th, 2010


    you will see vlan filter test1 vlan-list 10 from ASW1 switch. so remove it from ASW1. However, kindly double check it both on DSW1 and ASW1.

    Already passsed TSHOOT. 1000/1000. thanks last DEC 06

  32. Abolayan
    December 12th, 2010



    but if I remove it from ASW1 should be can not able to ping ASW1

    Is it right

  33. Naveed
    December 16th, 2010

    You cannot use “sh run | i or sh run | be” or any type of such option to narrow down your results in TSHOOT exam simulator. So in exam, what u have is only basic version of ‘sh run’.

  34. David
    December 19th, 2010


    I agree with u.

    Based on: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html

    The sequence of creating VLAN ACL [VACL] is:
    (1)Define VLAN access map

    (2)Configure a Match Clause in a VLAN access map

    (3)configure an Action clause in a VLAN access map

    (4)Apply a VLAN access map using ‘vlan filter’ command

    Based on the config given at the begining of this thread:
    -IP range in ACL 10 is
    -action ‘drop’ in access-map test1 will block all IP with 10.2.x.x

    If there is an option in the solution to change the action of ‘drop’ to ‘forward’, that would be correct.

    Though simply removing ‘vlan filter test1 vlan-list 10’ is also a Righ answer.

  35. simple
    December 20th, 2010

    to All;

    just want to confirm, is VLAN ACL is only for L3 switch?

    or can be applied to pure L2 switch… please confirm,,,, thanks….

  36. Name
    December 22nd, 2010

    I guess VLAN ACL filter works on L3 and PACL filters on L2.
    so that means VACL can work only on L3 switch not on L2 switch.

    correct me if i am wrong
    what say naveed, am I right?

  37. simple
    December 22nd, 2010

    @ naveed

    pls reply…. we’re waiting ,,,, thnks….

  38. simple
    December 22nd, 2010


    do u have sample of PACL, thnx a lot…

  39. Name
    December 23rd, 2010


    I did some study on this ACLs and found this.

    VACL apply on VLAN and PACL apply on L2 port or L2 channel(L2 etherchannel). In L2 switch we can have vlan so i guess we could apply VACL on L2 switch.
    We don’t need in in/out direction command in VACL because it is direction less. that mean it applies to all traffic comming in or out.
    PACL is like a normal ACL and you have to specify direction on which you want to apply.following is simplified explainantion of PACL config.

    Step 1 Create the standard or extended IP ACLs or named MAC extended ACLs that you want to apply to the interface.

    Step 2 Use the ip access-group or mac access-group interface command to apply a IP ACL or MAC ACL to one or more Layer 2 interfaces.

    if want more details on ACLs, I found following list very useful


  40. kumar
    December 26th, 2010

    In exam i dont find

    vlan filter test1 vlan-list 10 –.cmd , what will be the solution for this ticket

  41. Ipv6
    December 28th, 2010

    @Naveed you say we cannot use “sh run | i or sh run | be”;
    are you saying that we cannot use “show running-config” for the Tshoot exam?

  42. David
    December 29th, 2010

    In Tshoot exam, we can use ‘show running-config’ [‘sh run’ in abbreviation].

    More specific parameters under ‘sh run’ are not supported. e.g. ‘sh run | i xxx’ or ‘sh run | beg xxx’ are NOT supported.

    But we can execute other troubleshooting commands such as PING, Traceroute, ‘sh route’, ‘sh ip route ospf’, ‘sh ip route eigrp’, ‘sh ip route bgp’, ‘sh ip ospf nei’, ‘sh ip eigrp nei’, ‘sh ip bgp nei’ etc.

  43. Ipv6
    December 30th, 2010

    is this the area that I will find the line:

    (vlan filter test1 vlan-list 10)


    interface Vlan10
    ip address
    ip helper-address
    standby 10 ip
    standby 10 priority 150
    standby 10 preempt
    standby 10 track 10 decrement 60
    interface Vlan20
    ip address

    This is my last TT to prepare for before my test, and I could use a little help on this one.

    I am not finding any of the configuration entries from the top of this page in any of the pre-configured TT folder files.

    Thanks dave

  44. David
    December 30th, 2010


    No, u will not find it under VLAN 10 & 20 config.

    Its under the Global Config, not under any specific VLAN config. Its provided by networktut at the very begining of this webpage.

  45. babiker
    January 9th, 2011

    I Ask about the series of tt if in vlan filter (firstly search in DSW1)
    if not found problem (Secondly search in DSW2) or
    Search in all deviece

  46. beeecoo
    January 9th, 2011

    I Ask about the series of tt if in vlan filter (firstly search in DSW1)
    if not found problem (Secondly search in DSW2) or
    Search in all deviece

  47. BW
    January 13th, 2011

    I got out-of marks today…..thanks 9tut.com
    In Exam vlan filter problem is very confusing que…..
    but dont get confused.
    If client 1 is able to ping but not able to ping means problem is related to vlan filter, that time u check “sh running-Config on DSW1”

    I found in Exam under configuration:-

    vlan access-map test 1 10
    action drop
    match ip add 10
    vlan access-map test 1 20
    action drop
    match ip add 20
    vlan access-map test 1 30
    action forward
    match ip add 30
    vlan access-map test 1 40
    action forward
    match ip add 40
    vlan filter test 1 vlan-list 10

    1)Device is DSW1,
    2)Technology is vacl / pacl,
    3)Solution:remove vlan filter test 1 from DSW1

  48. Nirmala
    February 9th, 2011

    Hi everyone! I’m going to take the exam next week. Guys please let me know if there is anything changed or updated.

    Are these questions still valid?

    Please help me……!

    Thank you

  49. Nirmala
    February 19th, 2011

    I did the exam yesterday and got 1000……………..!

    Thanks for everybody here supporting me for this achievement.

    All the questions in the exam are the things appear here. Nothing has been changed.

    But i would like to give an important advice for the people who wish to take the exam soon.

    Please read the comments in following link by Geno and Lisa. Those instructions were really

    helpful to me…!


  50. Nirmala
    February 19th, 2011

    For this question, there was a bug in the exam. In order to correctly answer 2nd and 3rd MCQ, i had to select the wrong device – ASW1. When i chose the correct device DSW1, the correct options for 2nd and 3rd MCQ not there. I checked few times and there is no vlan filter applied on ASW1, its on DSW1. After completing all other trouble tickets, i spent around 45 minutes to check if there something else wrong.
    Finally at the last few minutes, i chose ASW1 for the 1st question and correctly selected the other two. I got 1000.

Comment pages
1 2 3 14 24