Which Catalyst 6500 feature provides network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN?

Admin Staff asked 3 months ago
Which Catalyst 6500 feature provides network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN?

A. NAM

B. SPAN

C. VACL

D. 802.1X

Suggested Answer: C

VLAN access control lists (VACLs) provide network-security enforcement based on Layer 2, Layer 3, and Layer 4 information on a VLAN.
VACLs can be used to provide security based on MAC address, source and destination IP address, Layer 4 protocol, or port number. A VACL acts on all traffic of the selected VLAN, whether bridged or routed. The action performed on a packet can be forward (permit), redirect, or drop (deny). VACL entries are checked in sequence, which is similar in concept to route-map structures. The following procedure is used to create a VACL:

1. Define a VLAN access map:
switch(config)# vlan access-map name [seq#]
2. Configure a match clause:
switch(config-access-map)# match {ip address {1-99 | 1300-2699 | acl_name} | mac address acl_name}
3. Configure an action clause:
switch(config-access-map)# action {drop | forward | redirect}
4. Apply the map to a VLAN:
switch(config)# vlan filter map_name vlan-list list

Once created, verify the VACL using the following commands:
switch# show vlan access-map map_name
switch# show vlan filter

In the sample configuration shown below, all traffic in VLANs 1 through 3 that matches access list SAFE is forwarded. All other traffic is dropped.
switch(config)# vlan access-map cisco 10
switch(config-access-map)# match ip address SAFE
switch(config-access-map)# action forward
switch(config)# vlan filter cisco vlan-list 1-3
If access list cisco were configured as shown below, for example, traffic with a source address of 172.16.10.8 would be dropped.
Switch# show ip access-list cisco 10
Extended ip access list cisco 10
10 permit 10.0.0.0 255.255.255.0 any
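As an added example that is not part of the original answer, the following Catalyst 6500 configuration extends the sample above to a complete VACL that matches on Layer 3 (source subnet), Layer 4 (TCP port) and Layer 2 (source MAC) information, with a different action per clause. The ACL names other than SAFE, the subnet, the MAC address, the VLAN list and the redirect port are assumed values.

```cisco
! Added example, not the page's own configuration. Subnets, MAC address,
! the VLAN list and the redirect interface are placeholder values.

! ACLs referenced by a VLAN access map are used ONLY for matching:
! "permit" means the packet matches the clause, "deny" means it does not
! match and evaluation continues with the next sequence. The action
! clause, not the ACL, decides what happens to the packet.
ip access-list extended SAFE
 permit ip 10.0.0.0 0.0.0.255 any        ! Layer 3: management subnet

ip access-list extended WEB
 permit tcp any any eq 80                 ! Layer 4: HTTP to any host

mac access-list extended LEGACY-HOSTS
 permit host 0000.1111.2222 any          ! Layer 2: one non-IP host

! Sequence numbers are evaluated in order; first matching clause wins.
vlan access-map cisco 10
 match ip address SAFE
 action forward
vlan access-map cisco 20
 match ip address WEB
 action redirect gigabitethernet 1/1      ! placeholder monitoring port
vlan access-map cisco 30
 match mac address LEGACY-HOSTS
 action forward
! No explicit catch-all is needed: a packet that matches no clause is
! dropped by the implicit deny at the end of the map, which is why the
! sample above forwards only SAFE traffic and drops everything else.

! Apply to VLANs 1-3; bridged and routed traffic on those VLANs is filtered.
vlan filter cisco vlan-list 1-3

! Verify the map contents and the VLANs it is applied to.
show vlan access-map cisco
show vlan filter
```

Because an ACL "deny" entry only means "no match", a host you intend to block must not match any forward clause; relying on a deny line inside SAFE to drop it does not work.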
Objective: Infrastructure Security
Sub-Objective: Configure and verify switch security features
References:
Cisco > Home > Support > Product Support > End-of-Sale and End-of-Life Products > Cisco Catalyst 6000 Series Switches > Configure > Configuration Examples and Technotes > Securing Networks with Private VLANs and VLAN Access Control Lists
Cisco > Cisco IOS LAN Switching Command Reference > vlan access-map
Cisco > Cisco IOS LAN Switching Command Reference > match (vlan access-map)

This question is from the 300-115 Implementing Cisco IP Switched Networks (SWITCH) exam, which counts toward the Cisco Certified Network Professional (CCNP) Routing and Switching certification.