First time I heard about VLAN Access Lists (VACLs) I was pretty intimidated. What's this access-list that can affect traffic at the L2 level? Must be pretty fancy, huh? Turns out not so fancy. The problem: Under normal operations, ACLs can only filter traffic at L3 (i.e. they have to be applied to an interface in a specific direction. The solution: VACLs use ACLs too, but they stand on the powerful shoulders of the Access-Map format (Route-Map-Looking statements). Configuration Steps Create an ACL Create a VLAN access-map and specify an action Apply the access-map to a SVI Configuration commands: ip access-list extended vacl_test permit ip host 10.1.1.1 192.168.2.0 0.0.0.255 exit ! vlan access-map vacl_test_map match ip address list vact_test action drop vlan access-map vacl_test_map 20 (the 20's just a sequence number) action forward exit ! vlan filter vacl_test_map vlan-list 1 Warning: Note that there may be a need to apply another ACL in the
During my review of the Infrastructure Security section of the 300-115 Cisco exam, I was a little confused about the purpose of DHCP Option 82. Why would the controller (or other relay agent) need to check that option before forwarding the DHCP request to the server? This didn't click until I read Cisco's configuration guide on this. Here's how it works: DHCP Option 82 Step 1: Configure Option 82 in the DHCP server Step 2: Configure the relay agent with appropriate Option 82 Step 3: Client requests a DHCP address Step 4: The DHCP relay agent adds option 82 information before encapsulating the DISCOVER into a Unicast packet to the DHCP server Step 5: The DHCP server receives the relayed request, checks Option 82 and sends OFFER accordingly. Step 6: The relay agent receives the OFFER, strips Option 82 info (deploys policy if-applicable), then forwards IP address assignment to the client. If you're studying the topic, I hope this helps.