Employers know that CCNP-certified job applicants have real-world knowledge of networking. They also know that Cisco awards big discounts to companies that hire Cisco-certified staff.

After watching Jeremy Cioara's new CCNP 642-813 SWITCH training, you'll be a master-level consultant on Cisco switched networks. You'll also have brighter career prospects and be an important step closer to CCNP certification.

Jeremy covers everything you ever wanted to know about switching in this update to his existing BCMSN course. In no time, you'll be designing your network for maximum uptime and preparing it for advanced services like WiFi, VoIP and Video over IP.

Jeremy's training maps to Cisco CCNP certification exam 642-813.
1. Welcome to Cisco Switch: Watch Me First! (17 min)
2. The Switches Domain: Core Concepts and Design (42 min)
3. VLANs: Configuration and Verification (13 min)
4. VLANs: In-Depth Trunking (35 min)
5. VLANs: VLAN Trunking Protocol (33 min)
6. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1 (23 min)
7. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2 (34 min)
8. STP: Rapid Spanning Tree Concepts and Configuration (24 min)
9. EtherChannel: Aggregating Redundant Links (24 min)
10. L3 Switching: InterVLAN Routing Extraordinaire (28 min)
11. L3 Switching: Understanding CEF Optimization (16 min)
12. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1 (43 min)
13. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2 (23 min)
14. Campus Security: Basic Port Security and 802.1x (32 min)
15. Campus Security: VLAN and Spoofing Attacks (31 min)
16. Campus Security: STP Attacks and Other Security Considerations (15 min)
17. Campus VoIP: Overview, Considerations, and AutoQoS (44 min)
18. Wireless LAN: Foundation Concepts and Design Part 1 (26 min)
19. Wireless LAN: Foundation Concepts and Design Part 2 (22 min)
20. Wireless LAN: Frequencies and 802.11 Standards (34 min)
21. Wireless LAN: Understanding the Hardware (30 min)
22. The Switches Domain: Additional Life-Saving Technology (22 min)
23. Monitoring: Your Pulse on the Network (45 min)
24. Campus Security: VACLs (14 min)

00:00:00

We've come to this nugget with one objective in mind, and that is to understand this concept of VACLs. Now, everybody loves access lists. I know some of you are like, "Well, I don't love access lists." Well, the more you are in Cisco, the more you are like, "Well, they are kind of fun, they are pretty cool, they kind of bend your mind a little bit in logic and all that kind of stuff." Cisco found a way to take an access list and apply it

00:00:24

to a VLAN, and they called it a VACL. Now, if I were putting together a Cisco certification program for switching, if I, Jeremy Cioara, personally were doing it, I would have probably left VACLs off, simply because it is one of those concepts that you are going to see, you are going to look at it, and be like, "OK, it is kind of cool, but I am not too sure where I would use that." And I would say I have actually learned, and relearned,

00:00:51

and relearned VACLs many, many times, and it is primarily to study for a certification exam, just because when you get to the real world, it is not something I have seen used very often. I am not saying you would not be able to find a situation where you would use it; it is just not something I have seen done very often. So with all that being said, I did not write the

00:01:10

Cisco certification program, and someone else did, so they have decided to add VACLs, and they even went a step further... and as a matter of fact, if I just grab my pen here... they also added something on there called PACLs. You might have said, "This is just getting silly." It

00:01:24

kind of is. It is P-A-C-L. It actually stands for Port Access Control List. What it is, it is simply applying an access list, whether it be a MAC address access list or an IP access list, to a layer two switch port, which previously was not possible in the old days before multilayer switching came about.

00:01:45

So I thought the best way to talk about VACLs and PACLs would just be to talk about them through a demonstration, to show them to you. Here is the idea: a VACL filters the entire VLAN landscape. So let's say we've got this switch right here, and I just came up with a simple scenario: it's got two VLANs, 10 and 30. And now I want to set it up in such a way that VLAN 10 only allows the 10.1.10.0 subnet. That means that if anybody plugs in... let's say, for example,

00:02:19

this guy right here plugs into the network on VLAN 10, "click," the network cable attaches, and he has the statically assigned address 192.168.1.1. As soon as he tries to get into that VLAN, essentially the network landscape, he will be blocked, denied, and restricted by this VACL that has been applied. That's the idea of VACLs: that

00:02:40

they apply to that entire landscape. As I said, it is typically found in larger environments, partly because it originated as a feature of the 6500 switch. Now, the 6500 has a capability that my little 3550 here does not have, and that is the ability to use a VACL to redirect traffic. Now this would be a good use

00:03:02

for it. In my opinion, it is probably the more popular use for it. Essentially you can go in and create a VACL, in the same way right here, that says, "I want to match this subnet on VLAN 10, and I want to redirect that traffic to," we'll say, an IPS sensor, an IDS blade, that allows you to sort through and filter all that traffic through your security parameters. In this example,

00:03:28

your VACL could even grab, you know, all traffic and just redirect it, filter it out to an IPS sensor, or maybe you have a DMZ VLAN or something like that; you might want to do that. It's always very handy. The lower-level switches, like my 3550, only allow you to use a VACL to permit and deny. Which again is kind of

00:03:45

cool; it is a neat feature. So let's talk about, let's work through this example. (Just let me get rid of all my gibberish here.) Here is how it works: I am going to go to Switch A and literally create two VLANs. Let me bring my screen here. So we've got the switch. Go to global config mode, and I am going to do vlan 10 and vlan 30. show vlan. So we go, and we've got a couple of them that were hanging out in the VLAN database, but VLAN 10 and VLAN 30 are definitely in there. So they are now created. And the scenario that we are

00:04:23

working through says, "OK, we've got clients on VLAN 10, and they should be restricted to 10.1.10.0." So no other IP address should be able to be used on that subnet, or on that VLAN, other than this specific subnet. Same thing for VLAN 30; you've got the subnet right here. Now, the way VACLs work is very similar to

00:04:43

route maps. If you've dealt with route maps before on routers, or you could even go on a layer-three switch, they are kind of a little programming language where you have sequence numbers. I always compare them to BASIC programming on an old Commodore Amiga computer, but you can have line 10, line 20, line 30, and it kind of processes through in order, one by one. So let me show how I would have accomplished

00:05:05

this scenario right here. Go to global config mode. The first thing I would do is create a couple of access lists to match these parameters. So I would say VLAN 10 is going to match 10.1.10.0, so I am going to use access-list 1 permit 10.1.10.0, and this is my wildcard mask. Done. Very simple access list, and it is

00:05:32

only filtering based on the source, because that's what the scenario requires: that only these sources should be allowed on that subnet. Now you can use an extended access list with VACLs, that's not a problem; you can even use a MAC address access list. For example,

00:05:47

I can go in here and say mac access-list... then we'll just say this is an extended access list; then I'll say the name of this is... we'll say SERVER. Now I can go underneath that and use a permit statement: permit, we'll say, "any source MAC address to access the destination 111"... well, actually I don't want to use a wildcard, so I'll put host 1111.1111.2222. OK, so that's the server. And that would be creating a MAC address access list, so I can say this VLAN will only allow people to access that one destination MAC address.

00:06:26

Now again, you are probably looking at it, just like I am right now, and going, "Wow, that's pretty cool! So you are saying, Jeremy, that I could create a VACL that only allows people to access one MAC address?" Again, pretty neat. But again, unfortunately,

00:06:38

I know... well, I don't know, but I would assume that if you are like me, you'll get done with this nugget and be like, "OK, I am ready for the exam," or for whatever you are going to apply this knowledge to, but then a couple of weeks after the exam, you will have forgotten, because, again, I haven't found a great use for this where I am like, "Oh, VACLs are so, so amazing!" That's kind of a buzz killer; I should come up with a great story. Well, it's too late. I've never used it in production,

00:07:07

I'm just being honest. So, let's get back to our scenario. So, let me now go back to my do show access-lists. So there are my two access lists. I need to create one more access list, we'll say access-list 2 permit 10.1.30.0 0.0.0.255. Now I have my two access lists, one for each VLAN. So here's where the VACL comes in, and I will say that the syntax is not... I mean, once you use it for a while, it's OK, but it's

00:07:44

not friendly to start with. You actually create something called a VLAN access map. So I'm going to type in vlan access-map. Now again, if you've dealt with route maps, think of exactly that same thing. When I do access-map, it's going to ask me for a name, and I will say this is DEMO; we'll just name it, a case-sensitive name, whatever you need there. And I will say here's my sequence number. So I'll just start with sequence number 10, which if I just hit Enter would just be the default. And just

00:08:16

like a route map, I'm going to have my match and action statements. So instead of match and set, if you've dealt with route maps, we have match and then action: what do you want to do with it? So I'll say match ip address, and we'll say that this is match access-list 1. This would be for VLAN... 10... actually, I should have named this differently, but you've got the concept.

00:08:41

We've got VLAN 10, so I'm going to say match ip address 1, which is the IP address in VLAN 10, and the action will be forward (action forward). You're catching that? Now what's that doing? Let me go back here and just do a show run, pipe, include. Let's just do begin with (show run | begin vlan access-map).

00:09:11

So right there we've got our VLAN access-map DEMO 10 that says if it matches the IP address, the source address defined in access list 1, which we know is the 10.1.10.0 subnet, then go ahead and forward it. So I can then go, and this is not necessary,

00:09:29

because if you don't permit something, it will by default be denied. But just to show you how much like route maps these are... I'm going to add another sequence number, we'll say DEMO 20. And I'll just say action drop. You might say, "What did that match?", as you don't have any match statement. Remember,

00:09:49

it's just like a route map: if there's no match statement, then it's going to match everything. So again, walking through this DEMO access map, it says sequence number 10: if it's these guys, forward them. However, if you're anything else, meaning there's no match statement, then you will be dropped. So, once this is

00:10:07

done, it's just like creating a route map: it doesn't take effect until you apply it somewhere. So when you go back to global config mode, I'm going to apply it using the vlan filter command. So I'll say vlan filter, and it'll say, "What is the VLAN map name?", and I'll say the map name is DEMO. I'm going to apply

00:10:25

that to the VLAN list, and that's where I can put my VLANs in. So this is just for vlan-list 10. But you can see that we can put in multiple VLANs, like VLANs 10 through 20, or VLAN 10 comma 30 comma 90, those kinds of things; it's totally fair game to apply it to any or all VLANs. Now we've got the filter on VLAN

00:10:45

10. Now what about VLAN 30? Same kind of thing. We've already got the access list created for it, access list number 2. So I will create another access map, I'll say vlan access-map, and I'll just call this one DEMO1, and we'll use sequence number 10. Same kind of thing: match ip address 2, action forward, exit. Let's just add sequence 20, and I'll say action drop. If you're looking for a nice, concise demo of all of those

00:11:23

things put together, I can then go on and say vlan filter DEMO1; it's going to be the name of the access map. The VLAN I'm going to apply it to is VLAN 30. Enter, done. So that's allowing you to apply access lists to an entire VLAN landscape and filter these specific subnets to be allowed on those. Now again, this is just a very

00:11:51

simple demonstration so that you can see VACLs, see how they're used, but keep in mind that you can use extended access lists, you can use MAC address access lists, you can combine them all together with an access map. So there are all kinds of different ways that

00:12:05

this can be applied, that just being one of them. Now while we're all here, I don't have a scenario for it because it's very simple, but I also want to add one more piece on the good old PACLs. Remember, I was saying we have VACLs, which is an access list applied to a VLAN, and we have PACLs, which is really just an access list applied to a port. Now the reason they came out with the specific

00:12:28

name PACL, and they didn't just call it an ACL, is because this is applying an ACL to a layer 2 port. Now, if this is a layer 3 port, you know, you get there by going the no switchport command, and you're applying an access list to it, it's not called a PACL, it's just an ACL, an access list. It's an ACL, an access

00:12:50

list, applied to a layer 3 interface. But once it's a layer 2 interface, you can apply a PACL. Now the catch with PACLs, it's fun to say, is that they can only be applied inbound, in one direction. That's how they have the logic of the ASICs of the switch. So I'm going to go into my switch, and again, I'm not going to go through everything, because you just create an access list. It

00:13:12

could be a standard one, it could be an extended access list, it could be a MAC address access list. You wander into whatever interface you want, and it's just like a router. If I want to apply an access list, how do you do it on a router? ip access-group 1 in. You can see inbound PACLs, so that doesn't give you the option for out. And it's saying "conflict with your VLAN filters" that you've

00:13:38

applied. So it gives me no worries, but that's now considered a PACL because it's applied there. Now if I wanted to apply a MAC address access list, I could just use mac access-group, and then you would type in the ACL name like I've created before and apply that inbound as well. Now you're filtering it based

00:13:59

on the MAC address of the server. So, again, multiple ways that you can apply ACLs on layer 3 switches: VACLs to the entire landscape and PACLs to the port. I hate it when I do that; I summarized on a non-summary slide. So when I get to the summary slide, I think, "Well, what do I say now? Look at that house. Isn't it neat?" I hope this has been informative
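Pulling the commands from this nugget together, here is the complete configuration as one listing. This is an added example, not the configuration shown in the video: the ACL numbers, map names and the MAC address 1111.1111.2222 are the values used in the demonstration, while the access-port interface FastEthernet0/1 is assumed.

```cisco
! Added example, not the video's own console output.
!
! 1. Source-based standard ACLs, one per VLAN subnet (values from the nugget).
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 2 permit 10.1.30.0 0.0.0.255
!
! Optional MAC ACL: frames from anywhere to the server's MAC (assumed value).
mac access-list extended SERVER
 permit any host 1111.1111.2222
!
! 2. VLAN access-map for VLAN 10. Sequences are evaluated in order, like a route-map.
vlan access-map DEMO 10
 match ip address 1
 action forward
! A sequence with no match clause matches every remaining packet, IP or not.
vlan access-map DEMO 20
 action drop
!
! VLAN 30 gets its own map against ACL 2.
vlan access-map DEMO1 10
 match ip address 2
 action forward
vlan access-map DEMO1 20
 action drop
!
! 3. Apply the maps. A vlan filter has no direction: it covers every packet
! bridged within, or routed into or out of, the listed VLANs.
vlan filter DEMO vlan-list 10
vlan filter DEMO1 vlan-list 30
!
! 4. PACL: the same ACLs on a layer-2 access port, inbound only (interface assumed).
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group 1 in
 mac access-group SERVER in
end
!
! Verification, from privileged EXEC mode.
show access-lists
show vlan access-map
show vlan filter
show running-config | begin vlan access-map
```

Two checks worth doing before trusting this in a lab. First, Cisco's VLAN-map documentation for these platforms gives the default behaviour as: if the map contains at least one match clause for a packet's type (IP or MAC) and the packet matches none of them, the packet is dropped; if the map has no match clause for that packet type at all, the packet is forwarded. With only IP match clauses in DEMO, the explicit sequence 20 is what extends the drop to non-IP frames, so confirm with a test host (for example the statically addressed 192.168.1.1 from the scenario) that the VLAN behaves the way you intend, and remember that the filter applies to every packet in the VLAN, not just ingress from one port. Second, the PACL on FastEthernet0/1 and the VACL on VLAN 10 now both apply to that port's traffic, which is what the "conflict with your vlan filters" warning in the video is flagging; `show vlan filter` and `show access-lists` together show which filters are in play.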

Intermediate 11 hrs 24 videos
Jeremy Cioara
Nugget trainer since 2003