VLAN Access Map

VLAN Access Map gives you the ability to control traffic between users in the same VLAN. It is configured in the same way as a route map is configured. If you have VLAN 100 of which subnet is, and you want to deny access from host to host Here is how you configure your switch.

First, you create the VLAN map. In the global configuration mode, enter the command “vlan access-map” the syntax of the command is

Vlan access-map WORD NUMBER

WORD: the name of the access-map
NUMBER: the sequence number of the statement. You can later insert another statements with sequence number lower or higher than your current one.

After you enter the “vlan access-map” command, you will be in the access-map configuration level. Here, you can specify what to match and the action is, just like a route-map.

If you enter the command match and hit the question mark, you will be listed by two options, ip and mac. You guessed it, you can permit or deny access based on ip address or the mac address. We need to create an access-list, either ip access-list or mac access-list, that match the criteria of what we need to be matched. We will create the access-list later, but here we will configure the access-map to match ip access-list numbered 101. and the action is to drop (the action is either drop or forward. Drop for deny and forward for permit) the packet.

Match ip address 101

Action drop

For this scenario, you will want to match the ip of source and destination Therefore, we will create an ip access-list numbered 101 as what it is the access-list number we have configured in the access-map. Exit the access-map configuration and enter access-list command.

Access-list 101 permit ip host host

The last thing to do is to apply to which vlan does the access-map applies to. To do this, we use the command “vlan filter” at the global configuration mode. The syntax is

Vlan filter WORD vlan-list NUMBER

WORD: the name of the access-map
NUMBER: the number of the vlan you want the access-map to be applied to. You could use a number for the vlan or a vlan list for more than one vlan.


Anonymous said...

Thank you, this was really helpful before my CCNP TSHOOT exam. Very concise and clear.