Issue with VLAN Access Map

Unanswered Question
Jul 19th, 2009
User Badges:


in my LAN i have two 4503(distribution) and 10 switch (access).I applied this VACL on two 4500.This was worked well.

vlan access-map Guest-wifi 10

action drop

match ip address deny-guest-wifi

vlan access-map Guest-wifi 20

action forward


vlan filter Guest-wifi vlan-list 22

ip access-list extended deny-guest-wifi

permit ip

But what I want to know how this VACL is going to deny the data of both users who have same subnet and vlan and they are located on the same access switch.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Giuseppe Larosa Sun, 07/19/2009 - 09:16
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Youssef,

your configuration look like fine.

what are the two client vlans IP subnets?

this happens on a single access switch?

I see you want to know if it is effective if two users are on the same access switch:

the VACL is effective if the access switch is providing only L2 services: in that case when a user tries to contact someone outside its subnet it sends traffic to its default gateway that should be one of the distribution nodes and so the VACL comes to play its role for users of vlan22 in that ip subnet.

If someone using a device with two NICs place a device able to perform inter vlan routing and taking the role of default gateway on vlan (using gratuitous ARPs for example) this security feature can be defeated.

For additional security you could deploy the guest vlan inside a VRF in a VRF lite context giving them only internet access.

But it is a more complex solution

Hope to help


youssef_1985 Mon, 07/20/2009 - 02:38
User Badges:

Hi thanks for reply

But i want know how VACL take effect in switch access when two users and Want to communicate without passing by distribution nodes.


This Discussion