Cisco Support Community

New Member

Issue with VLAN Access Map


In my LAN I have two 4503s (distribution) and 10 switches (access). I applied this VACL on the two 4500s. This worked well.

vlan access-map Guest-wifi 10
 action drop
 match ip address deny-guest-wifi
vlan access-map Guest-wifi 20
 action forward
!
vlan filter Guest-wifi vlan-list 22
!
ip access-list extended deny-guest-wifi
 permit ip

But what I want to know is how this VACL is going to deny the data of two users who have the same subnet and VLAN and are located on the same access switch.

Hall of Fame Super Silver

Re: Issue with VLAN Access Map

Hello Youssef,

Your configuration looks fine.

What are the two client VLANs' IP subnets?

Does this happen on a single access switch?

I see you want to know whether it is effective if two users are on the same access switch:

The VACL is effective if the access switch is providing only L2 services: in that case, when a user tries to contact someone outside its subnet, it sends traffic to its default gateway, which should be one of the distribution nodes, and so the VACL comes into play for users of VLAN 22 in that IP subnet.

If someone using a device with two NICs places a device able to perform inter-VLAN routing and takes the role of default gateway on the VLAN (using gratuitous ARPs, for example), this security feature can be defeated.

For additional security you could deploy the guest VLAN inside a VRF in a VRF-lite context, giving them only Internet access.

But it is a more complex solution.

Hope to help


New Member

Re: Issue with VLAN Access Map

Hi, thanks for the reply.

But I want to know how the VACL takes effect on the access switch when two users want to communicate without passing through the distribution nodes.
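As an added example (not code from the thread, from the posters, or from Cisco), here is a small Python model of the point made in the reply above and asked again in this follow-up: a VACL applied on the distribution 4500 is only evaluated by frames that actually cross that switch, so two guest users on the same access switch, or a host whose default gateway has been taken over by a rogue on the same access switch, never hit it. The topology (one distribution switch, two access switches), the guest subnet 10.22.0.0/24, the host names and addresses, and the assumed ACL body `permit ip <guest subnet> <guest subnet>` are all assumptions; only the two-sequence shape of the access map follows the posted configuration.

```python
"""Where a VLAN access map is actually enforced. Constructed example, not from
the thread: one distribution switch carrying the VACL, two access switches.
Subnets, host addresses and the body of deny-guest-wifi are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

GUEST_VLAN = 22
VLAN_SUBNETS = {GUEST_VLAN: ip_network("10.22.0.0/24"),   # assumed addressing
                30: ip_network("10.30.0.0/24")}           # an internal VLAN behind the gateway

@dataclass
class Switch:
    name: str
    vacl_vlans: set = field(default_factory=set)  # VLANs with 'vlan filter Guest-wifi'
    uplink: Optional[str] = None                  # access switch -> its distribution switch

@dataclass
class Host:
    name: str
    ip: str
    vlan: int
    switch: str                                   # access switch the host hangs off

def acl_deny_guest_wifi(src_ip: str, dst_ip: str) -> bool:
    """Assumed body of 'ip access-list extended deny-guest-wifi':
    permit ip <guest subnet> <guest subnet>, i.e. guest-to-guest traffic only."""
    net = VLAN_SUBNETS[GUEST_VLAN]
    return ip_address(src_ip) in net and ip_address(dst_ip) in net

def vacl_guest_wifi(src_ip: str, dst_ip: str) -> str:
    """'vlan access-map Guest-wifi' in sequence order: seq 10 matches the ACL and
    drops; seq 20 has no match clause, so it forwards everything else. Without
    seq 20 the map would end in an implicit deny and drop all other traffic."""
    return "drop" if acl_deny_guest_wifi(src_ip, dst_ip) else "forward"

def l2_path(src: Host, dst_switch: str, switches: dict) -> list:
    """Switches a frame crosses from src to a device on dst_switch, same VLAN.
    On the same access switch it is bridged locally; otherwise it goes up the uplink."""
    if src.switch == dst_switch:
        return [src.switch]
    dist = switches[src.switch].uplink
    return [src.switch, dist] if dist == dst_switch else [src.switch, dist, dst_switch]

def forward(src: Host, dst_ip: str, switches: dict, hosts: dict, gateway: dict) -> dict:
    """VLAN-22 L2 leg of a flow and whether any VACL on that leg sees it. gateway maps
    vlan -> device answering ARP for the default gateway (normally the distribution
    SVI; a rogue host after a gratuitous-ARP takeover)."""
    if ip_address(dst_ip) in VLAN_SUBNETS[src.vlan]:
        # Same subnet: src ARPs for dst directly; the gateway is never involved.
        dst_host = next((h for h in hosts.values() if h.ip == dst_ip), None)
        if dst_host is None:
            raise ValueError(f"no host with address {dst_ip}")
        target = dst_host.switch
    else:
        # Off subnet: the frame goes to whoever owns the gateway MAC right now.
        owner = gateway[src.vlan]
        target = owner if owner in switches else hosts[owner].switch
    path = l2_path(src, target, switches)
    enforcing = [s for s in path if src.vlan in switches[s].vacl_vlans]
    verdict = vacl_guest_wifi(src.ip, dst_ip) if enforcing else "forward (no VACL on path)"
    return {"path": path, "vacl_on": enforcing, "verdict": verdict}

def enforcement_gaps(switches: dict, hosts: dict, vlan: int) -> list:
    """Access switches carrying the VLAN without the VACL: two hosts on one of these
    can exchange traffic that no access map ever evaluates."""
    carrying = {h.switch for h in hosts.values() if h.vlan == vlan}
    return sorted(s for s in carrying if vlan not in switches[s].vacl_vlans)

def with_vacl_on_access(switches: dict, vlan: int) -> dict:
    """Same topology with 'vlan filter Guest-wifi vlan-list 22' on every switch."""
    return {n: Switch(s.name, s.vacl_vlans | {vlan}, s.uplink) for n, s in switches.items()}

# Constructed topology: "dist-1" plays the 4500 that carries the VACL.
SWITCHES = {"dist-1": Switch("dist-1", vacl_vlans={GUEST_VLAN}),
            "access-1": Switch("access-1", uplink="dist-1"),
            "access-2": Switch("access-2", uplink="dist-1")}
HOSTS = {"guestA": Host("guestA", "10.22.0.11", GUEST_VLAN, "access-1"),
         "guestB": Host("guestB", "10.22.0.12", GUEST_VLAN, "access-1"),
         "guestC": Host("guestC", "10.22.0.13", GUEST_VLAN, "access-2"),
         "rogue": Host("rogue", "10.22.0.99", GUEST_VLAN, "access-1")}  # dual-NIC box
NORMAL_GW = {GUEST_VLAN: "dist-1"}   # SVI for VLAN 22 lives on the distribution switch
POISONED_GW = {GUEST_VLAN: "rogue"}  # rogue now answers ARP for the gateway address

if __name__ == "__main__":
    a = HOSTS["guestA"]
    for label, dst, gw in [("A->B, same access switch", "10.22.0.12", NORMAL_GW),
                           ("A->C, other access switch", "10.22.0.13", NORMAL_GW),
                           ("A->10.30.0.5 via real gateway", "10.30.0.5", NORMAL_GW),
                           ("A->10.30.0.5 via rogue gateway", "10.30.0.5", POISONED_GW)]:
        r = forward(a, dst, SWITCHES, HOSTS, gw)
        print(f"{label:32} path={r['path']} vacl_on={r['vacl_on']} -> {r['verdict']}")
    print("switches without the VACL:", enforcement_gaps(SWITCHES, HOSTS, GUEST_VLAN))
    fixed = with_vacl_on_access(SWITCHES, GUEST_VLAN)
    print("A->B once the access switches filter too:",
          forward(a, "10.22.0.12", fixed, HOSTS, NORMAL_GW)["verdict"])
```

Run stand-alone, the model shows guestA to guestB staying on access-1 with no access map on the path (forwarded, which is the case the follow-up asks about), guestA to guestC crossing dist-1 and being dropped, and off-subnet traffic reaching the real gateway being forwarded because the assumed ACL only matches guest-to-guest addresses. `enforcement_gaps` lists the access switches that carry VLAN 22 but evaluate no VACL; once the same `vlan filter` is applied there as well (where the access platform supports VLAN access maps), the guestA to guestB flow is dropped. The rogue-gateway case still forwards even then, since this ACL shape never matches an off-subnet destination, which is the point of the reply that a spoofed gateway defeats this particular control.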