vlan filter [access-map] vlan-list [id]
Applies a VLAN access-map to filter traffic in a specified VLAN list, controlling which packets are forwarded or dropped based on configured match clauses.
When to Use This Command
- Restrict inter-VLAN routing by filtering specific traffic between VLANs 10 and 20 using an access-map that matches source IP subnets.
- Block all traffic from a guest VLAN (e.g., VLAN 100) to a corporate server VLAN (VLAN 200) while allowing return traffic.
- Selectively permit or deny traffic based on Layer 3 or Layer 4 criteria within a VLAN, such as blocking Telnet but allowing SSH.
- Apply a temporary security policy to a set of VLANs during a network audit without changing ACLs on interfaces.
Command Examples
Apply VLAN access-map to filter traffic in VLANs 10-20
vlan filter SECURITY_MAP vlan-list 10-20
This command applies the VLAN access-map named SECURITY_MAP to VLANs 10 through 20. No output is displayed if the command is accepted; use 'show vlan filter' to verify.
Apply VLAN access-map to multiple specific VLANs
vlan filter BLOCK_GUEST vlan-list 100,200,300
Applies the access-map BLOCK_GUEST to VLANs 100, 200, and 300. The command succeeds silently; verify with 'show vlan filter'.
Understanding the Output
The 'vlan filter' command itself produces no output. To verify the applied filter, use 'show vlan filter'. The output shows the access-map name and the VLAN list it is applied to. For example: 'VLAN access-map SECURITY_MAP is filtering VLANs 10-20'. If no filter is applied, the output will be empty. In a real network, you should check that the correct access-map is associated with the intended VLANs. A missing or incorrect filter could lead to security breaches or unintended traffic blocking.
CCNA Exam Tips
CCNA 200-301 may test that 'vlan filter' is applied in global config mode, not interface config.
Remember that VLAN access-maps use 'match' and 'action' statements; the filter command only activates the map on a VLAN list.
The 'vlan-list' parameter can specify ranges (e.g., 10-20) or individual VLANs separated by commas.
Be aware that 'vlan filter' does not affect traffic within the same VLAN; it filters traffic entering or leaving the VLAN (e.g., inter-VLAN routing).
Common Mistakes
Applying the filter under interface configuration mode instead of global configuration mode.
Forgetting to create the VLAN access-map before applying the filter, resulting in no filtering.
Using 'vlan filter' without specifying a VLAN list, which is required.
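One way to catch the second mistake above before a change is deployed, as an added example that is not part of the original page: a Python check that parses a configuration and flags any 'vlan filter' that references an access-map that was never defined. The sample configuration, the ACL name TELNET_TRAFFIC, and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the original page).
# SECURITY_MAP drops Telnet and forwards everything else; BLOCK_GUEST is
# applied with 'vlan filter' but its access-map is never defined.
SAMPLE_CONFIG = """\
ip access-list extended TELNET_TRAFFIC
 permit tcp any any eq telnet
!
vlan access-map SECURITY_MAP 10
 match ip address TELNET_TRAFFIC
 action drop
vlan access-map SECURITY_MAP 20
 action forward
!
vlan filter SECURITY_MAP vlan-list 10-20
vlan filter BLOCK_GUEST vlan-list 100,200,300
"""


def expand_vlan_list(spec):
    """Expand '10-20', '100,200,300' or a mix into a sorted list of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)


def audit_vlan_filters(config):
    """Return (filters, undefined): map name -> VLAN IDs, and maps applied but not defined."""
    defined = set(re.findall(r"^vlan access-map (\S+)", config, re.M))
    filters = {}
    for name, spec in re.findall(r"^vlan filter (\S+) vlan-list (\S+)", config, re.M):
        filters.setdefault(name, []).extend(expand_vlan_list(spec))
    undefined = sorted(name for name in filters if name not in defined)
    return filters, undefined


if __name__ == "__main__":
    filters, undefined = audit_vlan_filters(SAMPLE_CONFIG)
    for name, vlans in filters.items():
        state = "UNDEFINED access-map" if name in undefined else "ok"
        print(f"{name}: VLANs {vlans} [{state}]")
```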