What Is VLAN Access Map in Networking?
Also known as: VLAN Access Map, Cisco VLAN Access Map, inter-VLAN filtering, CCNP ENCOR, Cisco access map
Quick Definition
A VLAN Access Map is like a set of traffic rules for a specific VLAN inside a network switch. It decides which packets are allowed to move from one VLAN to another and which are blocked. It works similarly to a security guard checking IDs at a door, letting some people through and stopping others based on the rules you set. This helps network engineers control traffic without needing a separate firewall for every VLAN.
Must Know for Exams
The VLAN Access Map topic is specifically tested in the Cisco CCNP Enterprise core exam 350-401 ENCOR, under the section 'Infrastructure Security' or 'Layer 2 Security'. Cisco expects candidates to understand the difference between VLAN Access Maps, VACLs (VLAN ACLs), and standard ACLs as they apply to inter-VLAN routing. Exam objectives include configuring and verifying VLAN Access Maps to filter traffic between VLANs.
Multiple-choice questions often present a scenario where traffic between two VLANs is being blocked, and the candidate must identify that a VLAN Access Map with a default drop action is the cause. In simulation or lab-style questions, candidates may be asked to configure a VLAN Access Map to allow specific traffic (e.g., HTTP from VLAN 10 to VLAN 20) while denying all other traffic. The exam also tests understanding of the order of operations: VLAN Access Maps are applied to source VLANs and evaluated before the routing decision. They also test the default behaviour: if no match is found in any entry, the packet is dropped, which is the opposite of standard ACLs.
Candidates must know the configuration sequence: create ACL, create VLAN access map with sequence, assign match clause, assign action, then apply with vlan filter. The term may appear in questions about troubleshooting inter-VLAN connectivity. A typical exam trap is to confuse VLAN Access Maps with VACLs.
VACLs filter traffic within a VLAN (both intra-VLAN and inter-VLAN) and are applied using a different command (vlan access-map is not used for VACLs). Another trap is forgetting that VLAN Access Maps only affect routed traffic between VLANs, not traffic that stays within the same VLAN. The ENCOR exam blueprint explicitly mentions 'VLAN Access Maps' as a topic, so it is high priority for study.
Additionally, the SCOR (Security) exam may touch on this as part of network segmentation. Therefore, learners should practise configuration and verification commands on Packet Tracer or real equipment to be exam-ready.
Simple Meaning
Imagine you work in a large office building with many different departments, each on a separate floor. Each floor is like a VLAN, a virtual local area network that keeps each department's network traffic separate for security and organization. Now, sometimes people on different floors need to share documents, send emails, or access a shared printer.
But you do not want everyone to have free access to every floor because the finance department has sensitive data that the marketing team should not see. A VLAN Access Map is like a security checkpoint at the stairwell door between floors. You can write a policy: Only allow people with a blue badge (meaning they are from engineering) to enter the server room floor, but block anyone with a red badge from the finance floor.
In networking terms, a VLAN Access Map uses rules that say: If a packet comes from VLAN 10 and matches certain conditions (like a specific IP address or type of traffic), then forward it to VLAN 20. If it matches other conditions, drop it. This is more flexible than a simple yes-or-no rule because you can have multiple conditions and actions.
For example, you can let HTTP traffic pass but block FTP traffic. You can also log when someone tries to send a forbidden packet. This gives network administrators fine-grained control over inter-VLAN traffic without needing a router or firewall for every pair of VLANs.
It is a powerful tool for enforcing security policies inside a switched network, especially in enterprise environments where many departments share the same physical switches but need strict separation.
Full Technical Definition
A VLAN Access Map is a Cisco proprietary feature available on Catalyst switches running IOS or IOS-XE. It provides a mechanism to filter traffic from a VLAN as it is routed to another VLAN, known as inter-VLAN routing. Unlike a standard ACL (Access Control List) that is applied to an interface or a VLAN interface (SVI), a VLAN Access Map is applied to the VLAN itself, affecting all traffic that enters or leaves that VLAN when routed to another VLAN.
The map consists of one or more map entries, each with a sequence number for ordering. Each entry has a match clause and an action clause. The match clause can reference an IP ACL or MAC ACL, or match on L3/L4 fields directly.
The action clause can be either forward or drop. Multiple entries are evaluated in order of their sequence numbers, similar to a route map or a policy map. When a packet enters a VLAN and is destined for another VLAN (i.e., it requires routing), the switch checks the VLAN Access Map assigned to the source VLAN. If the packet matches an entry, the corresponding action is taken. If no match is found, the default action is to drop the packet.
This is different from standard ACLs, which have an implicit permit at the end for most cases. The explicit default drop makes VLAN Access Maps more secure by design. Configuration involves three steps: first, define the access list(s) that specify traffic patterns.
Second, create the VLAN Access Map using the global configuration command vlan access-map <map-name> [sequence number]. Third, assign the map to a VLAN using the command vlan filter <map-name> vlan-list <vlan-id>. VLAN Access Maps operate at Layer 3 and Layer 4 of the OSI model, inspecting packet headers for source/destination IP, protocol, and port numbers.
They can also match on MAC addresses using MAC ACLs. This feature is commonly used to enforce security policies in campus networks, such as blocking certain traffic from guest VLANs to internal VLANs, or restricting access to sensitive servers. It is part of the Cisco Catalyst switch security toolkit, alongside Private VLANs, VACLs (VLAN ACLs – which are different from VLAN Access Maps), and PACLs (Port ACLs).
It is important to note that VLAN Access Maps do not affect traffic within the same VLAN (intra-VLAN traffic); they only apply to routed traffic between VLANs. For intra-VLAN filtering, a VACL or port ACL is used.
Real-Life Example
Think of a large hospital with different wings: the Emergency Wing (VLAN 10), the Surgery Wing (VLAN 20), and the Pharmacy Wing (VLAN 30). Each wing has its own network for staff, patients, and equipment. Doctors from Surgery sometimes need to access patient records stored in the Emergency Department’s database, but nurses from Emergency should not have access to the Pharmacy’s controlled substance inventory system.
To enforce these rules, the hospital security team sets up a VLAN Access Map. This map acts like a security desk at the entrance of each wing. For VLAN 10 (Emergency), the map says: If a packet comes from a Surgery doctor’s device (identified by its IP address), allow it to pass to the database server in VLAN 10.
But if a packet comes from a Pharmacy device trying to reach the patient records, block it because it is not authorized. Similarly, on VLAN 30 (Pharmacy), the map allows only authorized pharmacy staff to access the inventory system and blocks all other traffic. The security desk does not check every single packet – that would be too slow – but it checks the first packet of every connection.
Once allowed, the connection proceeds. This is exactly how a VLAN Access Map works: it filters inter-VLAN traffic at the switch level, using match conditions and forward/drop actions. The hospital can change the rules quickly without rewiring the network, just by updating the access map.
This is much easier than installing a physical firewall between every pair of wings. The VLAN Access Map provides centralised, flexible traffic control that scales to the entire network.
Why This Term Matters
In real IT work, especially in enterprise and campus networks, security and traffic segmentation are critical. VLANs separate broadcast domains and create logical groups, but they do not inherently block traffic between VLANs. Routers or Layer 3 switches forward inter-VLAN traffic by default.
Without additional controls, a user in a guest VLAN could potentially reach a server in a finance VLAN. VLAN Access Maps give network engineers a way to enforce security policies at the switch level, close to the traffic source. This reduces latency compared to sending traffic through a central firewall.
It also offloads filtering from the router or firewall, preserving those devices for other tasks. VLAN Access Maps are particularly useful for implementing micro-segmentation in environments where a full firewall architecture is too expensive or complex. For example, a school network might have separate VLANs for students, teachers, and administrative staff.
A VLAN Access Map can allow teachers to access student records but block students from accessing admin systems. In cloud and data centre environments, while VLANs are less common, the concept is analogous to security groups or network policies used in virtualised networks. Understanding VLAN Access Maps is essential for passing Cisco CCNP Enterprise exams such as ENCOR, where configuring advanced security features on switches is a core objective.
It also appears in troubleshooting scenarios where inter-VLAN connectivity fails unexpectedly. A network engineer who knows how VLAN Access Maps work can quickly diagnose whether a filter is blocking traffic. They can also design networks that are both secure and efficient.
Moreover, VLAN Access Maps are a step up from basic ACLs. They allow more granular control because the same map can contain multiple match sequences with different actions. This makes them a versatile tool for security policy enforcement.
In summary, VLAN Access Maps matter because they enable precise inter-VLAN filtering without additional hardware, directly impacting network security and performance in real-world deployments.
How It Appears in Exam Questions
Exam questions about VLAN Access Maps appear in several formats. The most common is the scenario-based multiple-choice question. For example: 'A network administrator notices that hosts in VLAN 10 cannot reach a server in VLAN 20 even though routing is configured correctly.
The administrator checks the configuration and finds a VLAN Access Map applied to VLAN 10. What is the most likely cause?' The answer choices might include 'The VLAN Access Map drops all traffic by default', 'The ACL in the map does not match the server IP', or 'The map is missing a forward entry'.
Another type is the ordering question: 'Which action does a switch take if a packet does not match any entry in a VLAN Access Map?' The correct answer is 'Drop the packet'. Configuration questions ask candidates to select the correct commands to permit traffic.
For instance: 'Given the requirement to allow only HTTPS traffic from VLAN 10 to VLAN 20, which configuration steps are correct?' Candidates must know that you first create an extended ACL permitting TCP port 443, then create a VLAN access map with a match clause referencing that ACL, and assign the action forward. Another variation is the verification question: 'Which command shows the VLAN Access Map configuration and which VLAN it is applied to?'
The answer is 'show vlan access-map' or 'show vlan filter'. Troubleshooting questions often present a truncated show running-config and ask why certain traffic fails. For example, the config shows 'vlan access-map FILTER 10 match ip address 100 action drop' but there is no entry 20 to permit anything.
The question: 'Hosts on VLAN 10 can only communicate with which networks?' Understanding that the default action is drop helps answer that they cannot communicate with any other VLAN. Some advanced questions combine VLAN Access Maps with route maps or PBR (Policy Based Routing) to test differentiation.
For the CCNP ENCOR exam, candidates should also be prepared for drag-and-drop ordering tasks where they match command parts to their functions. The key is to know the configuration workflow and the implicit default drop. Practice with simulation software is highly recommended to solidify these concepts.
Example Scenario
A small company has three departments: Sales (VLAN 10), Engineering (VLAN 20), and Management (VLAN 30). The company uses a single Layer 3 switch that routes between these VLANs. The network administrator wants to allow the Engineering team to access a file server in the Management VLAN, but block all other inter-VLAN traffic for security reasons.
The administrator configures a VLAN Access Map called SECURE. First, they create an extended ACL named ENG-TO-MGMT that permits traffic from the Engineering network (192.168.20.0/24) to the Management file server (192.168.30.10) on TCP port 445 (SMB). Then they create the VLAN Access Map: 'vlan access-map SECURE 10 match ip address ENG-TO-MGMT action forward'. This means that packets from VLAN 20 that match the ACL are forwarded.
Since there are no other entries, any other traffic from VLAN 20 to other VLANs will be dropped by default. Next, they assign the map to VLAN 20 with 'vlan filter SECURE vlan-list 20'. Now, when an Engineering user tries to access the file server, the switch checks the VLAN Access Map on source VLAN 20, finds a match, and forwards the traffic.
If a Sales user tries to reach the Management server, the source VLAN is 10, and no VLAN Access Map is applied to VLAN 10, so normal routing rules apply. But if the administrator wants to also block other traffic from VLAN 10, they can apply a different map to VLAN 10. This scenario demonstrates how VLAN Access Maps provide targeted filtering at the source VLAN level, giving precise control without affecting other traffic flows.
Common Mistakes
Assuming VLAN Access Maps filter traffic within the same VLAN (intra-VLAN traffic).
VLAN Access Maps only apply to traffic that is routed between VLANs. Traffic that stays within the same VLAN (same broadcast domain) is not processed by this feature. For intra-VLAN filtering, a VACL or port ACL is needed.
Remember: VLAN Access Maps are for inter-VLAN routing. If you need to block traffic between two hosts in the same VLAN, use a VACL or a port ACL.
Forgetting that the default action in a VLAN Access Map is to drop packets that do not match any entry.
Many learners compare VLAN Access Maps to standard ACLs, which have an implicit permit at the end. VLAN Access Maps have an implicit deny (drop) as the default. This means if you configure a map with only a drop entry, all traffic (except matched traffic, if any) will be dropped.
Always include a 'forward' entry for the traffic you want to permit. If you need to permit all other traffic after applying specific denies, add a final entry with 'match ip address any action forward'.
Applying the VLAN Access Map to the destination VLAN instead of the source VLAN.
The 'vlan filter' command with a VLAN Access Map must specify the VLAN where the traffic originates. The map filters traffic as it exits the source VLAN to be routed to another VLAN. Applying it to the destination VLAN would not effectively filter the traffic entering that VLAN from other VLANs.
Identify the VLAN that contains the hosts or devices initiating the traffic. Apply the VLAN filter to that specific source VLAN list.
Confusing VLAN Access Maps with VACLs (VLAN ACLs).
Though similar in name, VLAN Access Maps and VACLs are different features. VLAN Access Maps are configured using 'vlan access-map' and 'vlan filter' commands, and they filter routed traffic. VACLs use the 'vlan access-map' command as well, but are applied with 'vlan filter' to control both bridged and routed traffic within a VLAN. The term 'VACL' is an older term for VLAN ACL, and Cisco's newer documentation distinguishes them.
In modern Cisco IOS, remember: 'vlan access-map' + 'vlan filter' = VLAN Access Map for inter-VLAN routing. If you need to filter all traffic entering or leaving a VLAN (including intra-VLAN), research VACLs separately.
Thinking that VLAN Access Maps can filter traffic based on MAC addresses only.
While VLAN Access Maps can reference MAC ACLs, they are primarily designed for IP-based filtering (Layer 3/4). Using MAC ACLs limits the granularity and is less common in exam scenarios. The default match clause uses IP ACLs.
Stick with IP ACLs for VLAN Access Maps unless the exam specifically mentions MAC filtering. MAC ACLs are better suited for VACLs or port ACLs.
Exam Trap — Don't Get Fooled
The exam presents a configuration where a VLAN Access Map has a single entry that denies certain traffic, and then asks what happens to other traffic. Learners often think that because one deny entry exists, all other traffic is permitted. They forget the implicit default drop at the end of a VLAN Access Map.
Memorise this rule: VLAN Access Maps have an implicit deny (drop) at the end unless you explicitly add a permit entry. Always read the full configuration. When troubleshooting, check the 'show vlan access-map' output for all sequence numbers.
If there is no final 'forward' entry for all traffic, any unmatched packet is dropped.
Commonly Confused With
VACL (VLAN ACL)
VLAN Access Maps filter traffic between VLANs during routing, while VACLs filter traffic within a VLAN (both intra-VLAN and inter-VLAN) using the same configuration command 'vlan access-map' but with different application. VACLs are applied to all traffic entering or leaving a VLAN, while VLAN Access Maps are specifically for routed traffic between VLANs.
To block a specific host from accessing the internet through VLAN 10, you use a VACL. To block traffic from VLAN 10 to VLAN 20 except for email, you use a VLAN Access Map.
Standard ACL
Standard ACLs filter based only on source IP address and are applied to interfaces (routed interfaces or SVIs). VLAN Access Maps filter based on source/destination IP, protocol, and port, and are applied to the VLAN itself. Also, standard ACLs implicitly permit all unmatched traffic, while VLAN Access Maps implicitly drop.
A standard ACL on interface VLAN 10 permits traffic from 192.168.1.0/24. A VLAN Access Map on VLAN 10 can permit HTTP to 10.0.0.1 and drop everything else to any destination.
Private VLAN (PVLAN)
Private VLANs provide Layer 2 isolation within a VLAN by designating ports as isolated, community, or promiscuous. VLAN Access Maps work at Layer 3/4 to control routed traffic between VLANs. PVLANs restrict traffic at Layer 2, while VLAN Access Maps work after routing occurs.
PVLANs prevent a user in a community VLAN from talking to another user in the same community. VLAN Access Maps allow or block traffic from that community VLAN to a server VLAN based on application type.
Route Map
Route maps are used for policy-based routing and route redistribution. They can match on attributes like next hop or route tag and set attributes like metric. VLAN Access Maps only allow forward or drop actions on packets, not route manipulation.
A route map can send HTTP traffic from VLAN 10 to a different next hop. A VLAN Access Map can only decide to forward or drop that same HTTP traffic.
Step-by-Step Breakdown
Identify source VLAN and traffic flow
Determine which VLAN will be filtered. The VLAN Access Map is applied to the source VLAN of inter-VLAN traffic. For example, if you want to control traffic from VLAN 10 to VLAN 20, the map is applied to VLAN 10.
Create an IP ACL to match the traffic
Define an extended ACL (or standard ACL) that specifies the exact traffic to be filtered. This includes source/destination IP addresses, protocols (TCP/UDP/ICMP), and port numbers. The ACL is the match condition for the VLAN Access Map.
Create the VLAN Access Map with a sequence number
Use the global command 'vlan access-map MAP_NAME 10'. This creates an entry with sequence number 10. The sequence number determines evaluation order. Multiple entries can be added with different sequence numbers.
Add match and action clauses to the map entry
Use 'match ip address ACL_NAME' to link the ACL. Then use 'action forward' or 'action drop' to specify what happens to matched packets. For example, match traffic from the ACL and forward it.
Apply the map to the source VLAN using vlan filter
Execute 'vlan filter MAP_NAME vlan-list VLAN_ID'. This applies the VLAN Access Map to all traffic exiting the specified VLAN when routed to another VLAN. The map takes effect immediately.
Verify the configuration
Use 'show vlan access-map' to see the map entries and their actions. Use 'show vlan filter' to confirm which VLANs have maps applied. Also, test connectivity between VLANs to confirm the filtering works as intended.
Practical Mini-Lesson
A VLAN Access Map is an essential tool for network security in multi-VLAN environments. To master it, you need to understand its role as a traffic filter for inter-VLAN routing. Start by recognising that any Layer 3 switch can route between VLANs through SVIs (Switched Virtual Interfaces).
By default, routing between VLANs is unrestricted. VLAN Access Maps add a security layer without requiring an external firewall. In practice, you will often use VLAN Access Maps in campus networks to enforce policies like 'Guest VLAN can only access internet, not internal servers' or 'IoT VLAN can only talk to management server on specific ports'.
Configuration is done in global configuration mode. First, create a standard or extended ACL. For example, 'ip access-list extended GUEST_TO_INTERNET permit ip 192.168.100.0 0.0.0.255 any'.
Then create the VLAN Access Map: 'vlan access-map GUEST_FILTER 10 match ip address GUEST_TO_INTERNET action forward'. This allows guest traffic to go anywhere on the internet. If you want to block everything else, you do not need another entry because the default is drop.
But if you want to allow guest to reach a DNS server, add another entry with a higher sequence number, like 'vlan access-map GUEST_FILTER 20 match ip address GUEST_TO_DNS action forward' and then add a final entry 'vlan access-map GUEST_FILTER 30 match ip address any action drop' to explicitly block other traffic. Apply to the guest VLAN: 'vlan filter GUEST_FILTER vlan-list 100'. One common pitfall is forgetting that VLAN Access Maps do not affect traffic within the same VLAN.
If two hosts in VLAN 100 need to be isolated, use private VLANs or a VACL. Also, note that VLAN Access Maps can cause unexpected drops if the ACL omits a protocol the hosts need (ARP, being Layer 2, is not affected). For troubleshooting, use 'show vlan filter' and 'show vlan access-map' to check application and entries.
Use 'debug vlan access-map' cautiously on a lab device. In production, verify via test pings and traffic flows. The broader IT context is that VLAN Access Maps complement other security tools like firewalls, NAC (Network Access Control), and 802.1X. They are a first layer of defence at the switch level. Understanding them deepens your knowledge of how switches process traffic and enforces the principle of least privilege in network design.
Practising on Cisco Packet Tracer or GNS3 with VLAN configurations is highly recommended to build muscle memory for exam and real-world scenarios.
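As an added example (not from this page and not Cisco code), the following Python model walks a VLAN Access Map the way the Example Scenario and the Practical Mini-Lesson describe: it parses the 'ip access-list extended', 'vlan access-map' and 'vlan filter' lines, checks entries in sequence order, treats an ACL as a match only when its first matching line is a permit, and falls through to the implicit drop. The SECURE map reproduces the Engineering-to-Management scenario; the SALES map is the exam trap of a map with only a drop entry, and CONFIG_FIXED adds the catch-all forward entry that resolves it. All ACL and map names, VLAN numbers and addresses are constructed for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")  # proto: ip, tcp, udp or icmp
Ace = namedtuple("Ace", "permit proto src dst dport")  # one line of an extended IP ACL

def _net(tok):
    """Pop one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tok.pop(0))  # a bare address is a /32
    return ipaddress.IPv4Network(f"{t}/{tok.pop(0)}", strict=False)  # wildcard = hostmask

def parse(text):
    """Parse the ACL, access-map and vlan-filter lines used on this page into
    (acls: name -> [Ace], maps: name -> {seq: [acl or None, action]}, filters: vlan -> map)."""
    acls, maps, filters, acl, entry = {}, {}, {}, None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            acl, entry = acls.setdefault(tok[3], []), None
        elif tok[0] in ("permit", "deny") and acl is not None:
            rest = tok[2:]
            src, dst = _net(rest), _net(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            acl.append(Ace(tok[0] == "permit", tok[1], src, dst, dport))
        elif tok[:2] == ["vlan", "access-map"]:
            # an entry with no action clause defaults to forward on IOS
            entry = maps.setdefault(tok[2], {}).setdefault(int(tok[3]), [None, "forward"])
            acl = None
        elif tok[:3] == ["match", "ip", "address"] and entry is not None:
            entry[0] = tok[3]
        elif tok[0] == "action" and entry is not None:
            entry[1] = tok[1]
        elif tok[:2] == ["vlan", "filter"]:
            for vid in tok[4].split(","):
                filters[int(vid)] = tok[2]
    return acls, maps, filters

def acl_matches(acls, name, p):
    """Inside an access-map an ACL 'matches' only when the first ACE hit is a permit."""
    for ace in acls.get(name, []):
        if ((ace.proto == "ip" or ace.proto == p.proto)
                and (ace.dport is None or ace.dport == p.dport)
                and ipaddress.ip_address(p.src) in ace.src
                and ipaddress.ip_address(p.dst) in ace.dst):
            return ace.permit  # a deny ACE means "no match here", not "drop"
    return False  # no ACE hit: no match, go on to the next map entry

def evaluate(cfg, src_vlan, p):
    """Return 'forward' or 'drop' for a packet leaving src_vlan to be routed elsewhere."""
    acls, maps, filters = cfg
    name = filters.get(src_vlan)
    if name is None:
        return "forward"  # no map on this VLAN: normal routing applies
    for seq in sorted(maps[name]):  # entries are checked in sequence-number order
        acl, action = maps[name][seq]
        if acl is None or acl_matches(acls, acl, p):  # no match clause = matches all
            return action
    return "drop"  # implicit default when no entry matched

# Constructed config: SECURE follows the page's Example Scenario (Engineering VLAN 20 may
# reach the Management file server on SMB only); SALES is the exam trap, a lone drop entry.
CONFIG = """
ip access-list extended ENG-TO-MGMT
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.30.10 eq 445
ip access-list extended TELNET
 permit tcp any any eq 23
vlan access-map SECURE 10
 match ip address ENG-TO-MGMT
 action forward
vlan access-map SALES 10
 match ip address TELNET
 action drop
vlan filter SECURE vlan-list 20
vlan filter SALES vlan-list 10
"""
CONFIG_FIXED = CONFIG + "vlan access-map SALES 20\n action forward\n"  # catch-all forward entry
```

With CONFIG, every non-Telnet packet from VLAN 10 is dropped because nothing matches and the default applies; CONFIG_FIXED forwards it through entry 20.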
Memory Tip
Think of the default action as 'Drop all unless specifically allowed'. The acronym 'A-MAP' can help: Apply to source VLAN, Match with ACL, Action forward/drop, Packet filtered.
Frequently Asked Questions
Can a VLAN Access Map be applied to a range of VLANs?
Yes, the 'vlan filter' command allows you to specify a list of VLANs, such as 'vlan filter MAP vlan-list 10,20,30'. The map applies to each VLAN in the list individually.
Does a VLAN Access Map affect traffic that is not being routed (same VLAN)?
No, VLAN Access Maps only apply to traffic that is being routed between VLANs. Intra-VLAN traffic (same VLAN) is switched at Layer 2 and is not processed by the map.
What is the default action if a packet does not match any entry in a VLAN Access Map?
The default action is to drop the packet. This is different from standard ACLs that have an implicit permit at the end.
Can I use a VLAN Access Map to filter traffic based on MAC addresses?
Yes, you can use MAC ACLs with VLAN Access Maps, but they are less common. The 'match mac address' clause allows you to reference a MAC ACL. However, for exam and practice, IP-based ACLs are standard.
How do I verify if a VLAN Access Map is applied to a VLAN?
Use the command 'show vlan filter' to see which VLANs have an access map applied. Use 'show vlan access-map' to view the map details and entries.
Can a VLAN Access Map be used with voice VLANs?
Yes, it can be applied to any VLAN, including voice VLANs, to control inter-VLAN traffic. However, be careful not to block essential services like DHCP or call signalling.
What is the difference between VLAN Access Map and VACL?
In modern Cisco terminology, VLAN Access Maps filter routed traffic between VLANs, while VACLs (VLAN ACLs) filter all traffic entering or leaving a VLAN, including bridged and routed traffic. Both use the 'vlan access-map' command but the application context differs.
Summary
A VLAN Access Map is a Cisco switching feature that provides granular control over inter-VLAN routed traffic by applying match-action rules to packets exiting a source VLAN. It uses IP ACLs to define traffic patterns and allows actions of forward or drop, with an implicit drop for unmatched packets. This feature is critical for network security in campus and enterprise environments where multiple VLANs need selective communication.
For the Cisco CCNP ENCOR exam, understanding how to configure, verify, and troubleshoot VLAN Access Maps is essential, as it appears in scenario-based questions and configuration simulations. The common mistakes include confusing it with VACLs, forgetting the default drop action, and applying the map to the wrong VLAN. By mastering this concept, you gain a deeper insight into switch-based security and become better prepared for both the exam and real-world network administration.
Always remember to think of VLAN Access Maps as security checkpoints at the VLAN boundaries, ensuring only authorised traffic passes through.