Using VLAN Maps

September 23, 2016 | Views: 5003


VLAN Maps are used to filter or redirect traffic in a VLAN, giving you more granular control over the traffic.


Steps to Configuring a VLAN Map


  1. Determine what you want to accomplish: It is vital to know what you want to achieve prior to the configuration. This will save you lots of headaches in the actual implementation.
  2. Write an Access List: What kind of access list you will use depends on what you want to do. The most common is the IP Access List. Of course, if you want to match just the source IP address, a Standard Access List is sufficient. However, for protocol filtering an Extended Access List is needed. Keep in mind that the access list must permit the traffic you want to manipulate: in a VLAN Map, a permit entry selects traffic for the map's action rather than letting it through.
  3. Create a VLAN Map: This is where you will use your access list to match the traffic you want to handle, and set actions for that traffic. Keep in mind that a VLAN Map works similarly to route maps and access lists. By default it discards traffic that has no match, so be sure to allow the traffic that needs to traverse your VLAN.
  4. Apply the VLAN Map to a VLAN: Here you can apply your VLAN Map to one VLAN or a list of VLANs. The VLAN Map will not work unless applied to a VLAN.



Your company policy states that telnet traffic should not be allowed on VLAN 10 for security purposes, but all other traffic should be allowed.

This is where you get to configure a VLAN map to meet the requirements:

(step 1) Objectives: Telnet traffic should be restricted for all hosts in VLAN 10.


We will need an extended access list to match telnet traffic.


A VLAN map name will also be required: it will be named “NO_TELNET”.


Next we must ensure that other traffic will be allowed.


Lastly, we will apply our VLAN map to VLAN 10.


(step 2) Implementation: 

SwitchABC(config)#access-list 101 permit tcp any any eq telnet
! this access list permits (that is, matches) the traffic we want to filter
SwitchABC(config)#vlan access-map NO_TELNET 10
! we have created the VLAN map
SwitchABC(config-access-map)#match ip address 101
! we are using the access list we created before
SwitchABC(config-access-map)#action drop
! anything that matches the access list will be dropped
SwitchABC(config-access-map)#vlan access-map NO_TELNET 20
SwitchABC(config-access-map)#action forward
! with no match statement, everything matches, so with this action all other traffic is allowed
SwitchABC(config-access-map)#exit
SwitchABC(config)#vlan filter NO_TELNET vlan-list 10
! now we have applied the VLAN map to VLAN 10 and our job is done 🙂
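
The two pitfalls from steps 3 and 4 (no catch-all forward entry, and a map that was never applied) can be checked offline against saved configuration text. This is an added example, not part of the original article: `audit_vlan_maps` is a hypothetical helper, and `LAB_MAP` with access list 150 is constructed sample data.

```python
import re

# Constructed sample: NO_TELNET is the page's map; LAB_MAP is hypothetical.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any eq telnet
vlan access-map NO_TELNET 10
 match ip address 101
 action drop
vlan access-map NO_TELNET 20
 action forward
vlan access-map LAB_MAP 10
 match ip address 150
 action drop
vlan filter NO_TELNET vlan-list 10
"""

def audit_vlan_maps(config):
    """Return {map_name: [findings]} for every VLAN map in the config text."""
    acls, applied, maps, entry = set(), set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            entry = None  # an unindented line ends the access-map sub-mode
        if m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            entry = {"seq": int(m.group(2)), "match": [], "action": None}
            maps.setdefault(m.group(1), []).append(entry)
        elif m := re.match(r"vlan filter (\S+) vlan-list", line):
            applied.add(m.group(1))
        elif entry is not None and (m := re.match(r"match ip address (.+)", line)):
            entry["match"] += m.group(1).split()
        elif entry is not None and (m := re.match(r"action (drop|forward)", line)):
            entry["action"] = m.group(1)
    report = {}
    for name, entries in maps.items():
        findings = []
        last = max(entries, key=lambda e: e["seq"])
        if last["match"] or last["action"] != "forward":
            findings.append("no catch-all forward entry: unmatched IP traffic is dropped")
        if name not in applied:
            findings.append("not applied with 'vlan filter': map has no effect")
        for acl in sorted({a for e in entries for a in e["match"]} - acls):
            findings.append(f"references undefined access list {acl}")
        report[name] = findings
    return report

print(audit_vlan_maps(SAMPLE_CONFIG))
```

An empty findings list for `NO_TELNET` means the map ends in a match-less `action forward` and is bound to a VLAN.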
