
PACL and VACL processing order

Mitrixsen
Level 1

Hello, everyone.

My ENCOR book mentions the following when it comes to how ACLs are processed when a PACL and a VACL are both configured.

[image: screenshot of the ENCOR book excerpt on PACL/VACL processing order]

I don't quite understand the last two points. When it comes to configuring VLAN ACLs, they look like this:

SW1(config)#vlan access-map VACL
SW1(config-access-map)#match ip address VACL
SW1(config-access-map)#action drop
SW1(config-access-map)#exit
SW1(config)#vlan filter VACL vlan-list 10 

You don't apply these in an inbound/outbound direction, or do you? Once a packet is received, if a VACL is configured for the VLAN, it is checked. So what does my book mean when it says that an Inbound VACL is processed before an Outbound VACL?

Thank you.

David

Accepted Solutions

M02@rt37
VIP

Hello David,

VACLs do not follow the traditional inbound and outbound logic of standard ACLs applied to interfaces. Instead, they are applied at the VLAN level and affect all traffic within that VLAN, whether the traffic is being switched within the VLAN or routed to another VLAN. This makes the phrasing in this ENCOR book a bit confusing because VACLs themselves do not have explicit "inbound" or "outbound" directions like PACLs or RACLs.

When this book states that an "Inbound VACL is processed before an Outbound VACL," it is referring to the sequence in which ACLs are checked in a multi-layer switching environment where PACLs, VACLs, and RACLs may all be present. When a packet arrives at a switch port, the first check is an inbound PACL (if applied). If the packet is permitted by the PACL, it is then checked against the inbound VACL when it enters the VLAN. At this stage, the VACL determines whether the packet can remain in the VLAN and be forwarded to another device within that VLAN. If the packet is allowed and requires routing (inter-VLAN forwarding), it is processed by an L3 ACL (or RACL) at the routing decision point. If the packet is then forwarded out of a different VLAN, the outbound VACL is checked before final delivery, followed by any outbound PACL applied to the egress port.

@MHM Cisco World's picture is just perfect.

In practical terms, this means that if a packet is denied by a VACL when it first enters the VLAN (inbound VACL processing), it is dropped immediately and never forwarded further. If a packet is permitted and later needs to be forwarded to another VLAN, the outbound VACL is checked again before it leaves. This mechanism ensures that traffic filtering applies at both the ingress and egress stages within a VLAN, even though VACLs do not follow the typical interface-bound ACL structure.

For example, if you configure a VACL to block traffic to a specific IP address in VLAN 10, any packet entering VLAN 10 destined for that IP address will be dropped as part of inbound VACL processing. Similarly, if a packet is being forwarded out of VLAN 10 to another VLAN, the same VACL will apply again before forwarding the packet out (outbound VACL processing). This ensures that unwanted traffic is filtered regardless of whether it is originating from within the VLAN or coming in from another network.

Ultimately, the key takeaway is that VACLs operate at the VLAN level and apply to all traffic entering or leaving the VLAN, not per physical interface. The mention of "inbound" and "outbound" VACL processing simply refers to the different points where the VACL is checked as traffic moves through the switch.

Best regards

3 Replies

Hello
VACL maps control traffic within a VLAN, but you can also apply routed ACLs to a VLAN to control traffic in/out of the VLAN.
So based on what you have posted, it may mean the above.
Just remember that for traffic between two hosts in the same VLAN, the traffic isn't routed, it's switched only, so VLAN ACL maps will be appropriate.
When traffic is between hosts in different VLANs, this is when routing is applicable and routed ACLs are applicable, and NOT VACL maps.

Kind Regards
Paul
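The stage order given in the accepted answer (ingress PACL, VACL on the ingress VLAN, RACL in, RACL out, VACL on the egress VLAN, egress PACL) and Paul's point that routed ACLs only ever see inter-VLAN traffic, modelled as a small Python simulation. This is an added example, not code from the thread or from Cisco. It assumes the order the answer describes (the egress PACL stage is kept as described there, though whether a platform supports it varies), it models the VLAN-map rule that a packet matching no sequence is dropped, and every address, port name and ACL in it is constructed for the example.

```python
"""Toy model of ACL processing order on a multilayer switch (added example).

Stages run in the order the accepted answer gives; RACLs are consulted only
when the packet is routed (ingress VLAN != egress VLAN). All addresses, port
names and ACL contents are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_port: str
    in_vlan: int
    out_port: str
    out_vlan: int

    @property
    def routed(self) -> bool:
        return self.in_vlan != self.out_vlan   # same VLAN both sides = bridged


def acl_permits(acl, pkt) -> bool:
    """IP ACL as ordered (action, src_prefix, dst_prefix) entries: first match
    wins, and a packet matching nothing hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def vacl_forwards(access_map, pkt) -> bool:
    """VLAN access map as ordered (match_acl, action) sequences. A sequence
    applies when its match ACL permits the packet ('permit' here means
    'classify into this sequence', not 'forward'); match_acl=None matches all.
    A packet matching no sequence is dropped (modelled implicit deny), which is
    why a map that only lists what to drop needs a final catch-all 'forward'."""
    for match_acl, action in access_map:
        if match_acl is None or acl_permits(match_acl, pkt):
            return action == "forward"
    return False


@dataclass
class SwitchConfig:
    pacl_in: dict = field(default_factory=dict)   # port -> ACL
    pacl_out: dict = field(default_factory=dict)  # port -> ACL (platform dependent)
    vacls: dict = field(default_factory=dict)     # VLAN -> access map
    racl_in: dict = field(default_factory=dict)   # SVI VLAN -> ACL applied 'in'
    racl_out: dict = field(default_factory=dict)  # SVI VLAN -> ACL applied 'out'


def process(pkt: Packet, cfg: SwitchConfig):
    """Walk the stages in order; return (forwarded, trace). The trace lists
    (stage, 'permit' | 'drop' | 'not applied') and stops at the first drop."""
    def pacl(table, port):
        return acl_permits(table[port], pkt) if port in table else None

    def vacl(vlan):
        return vacl_forwards(cfg.vacls[vlan], pkt) if vlan in cfg.vacls else None

    def racl(table, vlan):
        return acl_permits(table[vlan], pkt) if pkt.routed and vlan in table else None

    stages = [
        (f"PACL in on {pkt.in_port}", lambda: pacl(cfg.pacl_in, pkt.in_port)),
        (f"VACL on VLAN {pkt.in_vlan} (ingress)", lambda: vacl(pkt.in_vlan)),
        (f"RACL in on SVI {pkt.in_vlan}", lambda: racl(cfg.racl_in, pkt.in_vlan)),
        (f"RACL out on SVI {pkt.out_vlan}", lambda: racl(cfg.racl_out, pkt.out_vlan)),
        # Bridged traffic never leaves its VLAN, so its map already ran at ingress.
        (f"VACL on VLAN {pkt.out_vlan} (egress)", lambda: vacl(pkt.out_vlan) if pkt.routed else None),
        (f"PACL out on {pkt.out_port}", lambda: pacl(cfg.pacl_out, pkt.out_port)),
    ]
    trace = []
    for name, check in stages:
        result = check()
        trace.append((name, "not applied" if result is None else "permit" if result else "drop"))
        if result is False:
            return False, trace
    return True, trace


def drop_stage(pkt: Packet, cfg: SwitchConfig):
    """Name of the stage that dropped the packet, or None if it was forwarded."""
    forwarded, trace = process(pkt, cfg)
    return None if forwarded else trace[-1][0]


# Constructed configuration: the VLAN 10 map drops anything to host 10.0.10.50
# and forwards the rest; the VLAN 10 SVI refuses routed traffic towards VLAN 20.
BLOCK_SERVER = [("permit", "0.0.0.0/0", "10.0.10.50/32")]
NO_10_TO_20 = [("deny", "10.0.10.0/24", "10.0.20.0/24"), ("permit", "0.0.0.0/0", "0.0.0.0/0")]
CFG = SwitchConfig(
    vacls={10: [(BLOCK_SERVER, "drop"), (None, "forward")], 20: [(None, "forward")]},
    racl_in={10: NO_10_TO_20},
)
PACKETS = {
    "bridged, to blocked host": Packet("10.0.10.20", "10.0.10.50", "Gi1/0/1", 10, "Gi1/0/2", 10),
    "bridged, allowed": Packet("10.0.10.20", "10.0.10.30", "Gi1/0/1", 10, "Gi1/0/3", 10),
    "routed 10 -> 20": Packet("10.0.10.20", "10.0.20.30", "Gi1/0/1", 10, "Gi1/0/11", 20),
    "routed 20 -> 10, to blocked host": Packet("10.0.20.30", "10.0.10.50", "Gi1/0/11", 20, "Gi1/0/2", 10),
}

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        forwarded, trace = process(pkt, CFG)
        print(f"{label}: {'forwarded' if forwarded else 'dropped'}")
        for stage, result in trace:
            print(f"    {stage:34} {result}")
```

Running it prints one trace per packet. The first packet dies at the VLAN 10 map before any routing stage is reached, the second shows both RACL stages as "not applied" because same-VLAN traffic is switched, the third passes the VLAN 10 map and is then refused by the RACL on the SVI, and the fourth is routed in from VLAN 20 and is caught by the same VLAN 10 map at the egress check. That last case is the "outbound VACL" the book is talking about: one map, no direction keyword, evaluated at two points in the path. Note that the map is written with a catch-all `forward` sequence; under the modelled implicit-drop rule a map with only the OP's single `drop` sequence would drop every packet in the VLAN.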
