05-18-2020 03:48 PM
I recently ran across this ACL material while studying for the ENCOR exam:
PACL, VACL, and RACL Interaction
When a PACL, a VACL, and a RACL are all configured in the same VLAN, the
ACLs are applied in a specific order, depending on whether the incoming traffic
needs to be bridged or routed:
Bridged traffic processing order (within the same VLAN):
1. Inbound PACL on the switchport (for example, VLAN 10)
2. Inbound VACL on the VLAN (for example, VLAN 10)
3. Outbound VACL on the VLAN (for example, VLAN 10)
Routed traffic processing order (across VLANs):
1. Inbound PACL on the switchport (for example, VLAN 10)
2. Inbound VACL on the VLAN (for example, VLAN 10)
3. Inbound ACL on the SVI (for example, SVI 10)
4. Outbound ACL on the SVI (for example, SVI 20)
5. Outbound VACL on the VLAN (for example, VLAN 20)
I was a bit confused, because I do not understand how this order of choosing what type of ACL to use first was derived. What is the reasoning behind the order?
Any input is appreciated. Ratings will be given when due.
Jason
05-19-2020 12:48 AM
Hello @UncleJP ,
first of all we need to define the two different scenarios:
a) bridged traffic: this is traffic that is local to the L2 broadcast domain, for example traffic between two hosts in the same IP subnet in the same Vlan. The two hosts find their respective MAC addresses using ARP, and the SVI for Vlan 10 is never involved.
For this type of traffic, the RACL (the L3 ACL applied to the SVI) is skipped, i.e. never used.
The most specific object, the port ACL, applies first, then the inbound VACL if any, then the outbound VACL if any.
b) routed traffic
In this case hosts H1 and H2 belong to different IP subnets and to two different Vlans. Inter-Vlan routing happens, and in this case the RACL (the L3 ACL applied to the SVIs) comes into play.
The resulting order reflects the fact that the SVI acts like a host connected to the corresponding L2 broadcast domain, even if it is internal to the multilayer switch.
So the most specific Port ACL is checked first,
then the inbound VACL for VLAN 10,
then the inbound IP ACL (RACL) of SVI interface Vlan 10.
Inter-Vlan routing happens here.
Then the outbound IP ACL of SVI interface Vlan 20 is checked.
Before reaching the final host, the outgoing VACL of Vlan 20 is checked.
Hope to help
Giuseppe
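As an added illustration (not part of the thread, and not Cisco code), the model below walks a packet through the checkpoint chain described in the answer above and shows the practical consequence: an RACL on the SVI never sees bridged traffic, so a host blocked in the RACL can still reach neighbours in its own VLAN unless a PACL or VACL also blocks it. Port, VLAN and IP values are constructed samples; `Ace`, `Switch`, `checkpoints` and `forward` are hypothetical names.

```python
# Added example: a small model of the PACL/VACL/RACL checkpoint order
# described above. First-match evaluation with the implicit deny at the end.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # host IP or "any"
    dst: str     # host IP or "any"

Acl = List[Ace]

def evaluate(acl: Optional[Acl], src: str, dst: str) -> str:
    """First matching entry wins; an ACL with no match ends in implicit deny.
    A checkpoint with no ACL configured is transparent (permit)."""
    if acl is None:
        return "permit"
    for ace in acl:
        if ace.src in ("any", src) and ace.dst in ("any", dst):
            return ace.action
    return "deny"

@dataclass
class Switch:
    pacl: Dict[str, Acl]      # switchport -> inbound PACL
    vacl_in: Dict[int, Acl]   # VLAN -> inbound VACL
    vacl_out: Dict[int, Acl]  # VLAN -> outbound VACL
    racl_in: Dict[int, Acl]   # SVI -> inbound RACL
    racl_out: Dict[int, Acl]  # SVI -> outbound RACL

def checkpoints(sw: Switch, port: str, in_vlan: int,
                out_vlan: int) -> List[Tuple[str, Optional[Acl]]]:
    """Ordered checkpoints from the thread: bridged traffic never meets an SVI."""
    chain = [(f"PACL in {port}", sw.pacl.get(port)),
             (f"VACL in VLAN {in_vlan}", sw.vacl_in.get(in_vlan))]
    if in_vlan != out_vlan:  # routed: each SVI behaves like a host on its VLAN
        chain += [(f"RACL in SVI {in_vlan}", sw.racl_in.get(in_vlan)),
                  (f"RACL out SVI {out_vlan}", sw.racl_out.get(out_vlan))]
    chain.append((f"VACL out VLAN {out_vlan}", sw.vacl_out.get(out_vlan)))
    return chain

def forward(sw: Switch, port: str, in_vlan: int, out_vlan: int,
            src: str, dst: str) -> Tuple[str, str]:
    """Return (verdict, name of the checkpoint that decided it)."""
    for name, acl in checkpoints(sw, port, in_vlan, out_vlan):
        if evaluate(acl, src, dst) == "deny":
            return "deny", name
    return "permit", "end of chain"

# Constructed sample: only an inbound RACL on SVI 10, blocking host 10.0.10.5.
SW = Switch(pacl={}, vacl_in={}, vacl_out={}, racl_out={},
            racl_in={10: [Ace("deny", "10.0.10.5", "any"), Ace("permit", "any", "any")]})
```

With `SW`, 10.0.10.5 is dropped at "RACL in SVI 10" when routed to VLAN 20, but permitted when bridged to 10.0.10.9 in VLAN 10; moving the same deny into `vacl_in[10]` blocks both paths.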