Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3360
Views
6
Helpful
2
Replies

PACL, VACL, and RACL Interaction

Go to solution
UncleJP
Level 1
Level 1

‎05-18-2020 03:48 PM

I recently ran across this ACL material while studying for the ENCOR exam:

 

PACL, VACL, and RACL Interaction
When a PACL, a VACL, and a RACL are all configured in the same VLAN, the
ACLs are applied in a specific order, depending on whether the incoming traffic
needs to be bridged or routed:


Bridged traffic processing order (within the same VLAN):
1. Inbound PACL on the switchport (for example, VLAN 10)
2. Inbound VACL on the VLAN (for example, VLAN 10)
3. Outbound VACL on the VLAN (for example, VLAN 10)


Routed traffic processing order (across VLANs):
1. Inbound PACL on the switchport (for example, VLAN 10)
2. Inbound VACL on the VLAN (for example, VLAN 10)
3. Inbound ACL on the SVI (for example, SVI 10)
4. Outbound ACL on the SVI (for example, SVI 20)
5. Outbound VACL on the VLAN (for example, VLAN 20)

 

 

I was a bit confused, because I do not understand how this order of choosing what type of ACL to use first was derived. What is the reasoning behind the order?

 

Any input is appreciated. Ratings will be given when due.

 

Jason

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-19-2020 12:48 AM

Hello @UncleJP ,

first of all we need to define the two different scenarios:

a) bridged traffic this is traffic that is local to the L2 broadcast domain example traffic between two hosts in the same IP subnet in the same Vlan. The two hosts find their respective MAC address using ARP and the SVI for Vlan 10 is never involved.

For this type of traffic so the RACL = L3 ACL applied to the SVI are skipped = never used.

The most specific object the port ACL applies first then the inbound VACL if any , then the outbound VACL if any.

 

b) routed traffic

In this case hosts H1 and H2 belong to different IP subnets and to two different Vlans. Inter Vlan routing happens and in this case RACL = L3 ACL applied to SVIs come to play a role.

The resulting order reflects the fact that the SVI acts like an host connected to the corresponding L2 broadcast domain even if it is internal to the multilayer switch.

So the most specific Port ACL is checked first

Then the inbound VACL for VLAN 10

Then the inbound IP ACL = RACL for SVI interface Vlan 10

Inter Vlan routing happens here

Then the  outbound IP ACL of SVI interface vlan 20 is checked

Before reaching the final host the outgoing VACL of Vlan 20 is checked.

 

Hope to help

Giuseppe

 

View solution in original post

2 Replies 2

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-19-2020 12:48 AM

Hello @UncleJP ,

first of all we need to define the two different scenarios:

a) bridged traffic this is traffic that is local to the L2 broadcast domain example traffic between two hosts in the same IP subnet in the same Vlan. The two hosts find their respective MAC address using ARP and the SVI for Vlan 10 is never involved.

For this type of traffic so the RACL = L3 ACL applied to the SVI are skipped = never used.

The most specific object the port ACL applies first then the inbound VACL if any , then the outbound VACL if any.

 

b) routed traffic

In this case hosts H1 and H2 belong to different IP subnets and to two different Vlans. Inter Vlan routing happens and in this case RACL = L3 ACL applied to SVIs come to play a role.

The resulting order reflects the fact that the SVI acts like an host connected to the corresponding L2 broadcast domain even if it is internal to the multilayer switch.

So the most specific Port ACL is checked first

Then the inbound VACL for VLAN 10

Then the inbound IP ACL = RACL for SVI interface Vlan 10

Inter Vlan routing happens here

Then the  outbound IP ACL of SVI interface vlan 20 is checked

Before reaching the final host the outgoing VACL of Vlan 20 is checked.

 

Hope to help

Giuseppe

 

Go to solution
UncleJP
Level 1
Level 1
In response to Giuseppe Larosa

‎05-19-2020 07:02 AM

Wow! Excellent answer. You completely cleared up my confusion. Thanks!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card