Router based Access-List (RACL) vs Vlan Access Control List (VACL)

Steph1963
Level 1

Hi,

I am a little bit confused about the difference between a Router-based Access List (RACL) and a VLAN Access Control List (VACL). What is the typical case where we should use a VACL?

Question 1:

Can we apply an RACL under a VLAN interface on a 2950 and expect that it can prevent some specific hosts from accessing a server with a layer 3 access-list if every host and the server are using the same VLAN, or should we use a VACL?

Question 2:

Where can we use a layer 3 access-list on a 2950? My understanding is that we cannot put a layer 3 access-list on a switchport, but can we put a layer 3 access-list on a switchport? Can we put it on a trunk port or on the Gig port of a 2950 and expect a similar behaviour as a router?

Thanks

Stéphane

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Stephane,

be aware that a C2950 is a L2 LAN switch only; it cannot perform L3 switching.

As a result of this, you have no router ACL option (no routed traffic to process between VLANs) on SVIs on it, and I doubt also about VACL support.

However, some support of ACLs is present, see:

The switch does not support these Cisco IOS router ACL-related features:

Non-IP protocol ACLs (see Table 28-2)

Bridge-group ACLs

IP accounting

ACL support on the outbound direction

Inbound and outbound rate limiting (except with QoS ACLs)

IP packets that have a header length of less than 5 bytes

Reflexive ACLs

Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature)

ICMP-based filtering

Interior Gateway Routing Protocol (IGMP)-based filtering

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html

you can apply a "router" ACL to a L2 port:

>>>>The interface must be a Layer 2 or management interface or a management interface VLAN ID.

(only one SVI is supported for management purposes)

Hope to help

Giuseppe


5 Replies

Hi Giusepe,

Thanks for the answer.

Done a quick test on a 2950 & ME-3400 and you can put a layer 3 access-list on a port that is defined as a switch port. Can you confirm my conclusions?

You can prevent any user from connecting via a switchport (layer 2) to access a server with an access-group in command under the interface and with a proper layer 3 access-list.

VLAN access-lists are more like a hardware Layer 2 or 3 access-list on higher platforms like the Catalyst 6000.

Question:

What is the utilisation of putting an access-list under a VLAN interface? Could you use an access-list under a VLAN interface to prevent a list of users from pinging the switch?

Thanks
Stéphane

Stephane

Yes, you can use a L3 access-list on a switchport to restrict traffic in the inbound direction on that port, although you need to read all the restrictions, e.g. on the 2950 the subnet mask used must be the same for all entries in the access-list.

VLAN access-lists are more concerned with controlling traffic within a VLAN, i.e. from a host in the same VLAN to another in the same VLAN, rather than controlling traffic between VLANs, which is where RACLs are usually used.

You can use an access-list on a L2 switch under the VLAN interface to control who can connect to the actual switch or ping it etc. Utilisation should not be that great.

Jon
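To make the three cases discussed in this thread concrete (an inbound port ACL on a L2 switchport, a VACL filtering intra-VLAN traffic on a platform that supports it, and an ACL on the management SVI), here is a constructed IOS configuration that is not from any post above. Host addresses, interface numbers and ACL names are assumptions; the port ACL and SVI parts assume a 2950 with an image that supports IP ACLs, and the VACL part assumes a platform such as the Catalyst 6500 or 3560.

```text
! Added example, not from the thread. Addresses, names and interfaces
! are assumptions for illustration only.
!
! 1) Port ACL on a L2 switch such as the 2950: applied INBOUND on the
!    switchport where the host connects. Blocks 10.1.1.50 from reaching
!    the server 10.1.1.10 even though both are in VLAN 10.
!    Outbound port ACLs are not supported on the 2950 (see the
!    restriction list in the accepted answer).
ip access-list extended BLOCK-TO-SERVER
 deny   ip host 10.1.1.50 host 10.1.1.10
 permit ip any any
!
interface FastEthernet0/5
 switchport access vlan 10
 ip access-group BLOCK-TO-SERVER in
!
! 2) VACL on a platform that supports vlan access-maps: filters traffic
!    within VLAN 10 no matter which port it enters on. In the matched ACL,
!    "permit" selects the traffic that the map's action (drop) applies to.
ip access-list extended INTRA-VLAN-DENY
 permit ip host 10.1.1.50 host 10.1.1.10
!
vlan access-map PROTECT-SERVER 10
 match ip address INTRA-VLAN-DENY
 action drop
vlan access-map PROTECT-SERVER 20
 action forward
!
vlan filter PROTECT-SERVER vlan-list 10
!
! 3) ACL on the single management SVI of the 2950: limits which hosts
!    can reach the switch's own IP (ping, telnet/ssh to the switch).
ip access-list standard MGMT-HOSTS
 permit 10.1.1.100
 deny   any
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 ip access-group MGMT-HOSTS in
!
! Verification commands:
! show ip access-lists
! show vlan access-map       (VACL platforms only)
! show vlan filter           (VACL platforms only)
```

Case 1 only covers traffic entering on FastEthernet0/5; a host plugged into another port in VLAN 10 is not filtered unless that port carries the same ACL, which is exactly the gap a VACL (case 2) closes.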

Hi,

Are there any special restrictions on the utilisation of access-lists in the outbound direction of a 2950?

Thanks

Stéphane

Hello Stephane,

among the known restrictions of ACLs on a C2950 there is the fact that outbound ACLs are not supported on a switch port:

>> ACL support on the outbound direction

see my first post in this thread, so if you are facing issues attempting to apply an ACL outbound, this is a known limitation.

Hope to help

Giuseppe
