715 Views, 0 Helpful, 4 Replies

ACL differences

newtamil2011
Level 1

Hi Guys,

Could you please tell me the differences between ACL, PACL, and VACL?

Accepted Solution

Hi,

An ACL is a collection of sequential permit and deny conditions that applies to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the permissions required to be forwarded, based on the conditions specified in the access lists. It tests the packets against the conditions in an access list one-by-one. The first match determines whether the switch accepts or rejects the packets.

If an output PACL is configured on a Layer 2 port, then neither a VACL nor a Router ACL can be configured on the VLANs to which the Layer 2 port belongs.

If any VACL or Router ACL is configured on the VLANs to which the Layer 2 port belongs, the output PACL cannot be configured on the Layer 2 port. That is, PACLs and VLAN-based ACLs (VACL and Router ACL) are mutually exclusive on Layer 2 ports.

You can use the access group mode to change the way PACLs interact with other ACLs. For example, if a Layer 2 interface belongs to VLAN100, VACL (VLAN filter) V1 is applied on VLAN100, and PACL P1 is applied on the Layer 2 interface. In this situation, you must specify how P1 and V1 impact the traffic with the Layer 2 interface on VLAN100. In a per-interface fashion, the access-group mode command can be used to specify one of the desired behaviors that are defined below.

Hope the above is clear and you understand it...

Please rate all the helpful posts.
Regards,
Naidu.
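To make the three attachment points concrete, here is an added Catalyst IOS configuration fragment (written for this page; it is not from the original posts and is not a verbatim Cisco documentation example). It shows a Router ACL on an SVI, a PACL on a Layer 2 switchport in the same VLAN, and a VACL applied to that VLAN through a vlan access-map. The VLAN number, interface, ACL names and addresses are constructed; the access-group mode keywords shown are the Catalyst 4500-series ones, and which ACL types, directions and keywords a given platform supports must be checked against that platform's documentation.

```cisco
! Constructed example: VLAN 100 is 10.1.100.0/24, a server sits at 10.1.100.10.

! 1) Router ACL (RACL): attached to an SVI or routed port, in or out.
!    Only traffic that crosses the Layer 3 boundary is evaluated here;
!    hosts in VLAN 100 talking to each other never hit this ACL.
ip access-list extended RACL_V100_IN
 permit tcp 10.1.100.0 0.0.0.255 any eq 443
 permit udp 10.1.100.0 0.0.0.255 any eq 53
 deny   ip any any log
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 ip access-group RACL_V100_IN in
!
! 2) PACL: the same ACL syntax, but applied to a Layer 2 switchport.
!    Frames entering that port are checked before any VLAN or routing decision.
ip access-list extended PACL_ACCESS
 permit ip 10.1.100.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 ip access-group PACL_ACCESS in
 ! Catalyst 4500-series keyword (assumed platform): choose whether this PACL
 ! takes precedence over, or is merged with, the VLAN-level ACLs (VACL/RACL).
 access-group mode prefer port
!
! 3) VACL: a vlan access-map applied to all traffic bridged within VLAN 100
!    and to traffic routed into or out of it; it has no direction and no port.
!    Inside a VACL, "permit" in the matched ACL means "this entry matches",
!    not "forward"; the action clause decides what happens to matched traffic.
ip access-list extended VACL_MATCH_TELNET
 permit tcp any host 10.1.100.10 eq 23
!
vlan access-map V100_FILTER 10
 match ip address VACL_MATCH_TELNET
 action drop
vlan access-map V100_FILTER 20
 action forward
!
vlan filter V100_FILTER vlan-list 100
```

Sequence 20 with `action forward` is needed because a vlan access-map, like an ACL, ends in an implicit deny; without it every other frame in VLAN 100 would be dropped. After applying the configuration, `show access-lists`, `show vlan access-map` and `show vlan filter` confirm which ACL is bound where, and the hit counters on `show access-lists` are the quickest way to see which of the three layers actually matched a test flow.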


4 Replies

cadet alain
VIP Alumni

Hi,

On a switch:

- ACL: can only be applied inbound and on an L2 port

- PACL: like a regular router ACL, can be applied both ways on routed ports or SVIs

- VACL: this is applied for all ports in a particular VLAN using a route-map construct

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

Thanks.. could you elaborate more...


Hi Latchum,

I explained RACL instead of PACL; if I hadn't seen your answer I wouldn't have found my mistake.

Regards.

Alain

Don't forget to rate helpful posts.