Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Router based Access-List (RACL) vs Vlan Access Control List (VACL)

Hi,

I am a little bit confused on the difference between a Router based Access List (RACL) and a Vlan Acccess Control List (VACL). What is the typical case where we should used a VACL.

Question 1:

Can we applied an RACL under a VLAN interface on a 2950 and expect that it can prevent some specific hosts to access a server with layer 3 Access-list if every hosts and server are using the same VLAN or should we used a VACL.

Question 2:

Where can we used a layer 3 access-list on a 2950. My understanding is that we cannot put a layer 3 access-list on a switchport but can we put a layer 3 access-list on a switchport. Can we put it on a Trunk Port or on the Gigi Port of a 2950 and expect a similar behavior as a router.

Thanks

Stéphane

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Router based Access-List (RACL) vs Vlan Access Control List

Hello Stephane,

be aware that a C2950 is a L2 LAN switch only it cannot perform L3 switching.

As a result of this, you have no router ACL option (n routed traffic to process between Vlans)  on SVIs on it and I doubt also about VACL support

However, Some support of ACLs is present see

The switch does not support these Cisco IOS router ACL-related features:

Non-IP protocol ACLs (see Table 28-2)

Bridge-group ACLs

IP accounting

ACL support on the outbound direction

Inbound and outbound rate limiting  (except with QoS ACLs)

IP packets that have a header length of  less than 5 bytes

Reflexive ACLs

Dynamic ACLs (except for certain  specialized dynamic ACLs used by the switch clustering feature)

ICMP-based filtering

Interior Gateway Routing Protocol  (IGMP)-based filtering

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html

you can apply a "router" ACL to a L2 port:

>>>>The interface must be a Layer 2 or management  interface or a management interface VLAN ID.

(only one SVI is supported for management purposes)

Hope to help

Giuseppe

5 REPLIES
Hall of Fame Super Silver

Re: Router based Access-List (RACL) vs Vlan Access Control List

Hello Stephane,

be aware that a C2950 is a L2 LAN switch only it cannot perform L3 switching.

As a result of this, you have no router ACL option (n routed traffic to process between Vlans)  on SVIs on it and I doubt also about VACL support

However, Some support of ACLs is present see

The switch does not support these Cisco IOS router ACL-related features:

Non-IP protocol ACLs (see Table 28-2)

Bridge-group ACLs

IP accounting

ACL support on the outbound direction

Inbound and outbound rate limiting  (except with QoS ACLs)

IP packets that have a header length of  less than 5 bytes

Reflexive ACLs

Dynamic ACLs (except for certain  specialized dynamic ACLs used by the switch clustering feature)

ICMP-based filtering

Interior Gateway Routing Protocol  (IGMP)-based filtering

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/swacl.html

you can apply a "router" ACL to a L2 port:

>>>>The interface must be a Layer 2 or management  interface or a management interface VLAN ID.

(only one SVI is supported for management purposes)

Hope to help

Giuseppe

New Member

Re: Router based Access-List (RACL) vs Vlan Access Control List

Hi Giusepe,

Thanks for the answer.

Done a quick test on a 2950 & ME-3400 and you can put a layer 3 access-list on a port that is defined as  a switch port. Can you confirm my conclusions:

You can prevent any user from connecting via a switchport (layer 2) to access a server with an access-group in comand under the interface and with a proper layer 3 Access-list.

VLAN access-list are more like an hardware Layer 2 or 3 access-list on higher platform like the Catalyst 6000.

Question:

What is the utilisation of putting an access-list under a VLAN interface. Could you used an access-list under a VLAN interface to prevent a list of users from pinging the switch

Thanks
Stéphane

Hall of Fame Super Blue

Re: Router based Access-List (RACL) vs Vlan Access Control List

Steph1963 wrote:

Hi Giusepe,

Thanks for the answer.

Done a quick test on a 2950 & ME-3400 and you can put a layer 3 access-list on a port that is defined as  a switch port. Can you confirm my conclusions:

You can prevent any user from connecting via a switchport (layer 2) to access a server with an access-group in comand under the interface and with a proper layer 3 Access-list.

VLAN access-list are more like an hardware Layer 2 or 3 access-list on higher platform like the Catalyst 6000.

Question:

What is the utilisation of putting an access-list under a VLAN interface. Could you used an access-list under a VLAN interface to prevent a list of users from pinging the switch

Thanks
Stéphane

Stephane


Yes you can use a L3 access-list on a switchport to restrict traffic in the inbound direction on that port although you need to read all the restrictions eg. on the 2950 the subnet mask used must be the same for all entries in the access-list.

Vlan access-lists are more concerned with controlling traffic within a vlan ie. from a host in the same vlan to another in the same vlan rather than controlling traffic between vlans which is where racls are usually used.

You can use an access-list on a L2 switch under the vlan interface to control who can connect to the actual switch or ping it etc.. Utilisation should not be that great.

Jon

New Member

Re: Router based Access-List (RACL) vs Vlan Access Control List

Hi,

Is there any special restrictions on the utilisation of access-list on the outbond direction of a 2950.

Thanks

Stéphane

Hall of Fame Super Silver

Re: Router based Access-List (RACL) vs Vlan Access Control List

Hello Stephane,

between the known restrictions of ACLs over a C2950 there is the fact that outbound ACLs are not supported on a switch port

>> •ACL support on the outbound direction

see my first post on this thread, so if you are facing issues attempting to apply an ACL outbound this is a known limitation

Hope to help

Giuseppe

2954
Views
4
Helpful
5
Replies