ACLs, or access control lists, are an important aspect of access management. They streamline access management and add an extra layer of security to an organization's network. However, managing many access lists can be a challenge in large and complex networks.
Cisco supports several types of access control lists (ACLs) to manage permissions on its network devices. Network security tasks such as user permissions, data protection and intrusion prevention are achieved through ACLs. Port access control lists (PACLs) control inbound traffic at layer 2. Router access control lists (RACLs) control traffic at layer 3, and VLAN access control lists (VACLs) control traffic flow within a VLAN.
In today's article we will look at the Cisco ACL types PACL, VACL and RACL, their key differences, how they are used and what is in store for the future.
What is PACL
PACLs, or port access control lists, are used to control traffic on layer 2 interfaces. They support only inbound traffic filtering. Port ACLs can be configured as standard, extended and MAC-extended types. The switch examines the ACL and permits or denies packet forwarding based on the criteria defined in the PACL. A PACL applied on a trunk port filters traffic for all VLANs configured on that trunk port. It can filter both voice and data traffic when applied to a port configured with a voice VLAN. It can filter both IP traffic (using an IP access list) and non-IP traffic (using a MAC access list) simultaneously. PACLs are not supported on EtherChannel interfaces.

What is VACL
A VLAN ACL, or VACL, filters all traffic that is bridged within a VLAN or routed into or out of the VLAN. It is not defined by direction, so all packets entering the VLAN are checked against the applied VACL. A VACL can be combined with the private VLAN feature to filter traffic based on direction. VACLs are processed in hardware and are therefore also called wire-speed ACLs: because the lookup is performed in hardware, the forwarding rate remains unchanged regardless of the size of the ACL. VACLs can be configured for IP, IPX and MAC-layer traffic.

What is RACL
An RACL is a type of ACL applied on a Cisco router or routed interface to control traffic between networks, rather than within a single switch or VLAN. Router ACLs provide filtering at layer 3 (the network layer) on switched virtual interfaces (SVIs); they support both standard and extended ACLs. An RACL can be applied to both inbound and outbound traffic.

Comparison Cisco ACL Types: PACL vs VACL vs RACL
| Feature | PACL | VACL | RACL |
|---|---|---|---|
| OSI layer | Operates at layer 2 (inbound only) | Operates at layer 2 | Operates at layer 3 (network layer) |
| Function | Traffic filtering on an individual switch port | Traffic filtering within a VLAN; affects all ports assigned to that VLAN | Traffic filtering between VLANs (inbound and outbound) |
| Direction | Inbound only | Inbound and outbound traffic | Filtering in a specific direction (inbound or outbound) at layer 3 |
| Configuration | Configured on a layer 2 interface | Configured on a VLAN | Configured on a layer 3 interface (SVI) |
| Uses | Traffic filtering on a specific access port, such as a user-facing port | Traffic filtering between two ports in the same VLAN; a baseline security policy for all traffic to a VLAN | Traffic allowed or denied from one VLAN to another based on access policies |
| Role | Edge port security | Security within a VLAN | Security across VLANs |
| Processing order | Processed first | Processed after PACLs and before RACLs | Processed after the inbound VACL and before the outbound VACL |
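As an added example (not configuration from the original article), the following Cisco IOS fragment applies each ACL type at the attachment point the table describes: a PACL on a layer 2 access port, a VACL on the VLAN itself, and an RACL on the SVI. The interface name, VLAN numbers and IP subnets are constructed placeholders.

```cisco
! PACL: inbound filter on a layer 2 access port
! (assumed port Gi1/0/5 in user VLAN 10, constructed subnet 10.10.10.0/24)
ip access-list extended PACL-USER-PORT
 permit udp any any eq bootps
 permit ip 10.10.10.0 0.0.0.255 any
 deny ip any any
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ! only "in" exists here: a PACL cannot filter outbound traffic
 ip access-group PACL-USER-PORT in
!
! VACL: applied to the VLAN itself, with no direction keyword.
! "permit" in the match ACL only selects traffic; the access-map
! "action" decides whether that traffic is dropped or forwarded.
ip access-list extended VACL-MATCH-TELNET
 permit tcp any any eq 23
!
vlan access-map VLAN10-POLICY 10
 match ip address VACL-MATCH-TELNET
 action drop
vlan access-map VLAN10-POLICY 20
 action forward
!
vlan filter VLAN10-POLICY vlan-list 10
!
! RACL: layer 3 filter on the SVI, direction chosen explicitly
! (constructed server VLAN 20 = 10.10.20.0/24; only HTTPS allowed there)
ip access-list extended RACL-VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group RACL-VLAN10-IN in
```

With all three in place, a frame entering GigabitEthernet1/0/5 meets the PACL first, then the VLAN 10 access map, and the RACL only once the packet is routed through interface Vlan10, which is the processing order the table gives.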
ABOUT THE AUTHOR

You can learn more about her on her linkedin profile – Rashmi Bhardwaj