RACL, VACL, and PACL: Many Types of ACLs
ACLs found on Ethernet switches generally come in many shapes and forms, mostly because
of the differences in hardware and software architectures on those platforms, but also
because the functionality provided by ACLs has evolved over time. You are likely to come
across three types of ACLs on an Ethernet switch:
• Router ACL (RACL). An IP-based ACL that is applied to a routed interface. It is the
most common type of ACL. The ACL used in Example 16-1 is a RACL.
• VLAN ACL (VACL). Applies to traffic entering and leaving a VLAN. It is globally
applied to all ports in a given VLAN. It can filter both on Layer 2 criteria (MAC
addresses) and on Layer 3 and 4 parameters, just like a RACL.
• Port-based ACL (PACL). A VACL applied to an individual switch port inside a
VLAN.
Several switches also ship with options to perform other operations on packets than the
standard permit/deny. For example, it is common for LAN switches to include the
capability to capture traffic matched by an ACL and send it out a capture port where a traffic
analyzer resides. Another type of action is redirecting matching traffic from its
incoming port to another port.
Table 16-1 summarizes the differences and nuances of the three ACL types, which are
detailed in the following sections.
Table 16-1 VACL/RACL/PACL: Summary

RACL: Permits or denies the movement of traffic between Layer 3 subnets. Applied as an
input or output policy to a Layer 3 interface.

VACL: Permits or denies the movement of traffic between Layer 3 subnets/VLANs or within
a VLAN. Applied as a policy to a VLAN interface; inherently applied to both inbound and
outbound traffic.

PACL: Permits or denies the movement of traffic between Layer 3 subnets/VLANs or within
a VLAN. Applied as a policy to a Layer 2 switch port interface; applied for inbound
traffic only.
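The following configuration is an added example, not the book's Example 16-1, showing how one IP ACL body is attached in each of the three ways on Cisco IOS-style syntax so the differences in scope and direction from Table 16-1 become visible. The ACL names, VLAN 10, the interface names, the 10.1.10.0/24 and 10.1.20.0/24 subnets, and the MAC address are all assumed values chosen for illustration.

```cisco
! Added example (not the book's Example 16-1). All names, VLAN numbers,
! interfaces, subnets and the MAC address below are assumed/constructed.
!
! Shared IP ACL: hosts in 10.1.10.0/24 may reach servers in 10.1.20.0/24
! on TCP/443 only. The explicit deny makes the implicit deny visible.
ip access-list extended WEB-ONLY
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 deny   ip any any
!
! 1) RACL: applied to a routed (Layer 3) interface with an explicit
!    direction. Only traffic routed between subnets is evaluated;
!    frames bridged within VLAN 10 never reach this ACL.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group WEB-ONLY in
!
! 2) VACL: a VLAN access-map filtered onto VLAN 10. It sees bridged
!    traffic inside the VLAN as well as routed traffic entering and
!    leaving it, in both directions, and can match Layer 2 criteria
!    via a MAC ACL (on some platforms a MAC ACL in a VLAN map matches
!    only non-IP frames). A sequence with no match clause matches all
!    remaining packets, so sequence 30 is the explicit catch-all drop.
mac access-list extended BLOCK-HOST
 permit host 0011.2233.4455 any
!
vlan access-map VLAN10-FILTER 10
 match mac address BLOCK-HOST
 action drop
vlan access-map VLAN10-FILTER 20
 match ip address WEB-ONLY
 action forward
vlan access-map VLAN10-FILTER 30
 action drop
vlan filter VLAN10-FILTER vlan-list 10
!
! 3) PACL: the same IP ACL on a Layer 2 switch port, inbound only.
!    On ingress it is evaluated before the VACL and the RACL, so it is
!    the narrowest place to restrict what a single access port may send.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip access-group WEB-ONLY in
```

Note that inside a VLAN access-map the ACL's permit entries define what a sequence matches, so the `deny ip any any` line in WEB-ONLY does not itself drop traffic there; unmatched packets fall through to the next sequence, which is why the catch-all drop at sequence 30 is spelled out.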