Working with VACL
VLAN-based ACLs made their appearance on LAN switches some time after RACLs.
VACLs provide the capability to filter traffic between hosts located in the same VLAN.
They apply to IP and non-IP traffic alike. For example, using VACLs, it is possible to permit
or deny traffic based on its source or destination MAC address. Naturally, IP addresses,
User Datagram Protocol (UDP), and TCP ports can also be used as filtering criteria.
Contrary to a VACL, a RACL cannot match intra-VLAN traffic because traffic between
hosts inside a common VLAN does not transit through a routed interface at all.
Figure 16-2 shows the VACL concept.
Figure 16-2 VACL Example
NOTE VACLs generally follow the same syntax as RACLs; it's just their operating principle that
differs.
VACLs are suitable for providing access control for an entire VLAN in one shot. For
example, if you want to prevent all users in VLAN 20 from surfing the Internet, apply a
VACL on VLAN 20 to deny all sources from communicating to any destination using TCP
port 80. (A policy that blocks only TCP port 80 leaves HTTPS on TCP port 443 untouched; the
example illustrates the mechanism, not a complete web-filtering policy.) Notice that we are
not applying the VACL to specific ports in VLAN 20, but rather to traffic entering and leaving
the switch through VLAN 20. Although VACLs and RACLs might appear to be closely related,
the key difference between them is that a RACL is unable to match traffic that is Layer 2
switched between two ports inside the same VLAN, while a VACL can.
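The VLAN 20 policy described above, written out as a VLAN access map. This is an added configuration example, not taken from the chapter; it assumes Cisco IOS syntax of the Catalyst 6500 and 3750 families, and the ACL, access-map and MAC address names are invented. It also shows the MAC-address criterion mentioned earlier, and the catch-all clause that a practitioner must not forget, because a packet that matches no clause of an access map is dropped, which would silently kill ARP and everything else in the VLAN.

```ios
! Added example (not the chapter's own configuration). Platform assumed:
! Catalyst 6500 / 3750-class switch running Cisco IOS; names are invented.
!
! Classification ACLs: a VACL reuses ordinary IP and MAC ACL syntax.
! "permit" entries define what the access-map clause matches; a "deny"
! entry means "this clause does not match, try the next clause".
ip access-list extended VLAN20-HTTP
 permit tcp any any eq 80
!
mac access-list extended VLAN20-BAD-NIC
 permit host 0000.1111.2222 any
!
! Clauses are evaluated in sequence order; the first matching clause wins.
vlan access-map VLAN20-POLICY 10
 match ip address VLAN20-HTTP
 action drop
!
! MAC-based match. Caveat: on many platforms a MAC clause only classifies
! non-IP frames unless MAC packet classification is enabled; check yours.
vlan access-map VLAN20-POLICY 20
 match mac address VLAN20-BAD-NIC
 action drop
!
! Catch-all: a packet matching no clause is dropped by default, so without
! this clause ARP and all other traffic in VLAN 20 stops.
vlan access-map VLAN20-POLICY 30
 action forward
!
! Bind to the VLAN. The map is not applied per port and has no direction:
! it is checked on every frame entering or leaving VLAN 20 on this switch.
vlan filter VLAN20-POLICY vlan-list 20
!
! Verification:
!   show vlan access-map VLAN20-POLICY
!   show vlan filter
```

Note that the HTTP clause matches any packet whose destination port is 80, whichever way it crosses the VLAN; the reply packets (source port 80) are not matched by this clause and would need a separate access-list entry if you wanted to drop them explicitly, although dropping the requests is sufficient to break the session.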
Unlike RACLs, VACLs are directionless. That is, they match ingress and egress traffic to
and from the VLAN. Figure 16-3 illustrates how they apply to traffic entering and exiting
the VLAN.
[Figure 16-2 content: a VACL applied to traffic bridged within VLAN 10 on a switch.]
Figure 16-3 VACLs Are Directionless
A VACL used in conjunction with the capture option is frequently used to send specific
traffic from a VLAN to a network analyzer, as Figure 16-4 shows, for example. Thanks to
the selective VACL match syntax, only a fraction of the total traffic in transit through the
VLAN is sent to the analyzer.
Figure 16-4 VACL Capture
Oftentimes, the number of port-mirroring sessions available per switch is limited.
Therefore, a VACL capture presents a useful alternative to port mirroring.
Furthermore, port mirroring unselectively copies all traffic from a port or VLAN to another,
while a VACL capture offers more granularity (thanks to the ACL match).
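The capture arrangement of Figure 16-4 as configuration. This is an added example, not the chapter's own; it assumes a Catalyst 6500 running Cisco IOS (other platforms use different syntax or do not support the capture action at all), and the ACL, access-map and interface names are invented. It sends only HTTP traffic of VLAN 10 to an analyzer or IPS on GigabitEthernet3/1 and illustrates two points a practitioner runs into: because the VACL is directionless, both halves of a TCP session are copied only if the ACL matches both the request and the reply, and only forwarded frames can be captured.

```ios
! Added example (not the chapter's own configuration). Platform assumed:
! Catalyst 6500 running Cisco IOS; names and port numbers are invented.
!
! Match both directions of HTTP: requests (destination port 80) and the
! replies (source port 80). With only the first line, the analyzer would
! see one half of every session.
ip access-list extended VLAN10-HTTP
 permit tcp any any eq 80
 permit tcp any eq 80 any
!
! "forward capture" forwards the frame normally AND copies it to the
! capture port(s). Capture exists only with the forward action: a frame
! the VACL drops is never copied to the analyzer.
vlan access-map VLAN10-CAPTURE 10
 match ip address VLAN10-HTTP
 action forward capture
!
! Catch-all, since unmatched packets are dropped by default.
vlan access-map VLAN10-CAPTURE 20
 action forward
!
vlan filter VLAN10-CAPTURE vlan-list 10
!
! The analyzer / IPS sits on this port. "switchport capture" turns it into
! a capture port; restricting it to VLAN 10 keeps it from also receiving
! frames captured by access maps on other VLANs.
interface GigabitEthernet3/1
 switchport
 switchport capture
 switchport capture allowed vlan 10
!
! Verification:
!   show vlan access-map VLAN10-CAPTURE
!   show vlan filter
```

Unlike a SPAN session, this consumes no port-mirroring session, and the volume sent to the analyzer is bounded by what the ACL selects rather than by the total load of VLAN 10.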
It is possible to combine both RACLs and VACLs on a given VLAN, as Figure 16-5 shows.
This combination gives you the flexibility to control both intra-VLAN bridged traffic and
traffic routed outside of the VLAN.
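A combined RACL and VACL on VLAN 50, following the layout of Figure 16-5. This is an added example and not the chapter's own configuration; it assumes Catalyst 6500-style Cisco IOS syntax, takes the addresses 10.10.50.1 and 10.10.60.1 from the figure, and invents the ACL and access-map names. The VACL is hit by every frame entering or leaving VLAN 50, bridged or routed, whereas the RACL on the SVI only ever sees packets that are routed through it.

```ios
! Added example (not the chapter's own configuration). Platform assumed:
! Catalyst 6500-style Cisco IOS; names are invented, addresses follow
! Figure 16-5 (VLAN 50 = 10.10.50.0/24, VLAN 60 = 10.10.60.0/24).
!
! VACL: processed in the Layer 2 engine on ingress and egress of VLAN 50,
! so it also catches Telnet between two hosts inside 10.10.50.0/24, which
! a RACL can never see.
ip access-list extended VLAN50-NO-TELNET
 permit tcp any any eq 23
vlan access-map VLAN50-VACL 10
 match ip address VLAN50-NO-TELNET
 action drop
vlan access-map VLAN50-VACL 20
 action forward
vlan filter VLAN50-VACL vlan-list 50
!
! RACL: applied on the Layer 3 input interface. Only packets that leave
! VLAN 50 through the router (here, toward VLAN 60) are evaluated against
! it; bridged intra-VLAN traffic never reaches this point.
ip access-list extended VLAN50-ROUTED-IN
 permit ip 10.10.50.0 0.0.0.255 10.10.60.0 0.0.0.255
 deny   ip any any log
!
interface Vlan50
 ip address 10.10.50.1 255.255.255.0
 ip access-group VLAN50-ROUTED-IN in
!
interface Vlan60
 ip address 10.10.60.1 255.255.255.0
```

For a routed packet from VLAN 50 to VLAN 60 the order of evaluation is the one in Figure 16-5: input VACL of VLAN 50, input RACL on Vlan50, routing, output RACL on Vlan60 (none configured here), and finally the output VACL of VLAN 60, if any.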
[Figure 16-3 content: packets arriving on a Layer 2 interface have the VACL processed on ingress and on egress; the VACL is applied at ingress and again at egress of the VLAN.]
[Figure 16-4 content: the VACL capture on VLAN 10 forwards matched packets from the source to the destination and also out a capture port, which is especially useful for forwarding packets for inspection by a LAN analyzer or intrusion prevention system.]
Figure 16-5 Combining RACLs and VACLs
[Figure 16-5 content: it is possible to combine the use of a RACL and a VACL at the same time for Layer 3 switched packets. A packet enters a Layer 2 interface in VLAN 50 and is bridged through the input VACL to the Layer 3 input interface (IP address 10.10.50.1), where the input RACL is applied; it is routed to the Layer 3 output interface (IP address 10.10.60.1), where the output RACL is applied; it is then bridged through the output VACL out a Layer 2 interface in VLAN 60. Both VACLs are processed in the Layer 2 engine.]