Differences between PACL, VACL, and RACL

Summary:

When a PACL, a VACL, and a RACL are all configured in the same VLAN, the
ACLs are applied in a specific order, depending on whether the incoming traffic needs to be bridged or routed:

Bridged traffic processing order (within the same VLAN):

1. Inbound PACL on the switchport (for example, VLAN 10)
2. Inbound VACL on the VLAN (for example, VLAN 10)
3. Outbound VACL on the VLAN (for example, VLAN 10)

Routed traffic processing order (across VLANs):

1. Inbound PACL on the switchport (for example, VLAN 10)
2. Inbound VACL on the VLAN (for example, VLAN 10)
3. Inbound ACL on the SVI (for example, SVI 10)
4. Outbound ACL on the SVI (for example, SVI 20)
5. Outbound VACL on the VLAN (for example, VLAN 20)

Explanation

First, we need to define the two different scenarios:

Bridged traffic

1. Bridged Traffic: This refers to traffic within the same Layer 2 broadcast domain, such as communication between two hosts on the same IP subnet and VLAN. The hosts resolve each other's MAC addresses using ARP, and the SVI for VLAN 10 remains uninvolved. In this scenario, L3 ACLs (RACL) applied to the SVI are bypassed and not utilized.

2. ACL Processing Order: The most specific object, the port ACL, is applied first. Following that, the inbound VACL (if present) is evaluated, and then the outbound VACL (if any) is applied.

Routed traffic

In this scenario, hosts H1 and H2 are on different IP subnets and VLANs, requiring inter-VLAN routing. Here, RACLs (L3 ACLs) applied to the SVIs play a role.

The sequence of ACL processing reflects that the SVI behaves like a host connected to the Layer 2 broadcast domain, even though it's internal to the multilayer switch:

1. The most specific Port ACL is evaluated first.
2. Then, the inbound VACL for VLAN 10 is checked.
3. Next, the inbound IP ACL (RACL) for the SVI interface of VLAN 10 is applied.
4. Inter-VLAN routing occurs at this point.
5. Afterward, the outbound IP ACL for the SVI interface of VLAN 20 is applied.
6. Finally, before reaching the destination host, the outgoing VACL for VLAN 20 is checked.
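The two processing orders above can be checked against a small model. The following Python script is an added example, not part of the original page and not a real IOS configuration: the Packet and Rule records, the port name Gi1/0/1, the subnets 10.0.10.0/24 (VLAN 10) and 10.0.20.0/24 (VLAN 20), and the sample policy are all constructed here. It walks a packet through the PACL, VACL and RACL stages in the order described, skips the SVI (RACL) stages for bridged traffic, and reports which stage made the decision, so you can see, for instance, that a restrictive inbound RACL on SVI 10 has no effect on hosts talking within VLAN 10.

```python
"""Toy model of PACL -> VACL -> RACL ordering on a multilayer switch.

Added example; the rule format, Packet record, port name and sample
policy are constructed for illustration, not taken from a real device.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    src_vlan: int  # VLAN the frame arrives on
    dst_vlan: int  # VLAN the destination host lives in


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str = "0.0.0.0/0"  # source prefix
    dst: str = "0.0.0.0/0"  # destination prefix

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


class ACL:
    """Ordered rule list: first match wins, implicit deny at the end."""

    def __init__(self, name: str, rules: list):
        self.name = name
        self.rules = rules

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"  # implicit deny, as on IOS


class Switch:
    """Holds the ACLs attached to switchports, VLANs and SVIs."""

    def __init__(self):
        self.pacl = {}      # switchport name -> inbound PACL
        self.vacl_in = {}   # VLAN id -> inbound VACL
        self.vacl_out = {}  # VLAN id -> outbound VACL
        self.racl_in = {}   # SVI VLAN id -> inbound RACL
        self.racl_out = {}  # SVI VLAN id -> outbound RACL

    def stages(self, pkt: Packet, port: str):
        """Yield (stage label, ACL or None) in processing order.

        Bridged traffic (same VLAN) never touches the SVI, so the two
        RACL stages are skipped entirely.
        """
        yield (f"PACL in {port}", self.pacl.get(port))
        yield (f"VACL in VLAN {pkt.src_vlan}", self.vacl_in.get(pkt.src_vlan))
        if pkt.src_vlan != pkt.dst_vlan:  # routed: the SVIs are in the path
            yield (f"RACL in SVI {pkt.src_vlan}", self.racl_in.get(pkt.src_vlan))
            yield (f"RACL out SVI {pkt.dst_vlan}", self.racl_out.get(pkt.dst_vlan))
        yield (f"VACL out VLAN {pkt.dst_vlan}", self.vacl_out.get(pkt.dst_vlan))

    def forward(self, pkt: Packet, port: str):
        """Return (verdict, deciding stage). A stage with no ACL permits."""
        for stage, acl in self.stages(pkt, port):
            if acl is not None and acl.evaluate(pkt) == "deny":
                return ("deny", stage)
        return ("permit", "delivered")


def build_sample_switch() -> Switch:
    """Constructed policy: VLAN 10 = 10.0.10.0/24, VLAN 20 = 10.0.20.0/24."""
    sw = Switch()
    # PACL on H1's access port: only the VLAN 10 subnet may source traffic
    sw.pacl["Gi1/0/1"] = ACL("PACL-H1", [Rule("permit", src="10.0.10.0/24")])
    # Inbound VACL on VLAN 10: nobody in VLAN 10 may reach 10.0.10.99
    sw.vacl_in[10] = ACL("VACL10-IN", [Rule("deny", dst="10.0.10.99/32"),
                                        Rule("permit")])
    # Inbound RACL on SVI 10: VLAN 10 may only be routed towards VLAN 20
    sw.racl_in[10] = ACL("RACL10-IN", [Rule("permit", src="10.0.10.0/24",
                                             dst="10.0.20.0/24")])
    # Outbound RACL on SVI 20: shield 10.0.20.50 from routed traffic
    sw.racl_out[20] = ACL("RACL20-OUT", [Rule("deny", dst="10.0.20.50/32"),
                                          Rule("permit")])
    # Outbound VACL on VLAN 20: present but fully permissive
    sw.vacl_out[20] = ACL("VACL20-OUT", [Rule("permit")])
    return sw


if __name__ == "__main__":
    sw = build_sample_switch()
    cases = {
        "bridged, allowed": Packet("10.0.10.5", "10.0.10.7", 10, 10),
        "bridged, hits VACL": Packet("10.0.10.5", "10.0.10.99", 10, 10),
        "routed, allowed": Packet("10.0.10.5", "10.0.20.8", 10, 20),
        "routed, hits RACL out": Packet("10.0.10.5", "10.0.20.50", 10, 20),
        "spoofed source, hits PACL": Packet("192.168.1.1", "10.0.20.8", 10, 20),
    }
    for label, pkt in cases.items():
        print(f"{label:28s} -> {sw.forward(pkt, 'Gi1/0/1')}")
```

Note that a stage with no ACL configured permits everything, whereas a configured ACL ends in an implicit deny; the model keeps that distinction, which is why the bridged 10.0.10.5 to 10.0.10.7 flow is delivered even though RACL10-IN on its own would deny it.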

Example

[Figure: ACL3.drawio.png (diagram not reproduced in this text)]