Product guide
10-35
Access Control Lists (ACLs)
Planning an ACL Application
■ VACLs: These filter any IP traffic entering the switch through any
port belonging to the designated VLAN. VACLs do not filter IP traffic
leaving the switch or being routed from another VLAN.
■ VACLs and RACLs Operate On Static VLANs: You can assign an
ACL to any VLAN that is statically configured on the switch. ACLs do
not operate with dynamic VLANs.
■ A VACL or RACL Affects All Physical Ports in a Static VLAN:
A VACL or RACL assigned to a VLAN applies to all physical ports on
the switch belonging to that VLAN, including ports that have
dynamically joined the VLAN.
■ RACLs Screen Routed IP Traffic Entering or Leaving the
Switch on a Given VLAN Interface: This means that the following
traffic is subject to ACL filtering:
• IP traffic arriving on the switch through one VLAN and leaving the
switch through another VLAN
• IP traffic arriving on the switch through one subnet and leaving the
switch through another subnet within the same, multinetted VLAN
Filtering the desired, routed IP traffic requires assigning an RACL to
screen IP traffic inbound or outbound on the appropriate VLAN(s). In the
case of a multinetted VLAN, it means that IP traffic inbound from different
subnets in the same VLAN is screened by the same inbound RACL, and IP
traffic outbound from different subnets is screened by the same outbound
RACL. (Refer to figure 10-1 on page 10-17.)
■ RACLs Do Not Filter Switched IP Traffic Unless the Switch
Itself is the SA or DA: RACLs do not filter IP traffic moving between
ports belonging to the same VLAN or subnet (in the case of a
subnetted VLAN). (IP traffic moving between ports in different
subnets of the same VLAN can be filtered.)
Note: RACLs do filter routed or switched IP traffic having an SA or DA on the
switch itself.
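The rules above can be checked with a small model. This is an added example, not from the guide: given a source and destination address, it lists which ACL checkpoints (VACL, inbound RACL, outbound RACL) screen the packet. The VLAN table and switch addresses are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the guide):
# VLAN 10 has one subnet; VLAN 20 is multinetted with two subnets.
VLANS = {
    10: [ip_network("10.1.10.0/24")],
    20: [ip_network("10.1.20.0/24"), ip_network("10.1.21.0/24")],
}
# The switch's own IP interface addresses (constructed).
SWITCH_ADDRESSES = {ip_address(a) for a in ("10.1.10.1", "10.1.20.1", "10.1.21.1")}


def locate(addr):
    """Return (vlan_id, subnet) containing addr, or (None, None) if unknown."""
    for vid, subnets in VLANS.items():
        for net in subnets:
            if addr in net:
                return vid, net
    return None, None


def acl_checkpoints(src, dst):
    """List, in order, the ACL checkpoints that screen an IP packet src -> dst.

    Encodes the rules on this page:
      * a VACL screens every IP packet entering through a port in its VLAN;
      * an RACL screens routed traffic inbound on the ingress VLAN and
        outbound on the egress VLAN (different VLANs, or different subnets
        of one multinetted VLAN);
      * switched traffic (same subnet) is not RACL-screened unless the
        switch itself is the source or destination.
    """
    src, dst = ip_address(src), ip_address(dst)
    in_vlan, in_net = locate(src)
    out_vlan, out_net = locate(dst)
    if in_vlan is None or out_vlan is None:
        raise ValueError("address is not on a configured VLAN")
    from_switch = src in SWITCH_ADDRESSES
    to_switch = dst in SWITCH_ADDRESSES
    routed = in_net != out_net  # different VLAN, or different subnet in one VLAN
    checks = []
    if not from_switch:
        # The packet arrives on a port of the ingress VLAN, so its VACL applies.
        checks.append(("VACL", in_vlan))
    if not from_switch and (routed or to_switch):
        checks.append(("RACL-in", in_vlan))
    if not to_switch and (routed or from_switch):
        checks.append(("RACL-out", out_vlan))
    return checks
```

For example, a host-to-host flow between the two subnets of VLAN 20 is routed and passes both RACL checkpoints on VLAN 20, while a flow within one subnet sees only the VACL.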