Port Access Control Lists (PACLs)


[Port Access Control Lists (PACLs)](/port-access-control-lists-pacls) are [ACLs](/access-list-acl) that can be applied to Layer 2 switchports.  However, they have certain restrictions compared to their Layer 3 counterparts.

These limitations are due to switch architecture and hardware considerations and include:

1. No Outbound (Egress) Filtering:
	- Switch [ASICs](/hardware-application-specific-integrated-circuit-asic) process traffic in the switching path at egress
	- Adding outbound filtering would require re-analysis after forwarding decisions have already been made
	- Ingress processing is prioritized for performance optimization
	- Additional [TCAM/CAM](/memory-cam-and-tcam) resources would be needed for outbound filtering
2. [Control Plane](/network-control-plane) Traffic:
	- PACLs cannot filter Layer 2 control protocols ([CDP](/cisco-discovery-protocol-cdp), [VTP](/vtp), [DTP](/dtp))
	- Control plane and [data plane](/network-data-plane) filtering must remain separate
	- [Control Plane Policing (CoPP)](/control-plane-policing-copp) should be used instead for control traffic
3. Protocol Support:
	- Support for filtering  [IPv6](/ipv6), [ARP](/arp), and [MPLS](/mpls) varies by platform
	- Hardware capabilities determine supported protocol filtering
	- Check platform documentation for specific protocol support

PACL limitations on Layer 2 are primarily driven by switch ASIC architecture, control plane separation requirements, and platform-specific hardware capabilities.

## Links

https://networklessons.com/cisco/ccie-routing-switching-written/ipv6-pacl-port-acl

Port ACL (PACL) Restrictions and Design Considerations

OSPFv3 Prefix Information Separation

OSPFv3 communication between routers and next hop addresses

OSPFv3 instance ID

Offset-list

PAT (overloading) maximum number of translations per inside global address

PAgP

PBR - Policy Based Routing

PBR - Transport Layer port number

PBR - load balancing

PBR - matching prefix lists

PBR - route-map and ACL deny statements not supported

PBR - set interface command

PBR next hop recursive

PBR next hop verify availability

PBR next-hop and default next-hop

PPPoE

PSTN

PTP - Best Master Clock Algorithm

PTP - Clock Types

PTP - Interface Roles

PTP - Offset and Delay times

Passive interface

Physical layer - Copper medium

Physical layer - Optical fiber medium

Physical layer - Wireless medium

Physical layer - encoding

Physical layer - media

Physical layer - modem

Physical layer - modulation

Physical layer Carrier Wave

Ping - Specify ToS

Ping - common reasons for failure

Ping - debug commands

Ping - extended feature

Ping - possible ping responses

Ping - specifying size

Ping - sweep range of sizes

Ping - troubleshooting concepts

Ping

PoE - Understanding Maximum Power

PoE Passive

PoE Standards-based

PoE over Gigabit Ethernet

PoE power sourcing equipment (PSE)

PoE powered device (PD)

PoE what is it

Point-to-Point Protocol (PPP)

Policy Based Routing acts on incoming traffic

Policy NAT (Conditional NAT) Use Cases

Prefix Lists - Operators

Prefix Lists

Private VLANs - non-operational type

Private VLANs and Trunks

Private WAN

Protocol Data Unit (PDU)

Protocol Independent Multicast (PIM)

Protocols with LFA support

Proxy ARP Best Practices

Pseudowire

Public Key Certificate

Public vs Private AS with multiple ISPs

Python - Parsing output of show commands

Python - Performing Tasks Concurrently

Python - viewing code using trinket.io

Python Paramiko SSH

Python stdin, stdout, stderr

QOS - Multilayer Switch QoS (MLS)

QoS - Assured Forwarding PHB values

QoS - Bc and Be bucket sizes

QoS - Classification by IP

QoS - CoS to DSCP and DSCP to CoS mapping

QoS - Hierarchical QoS

QoS - Jitter

QoS - LLQ applied only outbound

QoS - LLQ bandwidth configuration

QoS - LLQ priority commands

QoS - Nested policy maps

QoS - Policing command syntax

QoS - RSVP bandwidth and flow reservations

QoS - Recommended router images for QoS labs in GNS3

QoS - Tail Drop

QoS - Using CBWFQ with traffic shaping

QoS - WRED traffic profile thresholds

QoS - applying policies

QoS - auto qos trust

QoS - classification

QoS - effects of bandwidth interface command

QoS - is WRED really a congestion avoidance mechanism

QoS - key and nonkey fields

QoS - marking

QoS CBWFQ traffic allocation when there are empty queues

QoS CBWFQ

QoS CoS vs DSCP

QoS Groups Example

QoS Groups

QoS Hardware Queue vs Software Queue

QoS Hierarchical Queuing Framework (HQF)

QoS Impact of Priority Queue on Class-Default Traffic

Port ACL (PACL) Restrictions and Design Considerations

Links

Links to this page: