VACL - use cases
VLAN Access Control Lists (VACLs) provide a flexible method for controlling traffic within the same VLAN. While the best practice in network design is to use separate subnets and VLANs to manage communication between hosts, VACLs offer an additional layer of control in specific scenarios:
- Budget Constraints: When there is a lack of budget for additional equipment and infrastructure to create separate subnets/VLANs, VACLs can be a cost-effective solution.
- Quick Security Solutions: VACLs can serve as a temporary security measure when a quick solution is needed.
- Intra-VLAN Traffic Filtering: VACLs are useful for filtering traffic within the same VLAN, especially when certain devices or servers should not interact using specific protocols.
- Shared Hosting Environments: In environments where multiple clients share the same VLAN, VACLs can prevent clients from accessing each other's servers, enhancing privacy and security.
- Traffic Control: VACLs can manage the flow of traffic within a VLAN to prevent congestion or prioritize certain types of traffic.
An alternative to VACLs is the use of private VLANs, which can deliver similar results. The choice between VACLs and private VLANs depends on factors such as cost, time, permanence of the solution, and convenience.
Additionally, VACLs filter traffic at both Layers 2 and 3. Any traffic that does not match the permit or redirect statements in the VACL access map is implicitly dropped, including ARP messages. This can cause communication issues if the ARP cache is cleared. To prevent this, a match statement should be added to the VACL to forward ARP messages.
Links
https://forum.networklessons.com/t/vlan-access-list-vacl/1155/62?u=lagapidis
https://networklessons.com/cisco/ccie-enterprise-infrastructure/vlan-access-list-vacl