## PACL

Port Access-Control Lists are the same as RACLs (Router Access-Control Lists), except that they are applied to a `switchport`. See the example of a PACL below:

```plaintext
interface Ethernet1/1
 ip access-group 100 in
```

What is the difference then? **PACLs can filter MAC addresses.**

> PACLs only affect traffic in the INBOUND direction, regardless of how they are configured.

## VACL

VACL is a feature that allows access-control filtering to be applied **across an entire VLAN**, including:

- Traffic between ports in the same VLAN (even if not routed)
- Trunk ports
- Access ports
- SVI (Switched Virtual Interface)

Unlike standard port ACLs or router ACLs, **VACLs inspect all traffic within a VLAN**, regardless of L2/L3 boundaries.

> Best Practice: **Avoid relying on implicit deny** in VACLs. Explicitly forward all non-matched traffic using a separate sequence to avoid unintentionally dropping critical traffic.

### Step 1: Create an Extended ACL

The ACL defines the **target traffic** to match. In this example, we target **Telnet** traffic (TCP port 23).

```plaintext
ip access-list extended TELNET
 10 permit tcp any any eq telnet
```

> Note: In the context of a VACL, the ACL's **permitted** traffic is the traffic that will be acted upon by the access-map. Denied traffic is ignored.

### Step 2: Create a VLAN Access Map

VLAN access-maps act like policy maps. They take actions (e.g. drop or forward) based on access-list matches.

```plaintext
vlan access-map DROP_TELNET 10
 match ip address TELNET
 action drop log
vlan access-map DROP_TELNET 20
 action forward
```

Explanation:

- **Sequence 10**: Matches the `TELNET` ACL and drops matching traffic.
- **Sequence 20**: Forwards all other traffic.

### Step 3: Apply the Access Map

Apply the VLAN access-map to one or more VLANs:

```plaintext
vlan filter DROP_TELNET vlan-list 10
```

This enables the access-map on VLAN 10.

### Verifying VACLs

```plaintext
show vlan access-map
show vlan filter
```
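The following is an added example, not Cisco's code or part of the original notes: a small Python model of how the three VACL steps above fit together. It parses the extended ACL, the `vlan access-map` sequences and the `vlan filter` line into Python structures, then evaluates constructed sample packets against them. It deliberately models the two semantics the notes call out: an ACL `permit` selects the traffic a sequence acts on, and a packet matching no sequence hits the VACL's implicit deny. The `BAD_CONFIG` string is constructed to show what the best-practice note warns about (the same map without sequence 20). The packet representation, port-name table and helper names are assumptions made for this illustration, and only the `permit|deny <proto> any any [eq <port>]` ACE form is handled.

```python
"""Toy model of Cisco VLAN access-map (VACL) evaluation (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of IOS port keywords used by 'eq <name>'.
PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}


@dataclass
class Packet:  # hypothetical packet summary, just enough for ACL matching
    vlan: int
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass
class VaclConfig:
    acls: dict = field(default_factory=dict)         # name -> [(action, proto, port|None)]
    access_maps: dict = field(default_factory=dict)  # name -> [{"seq", "acl", "action"}]
    filters: dict = field(default_factory=dict)      # vlan id -> access-map name


def expand_vlan_list(spec):
    """Expand an IOS vlan-list such as '10-12,20' into [10, 11, 12, 20]."""
    vlans = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.extend(range(int(lo), int(hi) + 1))
        else:
            vlans.append(int(part))
    return vlans


def parse_config(text):
    """Parse the extended ACL, access-map and vlan filter fragments from the notes."""
    cfg = VaclConfig()
    current_acl = None
    current_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"ip access-list extended (\S+)", line):
            current_acl = cfg.acls.setdefault(m.group(1), [])
            current_map = None
        elif m := re.match(r"(?:\d+\s+)?(permit|deny)\s+(\S+)\s+any\s+any(?:\s+eq\s+(\S+))?$", line):
            port = m.group(3)
            port_num = PORT_NAMES.get(port, None) if port else None
            if port and port_num is None:
                port_num = int(port)           # numeric port, e.g. 'eq 443'
            current_acl.append((m.group(1), m.group(2), port_num))
        elif m := re.match(r"vlan access-map (\S+) (\d+)", line):
            current_map = cfg.access_maps.setdefault(m.group(1), [])
            current_map.append({"seq": int(m.group(2)), "acl": None, "action": None})
            current_acl = None
        elif m := re.match(r"match ip address (\S+)", line):
            current_map[-1]["acl"] = m.group(1)
        elif m := re.match(r"action (drop|forward)", line):   # 'action drop log' also matches
            current_map[-1]["action"] = m.group(1)
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)", line):
            for vlan in expand_vlan_list(m.group(2)):
                cfg.filters[vlan] = m.group(1)
    return cfg


def acl_permits(acl, pkt):
    """True when the first matching ACE is a permit.
    In a VACL, 'permit' means 'this is the traffic the sequence acts on';
    a deny or no match at all means the sequence is skipped."""
    for action, proto, port in acl:
        if proto in (pkt.proto, "ip") and (port is None or port == pkt.dst_port):
            return action == "permit"
    return False


def vacl_decision(cfg, pkt):
    """Return 'forward' or 'drop' for a packet on its VLAN.
    Sequences run in numeric order; a sequence with no match clause matches
    everything; no matching sequence means the implicit deny drops the packet."""
    map_name = cfg.filters.get(pkt.vlan)
    if map_name is None:
        return "forward"                       # no VACL applied to this VLAN
    for clause in sorted(cfg.access_maps[map_name], key=lambda c: c["seq"]):
        if clause["acl"] is None or acl_permits(cfg.acls[clause["acl"]], pkt):
            return clause["action"]
    return "drop"                              # VACL implicit deny


def evaluate(config_text, packets):
    cfg = parse_config(config_text)
    return [vacl_decision(cfg, p) for p in packets]


# Constructed config: the three steps from the notes, with the explicit forward.
GOOD_CONFIG = """
ip access-list extended TELNET
 10 permit tcp any any eq telnet
vlan access-map DROP_TELNET 10
 match ip address TELNET
 action drop log
vlan access-map DROP_TELNET 20
 action forward
vlan filter DROP_TELNET vlan-list 10
"""

# Constructed config: same map without sequence 20, relying on the implicit deny.
BAD_CONFIG = GOOD_CONFIG.replace("vlan access-map DROP_TELNET 20\n action forward\n", "")

SAMPLE = [                                     # constructed sample traffic
    Packet(vlan=10, proto="tcp", dst_port=23),   # Telnet on VLAN 10
    Packet(vlan=10, proto="tcp", dst_port=443),  # HTTPS on VLAN 10
    Packet(vlan=10, proto="icmp"),               # ping on VLAN 10
    Packet(vlan=20, proto="tcp", dst_port=23),   # Telnet on VLAN 20 (no filter)
]

if __name__ == "__main__":
    print("explicit forward:", evaluate(GOOD_CONFIG, SAMPLE))
    print("implicit deny:   ", evaluate(BAD_CONFIG, SAMPLE))
```

Running it shows the difference the best-practice note is about: with sequence 20 present only the Telnet packet on VLAN 10 is dropped, while the config without it drops the HTTPS and ICMP traffic on VLAN 10 as well, because nothing matched and the implicit deny applied. Traffic on VLAN 20 is untouched in both cases since no `vlan filter` covers it.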