|Exam 400-101||Question id=769||Infrastructure Security|
Which of the following can be applied on a switch to filter inbound traffic on nonrouted ports?
VLAN access control lists (VACLs) and port access control lists (PACLs) can be applied on a switch to filter inbound traffic on nonrouted ports. Access control lists (ACLs) are security mechanisms used to determine whether inbound and outbound packets should be forwarded or blocked. Standard, extended and MAC ACLs only define the match criteria; what differs is where they are applied. Router ACLs filter Layer 3 (routed) traffic, whereas VACLs and PACLs reference those same ACLs to filter nonrouted Layer 2 traffic that is bridged within a VLAN. However, PACLs cannot filter outbound traffic; they filter only inbound traffic.
VACLs are used to filter traffic within a virtual LAN (VLAN). A VACL can be used to prevent malicious users from gaining access to other resources on the same VLAN. Unlike most ACLs, VACLs do not filter packets as they reach an interface, and they have no direction. Instead, a VACL is configured as a VLAN access map and attached to one or more VLANs with the vlan filter command, so it filters all packets bridged within the VLAN (and packets routed into or out of it), regardless of how many interfaces the VLAN spans. A VLAN access map ends with an implicit drop, so a final entry with action forward and no match clause is required to let unmatched traffic through.
PACLs are used to filter inbound traffic on Layer 2 switch ports. They are applied with the ip access-group or mac access-group command on a switchport, where only the in direction is accepted. When PACLs are applied on a switch, all packets are inspected as they reach the port. PACLs take precedence over VACLs and Layer 3 ACLs; on some Catalyst platforms an interface-level access-group mode chooses whether the PACL overrides the VACL and RACL (prefer port) or is merged with them in PACL, VACL, RACL order. Like VACLs, PACLs can be used to filter VLAN traffic, including voice and data VLAN traffic, if the PACLs are applied to a trunk port.
Router ACLs (RACLs) cannot be applied on a switch to filter inbound traffic on nonrouted ports. RACLs provide similar functionality to VACLs and PACLs, except that they cannot be applied to Layer 2 traffic: a frame switched between two hosts in the same VLAN never crosses a routed interface, so a RACL never sees it. RACLs are limited to Layer 3 interfaces, such as those on routers, or the switch virtual interfaces (SVIs) and routed ports (no switchport) of multilayer switches configured for Layer 3 routing.
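The following Cisco IOS configuration is an added example written for this explanation; it is not part of the original question or of any vendor documentation. It places all three ACL types side by side so the difference in attachment point is visible: a VACL attached to VLAN 10 with a VLAN access map, a PACL attached inbound to a Layer 2 access port, and a RACL attached to the SVI. The VLAN numbers, addresses, ACL names and interface names are assumptions chosen for illustration.

```cisco
! Constructed example: VLAN 10, addresses, ACL names and interfaces are assumptions.
!
! 1. VACL: stop host 10.1.10.50 from reaching the database server 10.1.10.20
!    inside the same VLAN. The IP ACL only selects traffic; the access map
!    decides the action. No direction is specified anywhere.
ip access-list extended VACL-MATCH-DB
 permit tcp host 10.1.10.50 host 10.1.10.20 eq 1433
!
vlan access-map VLAN10-POLICY 10
 match ip address VACL-MATCH-DB
 action drop
! Entry 20 has no match clause, so it matches everything else. Without it the
! implicit drop at the end of the access map would black-hole all of VLAN 10.
vlan access-map VLAN10-POLICY 20
 action forward
!
vlan filter VLAN10-POLICY vlan-list 10
!
! 2. PACL: filter frames as they enter a Layer 2 access port. Only the "in"
!    keyword is accepted on a switchport; "out" is rejected.
ip access-list extended PACL-USER-PORT
 deny   tcp any any eq 23
 deny   udp any any eq 69
 permit ip any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-USER-PORT in
!
! 3. RACL: attached to the SVI, a Layer 3 interface, so it sees only traffic
!    routed into or out of VLAN 10. Host-to-host traffic inside VLAN 10 never
!    touches it; that is why the VACL above is needed for intra-VLAN control.
ip access-list extended RACL-VLAN10-IN
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group RACL-VLAN10-IN in
!
! Verification
show vlan access-map VLAN10-POLICY
show vlan filter
show ip access-lists
show running-config interface GigabitEthernet1/0/10
```

When checking a design like this, confirm three things: that show vlan filter lists the access map against the intended VLANs (a VACL that is defined but not attached with vlan filter does nothing), that the last access-map entry forwards unmatched traffic, and that the PACL is attached with the in keyword on a port still in switchport mode, since converting the port with no switchport turns the same ip access-group line into a RACL with different semantics.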