Table Of ContentConfiguring IP ACLs
ThischapterdescribeshowtoconfigureIPaccesscontrollists(ACLs)onCiscoNX-OS.
Unlessotherwisespecified,thetermIPACLreferstoIPv4ACLs.
Note TheCiscoNX-OSreleasethatisrunningonamanagedmaynotsupportalldocumentedfeaturesor
settings.Forthelatestfeatureinformationandcaveats,seethedocumentationandreleasenotesforyour
platformandsoftwarerelease.
Thischapterincludesthefollowingsections:
• InformationAboutACLs, page 1
• LicensingRequirementsforIPACLs, page 8
• PrerequisitesforIPACLs, page 9
• GuidelinesandLimitationsforIPACLs, page 9
• DefaultSettingsforIPACLs, page 10
• ConfiguringIPACLs, page 10
• VerifyingIPACLConfigurations, page 27
• MonitoringandClearingIPACLStatistics, page 28
• ConfigurationExamplesforIPACLs, page 28
Information About ACLs
AnACLisanorderedsetofrulesthatyoucanusetofiltertraffic.Eachrulespecifiesasetofconditionsthat
apacketmustsatisfytomatchtherule.WhenthedevicedeterminesthatanACLappliestoapacket,ittests
thepacketagainsttheconditionsofallrules.Thefirstmatchingruledetermineswhetherthepacketispermitted
ordenied.Ifthereisnomatch,thedeviceappliestheapplicableimplicitrule.Thedevicecontinuesprocessing
packetsthatarepermittedanddropspacketsthataredenied.
YoucanuseACLstoprotectnetworksandspecifichostsfromunnecessaryorunwantedtraffic.Forexample,
youcoulduseACLstodisallowHTTPtrafficfromahigh-securitynetworktotheInternet.Youcouldalso
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
OL-25780-01 1
Configuring IP ACLs
ACL Types and Applications
useACLstoallowHTTPtrafficbutonlytospecificsites,usingtheIPaddressofthesitetoidentifyitinan
IPACL.
ACL Types and Applications
ThedevicesupportsthefollowingtypesofACLsforsecuritytrafficfiltering:
IPv4ACLs ThedeviceappliesIPv4ACLsonlytoIPv4traffic.
IPACLshavethefollowingtypesofapplications:
PortACL FiltersLayer2traffic
RouterACL FiltersLayer3traffic
VLANACL FiltersVLANtraffic
VTYACL Filtersvirtualteletype(VTY)traffic
ThistablesummarizestheapplicationsforsecurityACLs.
Table 1: Security ACL Applications
Application Supported Interfaces Types of ACLs Supported
PortACL
•Layer2interfaces •IPv4ACLs
•Layer2Ethernetport-channel
interfaces
WhenaportACLisappliedtoa
trunkport,theACLfilterstraffic
onallVLANsonthetrunkport.
RouterACL
•VLANinterfaces •IPv4ACLs
•PhysicalLayer3interfaces
•Layer3Ethernet
subinterfaces
•Layer3Ethernetport-channel
interfaces
•Layer3Ethernetport-channel
subinterfaces
•Managementinterfaces
Note YoumustenableVLAN
interfacesgloballybefore
youcanconfigurea
VLANinterface.
VLANACL
•VLANs •IPv4ACLs
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
2 OL-25780-01
Configuring IP ACLs
Order of ACL Application
Application Supported Interfaces Types of ACLs Supported
VTYACL
•VTYs •IPv4ACLs
Order of ACL Application
Whenthedeviceprocessesapacket,itdeterminestheforwardingpathofthepacket.Thepathdetermines
whichACLsthatthedeviceappliestothetraffic.ThedeviceappliestheACLsinthefollowingorder:
1 PortACL
2 IngressVACL
3 IngressrouterACL
4 IngressVTYACL
5 EgressVTYACL
6 EgressrouterACL
7 EgressVACL
IfthepacketisbridgedwithintheingressVLAN,thedevicedoesnotapplyrouterACLs.
ThefollowingfigureshowstheorderinwhichthedeviceappliesACLs.
Figure 1: Order of ACL Application
ThefollowingfigureshowswherethedeviceappliesACLs,dependinguponthetypeofACL.Theredpath
indicatesapacketsenttoadestinationonadifferentinterfacethanitssource.Thebluepathindicatesapacket
thatisbridgedwithinitsVLAN.
ThedeviceappliesonlytheapplicableACLs.Forexample,iftheingressportisaLayer2portandthetraffic
isonaVLANthatisaVLANinterface,aportACLandarouterACLbothcanapply.Inaddition,ifaVACL
isappliedtotheVLAN,thedeviceappliesthatACLtoo.
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
OL-25780-01 3
Configuring IP ACLs
About Rules
Figure 2: ACLs and Packet Flow
About Rules
Rulesarewhatyoucreate,modify,andremovewhenyouconfigurehowanACLfiltersnetworktraffic.Rules
appearintherunningconfiguration.WhenyouapplyanACLtoaninterfaceorchangearulewithinanACL
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
4 OL-25780-01
Configuring IP ACLs
About Rules
thatisalreadyappliedtoaninterface,thesupervisormodulecreatesACLentriesfromtherulesintherunning
configurationandsendsthoseACLentriestotheapplicableI/Omodule.Dependinguponhowyouconfigure
theACL,theremaybemoreACLentriesthanrules,especiallyifyouimplementpolicy-basedACLsbyusing
objectgroupswhenyouconfigurerules.
Youcancreaterulesinaccess-listconfigurationmodebyusingthepermitordenycommand.Thedevice
allowstrafficthatmatchesthecriteriainapermitruleandblockstrafficthatmatchesthecriteriainadeny
rule.Youhavemanyoptionsforconfiguringthecriteriathattrafficmustmeetinordertomatchtherule.
Thissectiondescribessomeoftheoptionsthatyoucanusewhenyouconfigurearule.Forinformationabout
everyoption,seetheapplicablepermitanddenycommandsintheCiscoNexus7000SeriesNX-OSSecurity
CommandReference.
Protocols
IPv4ACLsallowyoutoidentifytrafficbyprotocol.Foryourconvenience,youcanspecifysomeprotocols
byname.Forexample,inanIPv4ACL,youcanspecifyICMPbyname.
Youcanspecifyanyprotocolbynumber.
InIPv4,youcanspecifyprotocolsbytheintegerthatrepresentstheInternetprotocolnumber.Forexample,
youcanuse115tospecifyLayer2TunnelingProtocol(L2TP)traffic.
ForalistoftheprotocolsthateachtypeofACLsupportsbyname,seetheapplicablepermitanddeny
commandsintheCiscoNexus3000SeriesNX-OSSecurityCommandReference.
Source and Destination
Ineachrule,youspecifythesourceandthedestinationofthetrafficthatmatchestherule.Youcanspecify
boththesourceanddestinationasaspecifichost,anetworkorgroupofhosts,oranyhost.Howyouspecify
thesourceanddestinationdependsonwhetheryouareconfiguringIPv4ACLs.
Implicit Rules
IPandMACACLshaveimplicitrules,whichmeansthatalthoughtheserulesdonotappearintherunning
configuration,thedeviceappliesthemtotrafficwhennootherrulesinanACLmatch.Whenyouconfigure
thedevicetomaintainper-rulestatisticsforanACL,thedevicedoesnotmaintainstatisticsforimplicitrules.
AllIPv4ACLsincludethefollowingimplicitrule:
deny ip any any
ThisimplicitruleensuresthatthedevicedeniesunmatchedIPtraffic.
Thisimplicitruleensuresthatthedevicedeniestheunmatchedtraffic,regardlessoftheprotocolspecifiedin
theLayer2headerofthetraffic.
Additional Filtering Options
Youcanidentifytrafficbyusingadditionaloptions.TheseoptionsdifferbyACLtype.Thefollowinglist
includesmostbutnotalladditionalfilteringoptions:
•IPv4ACLssupportthefollowingadditionalfilteringoptions:
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
OL-25780-01 5
Configuring IP ACLs
About Rules
◦Layer4protocol
◦AuthenticationHeaderProtocol
◦EnhancedInteriorGatewayRoutingProtocol(EIGRP)
◦OpenShortestPathFirst(OSPF)
◦PayloadCompressionProtocol
◦Protocol-independentmulticast(PIM)
◦TCPandUDPports
◦ICMPtypesandcodes
◦Precedencelevel
◦DifferentiatedServicesCodePoint(DSCP)value
◦TCPpacketswiththeACK,FIN,PSH,RST,SYN,orURGbitset
◦EstablishedTCPconnections
◦Packetlength
Sequence Numbers
Thedevicesupportssequencenumbersforrules.Everyrulethatyouenterreceivesasequencenumber,either
assignedbyyouorassignedautomaticallybythedevice.SequencenumberssimplifythefollowingACL
tasks:
Addingnewrules Byspecifyingthesequencenumber,youspecifywhereintheACLanewrule
betweenexistingrules shouldbepositioned.Forexample,ifyouneedtoinsertarulebetweenrules
numbered100and110,youcouldassignasequencenumberof105tothenew
rule.
Removingarule Withoutusingasequencenumber,removingarulerequiresthatyouenterthewhole
rule,asfollows:
switch(config-acl)# no permit tcp 10.0.0.0/8 any
However,ifthesamerulehadasequencenumberof101,removingtherulerequires
onlythefollowingcommand:
switch(config-acl)# no 101
Movingarule Withsequencenumbers,ifyouneedtomovearuletoadifferentpositionwithin
anACL,youcanaddasecondinstanceoftheruleusingthesequencenumberthat
positionsitcorrectly,andthenyoucanremovetheoriginalinstanceoftherule.
Thisactionallowsyoutomovetherulewithoutdisruptingtraffic.
Ifyouenterarulewithoutasequencenumber,thedeviceaddstheruletotheendoftheACLandassignsa
sequencenumberthatis10greaterthanthesequencenumberoftheprecedingruletotherule.Forexample,
ifthelastruleinanACLhasasequencenumberof225andyouaddarulewithoutasequencenumber,the
deviceassignsthesequencenumber235tothenewrule.
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
6 OL-25780-01
Configuring IP ACLs
Statistics and ACLs
Inaddition,CiscoNX-OSallowsyoutoreassignsequencenumberstorulesinanACL.Resequencingis
usefulwhenanACLhasrulesnumberedcontiguously,suchas100and101,andyouneedtoinsertoneor
morerulesbetweenthoserules.
Logical Operators and Logical Operation Units
IPACLrulesforTCPandUDPtrafficcanuselogicaloperatorstofiltertrafficbasedonportnumbers.The
devicestoresoperator-operandcouplesinregisterscalledlogicaloperatorunits(LOUs).
TheLOUusageforeachtypeofoperatorisasfollows:
eq IsneverstoredinanLOU
gt Uses1LOU
lt Uses1LOU
neq Uses1LOU
range Uses1LOU
Statistics and ACLs
ThedevicecanmaintainglobalstatisticsforeachrulethatyouconfigureinIPv4,IPv6,andMACACLs.If
anACLisappliedtomultipleinterfaces,themaintainedrulestatisticsarethesumofpacketmatches(hits)
onalltheinterfacesonwhichthatACLisapplied.
Note Thedevicedoesnotsupportinterface-levelACLstatistics.
ForeachACLthatyouconfigure,youcanspecifywhetherthedevicemaintainsstatisticsforthatACL,which
allowsyoutoturnACLstatisticsonoroffasneededtomonitortrafficfilteredbyanACLortohelp
troubleshoottheconfigurationofanACL.
ThedevicedoesnotmaintainstatisticsforimplicitrulesinanACL.Forexample,thedevicedoesnotmaintain
acountofpacketsthatmatchtheimplicitdenyipanyanyruleattheendofallIPv4ACLs.Ifyouwantto
maintainstatisticsforimplicitrules,youmustexplicitlyconfiguretheACLwithrulesthatareidenticaltothe
implicitrules.
VTY Support
CiscoNX-OSdoesnotsupportapplyinganACLdirectlytoaVTYline;however,youcanusecontrolplane
policing(CoPP)tofilterVTYtraffic.Todoso,youmustdefinetwoACLsforusewithfilteringVTYtraffic:
oneACLthatpermitstrafficthatyouwanttoallowandanotherACLthatpermitstrafficthatyouwantto
drop.ThenyoucanconfigureCoPPtotransmitthepacketsthatarepermittedbytheACLthatmatches
desirabletrafficandtodropthepacketsthatarepermittedbytheACLthatmatchesundesirabletraffic.
Inthefollowingexample,theACLcopp-system-acl-allowexplicitlyallowsTelnet,SSH,SNMP,NTP,
RADIUS,andTACACS+trafficthatisinboundfromthe10.30.30.0/24networkandallowsanytraffic
outboundfromthedevicetothe10.30.30.0/24network.Thecopp-system-acl-denyexplicitlyallowsalltraffic.
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
OL-25780-01 7
Configuring IP ACLs
Session Manager Support for IP ACLs
Thepolicingpoliciesareconfiguredtotransmitthetrafficpermittedbythecopp-system-acl-allowACLand
todropthetrafficpermittedbythecopp-system-acl-denyACL.
ip access-list copp-system-acl-allow
10 remark ### ALLOW TELNET from 10.30.30.0/24
20 permit tcp 10.30.30.0/24 any eq telnet
30 permit tcp 10.30.30.0/24 any eq 107
40 remark ### ALLOW SSH from 10.30.30.0/24
50 permit tcp 10.30.30.0/24 any eq 22
60 remark ### ALLOW SNMP from 10.30.30.0/24
70 permit udp 10.30.30.0/24 any eq snmp
80 remark ### ALLOW TACACS from 10.30.30.0/24
90 permit tcp 10.30.30.0/24 any eq tacacs
100 remark ### ALLOW RADIUS from 10.30.30.0/24
110 permit udp 10.30.30.0/24 any eq 1812
120 permit udp 10.30.30.0/24 any eq 1813
130 permit udp 10.30.30.0/24 any eq 1645
140 permit udp 10.30.30.0/24 any eq 1646
150 permit udp 10.30.30.0/24 eq 1812 any
160 permit udp 10.30.30.0/24 eq 1813 any
170 permit udp 10.30.30.0/24 eq 1645 any
180 permit udp 10.30.30.0/24 eq 1646 any
190 remark ### ALLOW NTP from 10.30.30.0/24
200 permit udp 10.30.30.0/24 any eq ntp
210 remark ### ALLOW ALL OUTBOUND traffic TO 10.30.30.0/24
220 permit ip any 10.30.30.0/24
statistics # keep statistics on matches
ip access-list copp-system-acl-deny
10 remark ### this is a catch-all to match any other traffic
20 permit ip any any
statistics # keep statistics on matches
class-map type control-plane match-any copp-system-class-management-allow
match access-group name copp-system-acl-allow
class-map type control-plane match-any copp-system-class-management-deny
match access-group name copp-system-acl-deny
policy-map type control-plane copp-system-policy
class copp-system-class-management-allow
police cir 60000 kbps bc 250 ms conform transmit violate drop
class copp-system-class-management-deny
police cir 60000 kbps bc 250 ms conform drop violate drop
control-plane
service-policy input copp-system-policy
Session Manager Support for IP ACLs
SessionManagersupportstheconfigurationofIPandMACACLs.ThisfeatureallowsyoutoverifyACL
configurationandconfirmthattheresourcesrequiredbytheconfigurationareavailablepriortocommitting
themtotherunningconfiguration.FormoreinformationaboutSessionManager,seethe.
Licensing Requirements for IP ACLs
Thefollowingtableshowsthelicensingrequirementsforthisfeature:
Product License Requirement
CiscoNX-OS NolicenseisrequiredtouseIPACLs.Howeverto
supportupto128KACLentriesusinganXLline
card,youmustinstallthescalableserviceslicense.
Anyfeaturenotincludedinalicensepackageis
bundledwiththeCiscoNX-OSsystemimagesand
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
8 OL-25780-01
Configuring IP ACLs
Prerequisites for IP ACLs
Product License Requirement
isprovidedatnoextrachargetoyou.Foran
explanationoftheCiscoNX-OSlicensingscheme,
seetheCiscoNX-OSLicensingGuide.
Prerequisites for IP ACLs
IPACLshavethefollowingprerequisites:
•YoumustbefamiliarwithIPaddressingandprotocolstoconfigureIPACLs.
•YoumustbefamiliarwiththeinterfacetypesthatyouwanttoconfigurewithACLs.
Guidelines and Limitations for IP ACLs
IPACLshavethefollowingconfigurationguidelinesandlimitations:
•WerecommendthatyouperformACLconfigurationusingtheSessionManager.Thisfeatureallows
youtoverifyACLconfigurationandconfirmthattheresourcesrequiredbytheconfigurationareavailable
priortocommittingthemtotherunningconfiguration.ThisisespeciallyusefulforACLsthatinclude
morethanabout1000rules.
•Inmostcases,ACLprocessingforIPpacketsoccursontheI/Omodules,whichusehardwarethat
acceleratesACLprocessing.Insomecircumstances,processingoccursonthesupervisormodule,which
canresultinslowerACLprocessing,especiallyduringprocessingthatinvolvesanACLwithalarge
numberofrules.Managementinterfacetrafficisalwaysprocessedonthesupervisormodule.IfIP
packetsinanyofthefollowingcategoriesareexitingaLayer3interface,theyaresenttothesupervisor
moduleforprocessing:
◦PacketsthatfailtheLayer3maximumtransmissionunitcheckandthereforerequirefragmenting.
◦IPv4packetsthathaveIPoptions(additionalIPpacketheaderfieldsfollowingthedestination
addressfield).
Ratelimiterspreventredirectedpacketsfromoverwhelmingthesupervisormodule.
Note PriortoCiscoNX-OSRelease4.2(3),ACLloggingdoesnotsupportACLprocessing
thatoccursonthesupervisormodule.
•WhenyouapplyanACLthatusestimeranges,thedeviceupdatestheACLentriesontheaffectedI/O
moduleswheneveratimerangereferencedinanACLentrystartsorends.Updatesthatareinitiatedby
timerangesoccuronabest-effortpriority.Ifthedeviceisespeciallybusywhenatimerangecausesan
update,thedevicemaydelaytheupdatebyuptoafewseconds.
•ToapplyanIPACLtoaVLANinterface,youmusthaveenabledVLANinterfacesglobally.
•ThemaximumnumberofsupportedIPACLentriesis64KfordeviceswithoutanXLlinecardand
128KfordeviceswithanXLlinecard.
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
OL-25780-01 9
Configuring IP ACLs
Default Settings for IP ACLs
•IfyoutrytoapplytoomanyACLentriestoanon-XLlinecard,theconfigurationisrejected.
•EachforwardingengineonanF1Seriesmodulesupports1KingressACLentries,with984entries
availableforuserconfiguration.ThetotalnumberofIPACLentriesfortheF1Seriesmodulesisfrom
1Kto16K,dependingonwhichforwardingenginesthepoliciesareapplied.
•F1SeriesmodulesdonotsupportrouterACLs.
•F1SeriesmodulesdonotsupportACLlogging.
•F1Seriesmodulesdonotsupportbankchaining.
•EachportACLcansupportuptofourdifferentLayer4operationsforF1Seriesmodules.
•Eachofthe16forwardingenginesinanF1Seriesmodulesupportsupto250IPv6addressesacross
multipleACLs.
•TheVTYACLfeaturerestrictsalltrafficforallVTYlines.Youcannotspecifydifferenttrafficrestrictions
fordifferentVTYlines.
•AnyrouterACLcanbeconfiguredasaVTYACL.
•ACLpoliciesarenotsupportedontheFabricExtenderfabricportchannel.
Default Settings for IP ACLs
ThistableliststhedefaultsettingsforIPACLparameters.
Table 2: Default IP ACL Parameters
Parameters Default
IPACLs NoIPACLsexistbydefault
ACLrules ImplicitrulesapplytoallACLs
Objectgroups Noobjectgroupsexistbydefault
Timeranges Notimerangesexistbydefault
Configuring IP ACLs
Creating an IP ACL
YoucancreateanIPv4ACLACLonthedeviceandaddrulestoit.
Before You Begin
WerecommendthatyouperformACLconfigurationusingtheSessionManager.Thisfeatureallowsyouto
verifyACLconfigurationandconfirmthattheresourcesrequiredbytheconfigurationareavailablepriorto
Cisco Nexus 3000 Series NX-OS Security Configuration Guide, Release 5.0(3)U2(2)
10 OL-25780-01
Description:This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS . Specifies the virtual terminal and enters line configuration.
