Security Configuration Guide, Cisco DCNM for LAN, Release 6.x
Configuring IP ACLs

This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS devices.

Unless otherwise specified, the term IP ACL refers to IPv4 and IPv6 ACLs.


Note


The Cisco NX-OS release that is running on a managed device may not support all documented features or settings. For the latest feature information and caveats, see the documentation and release notes for your platform and software release.


This chapter includes the following sections:

Information About ACLs

An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

ACL Types and Applications

The device supports the following types of ACLs for security traffic filtering:

IPv4 ACLs
The device applies IPv4 ACLs only to IPv4 traffic.
IPv6 ACLs
The device applies IPv6 ACLs only to IPv6 traffic.
MAC ACLs
The device applies MAC ACLs only to non-IP traffic by default; however, you can configure Layer 2 interfaces to apply MAC ACLs to all traffic.

IP and MAC ACLs have the following types of applications:

Port ACL
Filters Layer 2 traffic
Router ACL
Filters Layer 3 traffic
VLAN ACL
Filters VLAN traffic

This table summarizes the applications for security ACLs.

Table 1 Security ACL Applications

Port ACL
  Supported Interfaces:
    • Layer 2 interfaces
    • Layer 2 Ethernet port-channel interfaces
  When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.
  Types of ACLs Supported:
    • IPv4 ACLs
    • IPv6 ACLs
    • MAC ACLs

Router ACL
  Supported Interfaces:
    • VLAN interfaces
    • Physical Layer 3 interfaces
    • Layer 3 Ethernet subinterfaces
    • Layer 3 Ethernet port-channel interfaces
    • Layer 3 Ethernet port-channel subinterfaces
    • Tunnels
    • Management interfaces
  Types of ACLs Supported:
    • IPv4 ACLs
    • IPv6 ACLs

VLAN ACL
  Supported Interfaces:
    • VLANs
  Types of ACLs Supported:
    • IPv4 ACLs
    • IPv6 ACLs
    • MAC ACLs

Order of ACL Application

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs that the device applies to the traffic. The device applies the ACLs in the following order:

  1. Port ACL
  2. Ingress VACL
  3. Ingress router ACL
  4. Egress router ACL
  5. Egress VACL

If the packet is bridged within the ingress VLAN, the device does not apply router ACLs.

Figure 1. Order of ACL Application. This figure shows the order in which the device applies ACLs.

Figure 2. ACLs and Packet Flow. This figure shows where the device applies ACLs, depending upon the type of ACL. The red path indicates a packet sent to a destination on a different interface than its source. The blue path indicates a packet that is bridged within its VLAN.

The device applies only the applicable ACLs. For example, if the ingress port is a Layer 2 port and the traffic is on a VLAN that is a VLAN interface, a port ACL and a router ACL both can apply. In addition, if a VACL is applied to the VLAN, the device applies that ACL too.



About Rules

Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.

When you create rules in an ACL, the device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match a rule.

This section describes some of the options that you can use when you configure a rule.

Protocols for IP ACLs

IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 or IPv6 ACL, you can specify ICMP by name.

You can specify any protocol by number. In MAC ACLs, you can specify protocols by the EtherType number of the protocol, which is a hexadecimal number. For example, you can use 0x0800 to specify IP traffic in a MAC ACL rule.

In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host. How you specify the source and destination depends on whether you are configuring IPv4, IPv6, or MAC ACLs.

Implicit Rules for IP and MAC ACLs

IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rules in an ACL match. When you configure the device to maintain per-rule statistics for an ACL, the device does not maintain statistics for implicit rules.

All IPv4 ACLs include the following implicit rule:

deny ip any any


This implicit rule ensures that the device denies unmatched IP traffic.

All IPv6 ACLs include the following implicit rules:

permit icmp any any nd-na 
permit icmp any any nd-ns 
permit icmp any any router-advertisement 
permit icmp any any router-solicitation 
deny ipv6 any any

Unless you configure an IPv6 ACL with a rule that denies ICMPv6 neighbor discovery messages, the first four rules ensure that the device permits neighbor discovery advertisement and solicitation messages. The fifth rule ensures that the device denies unmatched IPv6 traffic.


Note


If you explicitly configure an IPv6 ACL with a deny ipv6 any any rule, the implicit permit rules can never permit traffic. If you explicitly configure a deny ipv6 any any rule but want to permit ICMPv6 neighbor discovery messages, explicitly configure a rule for all five implicit IPv6 ACL rules.


All MAC ACLs include the following implicit rule:

deny any any protocol

This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.
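The following simulator is an added example, not code from the Cisco guide or from DCNM: it walks an ACL rule by rule, stops at the first match, falls through to the implicit IPv4 or IPv6 rules quoted above, keeps per-rule hit counts only for explicit rules (as the Statistics section states), and shows how an explicit "deny ipv6 any any" shadows the implicit neighbor-discovery permits. The rule syntax is a constructed, simplified subset of NX-OS ACL syntax (the IPv4 wildcard-mask form is the one described under the field descriptions later in this chapter), and the addresses, ACL names and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Implicit rules quoted from the guide; they never appear in the running
# configuration and are evaluated after every explicit rule.
IMPLICIT_IPV4 = ["deny ip any any"]
IMPLICIT_IPV6 = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "permit icmp any any router-advertisement",
    "permit icmp any any router-solicitation",
    "deny ipv6 any any",
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", ...
    icmp_type: Optional[str] = None   # ICMP type keyword, e.g. "nd-ns"
    dst_port: Optional[int] = None


def _parse_addr(tokens, i):
    # Returns (matcher, next_index) for one source or destination spec.
    # Forms: "any", "host A", "A/len", and the IPv4 wildcard form
    # "A.B.C.D W.W.W.W", where set mask bits are "don't care" bits.
    tok = tokens[i]
    if tok == "any":
        return (lambda a: True), i + 1
    if tok == "host":
        host = ipaddress.ip_address(tokens[i + 1])
        return (lambda a, h=host: ipaddress.ip_address(a) == h), i + 2
    if "/" in tok:
        net = ipaddress.ip_network(tok, strict=False)
        return (lambda a, n=net: ipaddress.ip_address(a) in n), i + 1
    net = int(ipaddress.IPv4Address(tok))
    care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda a, n=net, c=care:
            (int(ipaddress.IPv4Address(a)) & c) == (n & c)), i + 2


def _rule_matches(rule, pkt):
    tokens = rule.split()
    proto = tokens[1]
    if proto not in ("ip", "ipv6") and proto != pkt.proto:
        return False                      # "ip"/"ipv6" match any protocol
    src_ok, i = _parse_addr(tokens, 2)
    dst_ok, i = _parse_addr(tokens, i)
    if not (src_ok(pkt.src) and dst_ok(pkt.dst)):
        return False
    rest = tokens[i:]
    if proto == "icmp" and rest:          # ICMP type keyword
        return pkt.icmp_type == rest[0]
    if proto in ("tcp", "udp") and rest:  # only "eq <port>" is modelled
        return rest[0] == "eq" and pkt.dst_port == int(rest[1])
    return True


class Acl:
    def __init__(self, rules, ipv6=False):
        self.rules = list(rules)
        self.implicit = IMPLICIT_IPV6 if ipv6 else IMPLICIT_IPV4
        self.hits = {r: 0 for r in self.rules}  # no statistics for implicit rules

    def evaluate(self, pkt):
        """Return (action, matching rule, is_implicit) for the first match."""
        for rule in self.rules + self.implicit:
            if _rule_matches(rule, pkt):
                implicit = rule not in self.hits
                if not implicit:
                    self.hits[rule] += 1
                return rule.split()[0], rule, implicit
        raise RuntimeError("unreachable: the implicit rules match everything")


# Constructed ACLs for the demonstration.
WEB_ACL_V4 = ["permit tcp 192.168.0.0 0.0.255.255 any eq 443"]
SSH_ACL_V6 = ["permit tcp 2001:db8::/32 any eq 22"]
# Same ACL with an explicit final deny: it shadows the implicit ND permits.
SSH_ACL_V6_DENY = SSH_ACL_V6 + ["deny ipv6 any any"]


def demo():
    """Evaluate constructed packets; returns {label: action}."""
    v4 = Acl(WEB_ACL_V4)
    https = Packet("192.168.7.9", "203.0.113.10", "tcp", dst_port=443)
    ssh = Packet("192.168.7.9", "203.0.113.10", "tcp", dst_port=22)
    nd = Packet("fe80::1", "ff02::1", "icmp", icmp_type="nd-ns")
    return {
        "https_inside": v4.evaluate(https)[0],                           # permit
        "ssh_inside": v4.evaluate(ssh)[0],                               # deny
        "nd_default": Acl(SSH_ACL_V6, ipv6=True).evaluate(nd)[0],        # permit
        "nd_shadowed": Acl(SSH_ACL_V6_DENY, ipv6=True).evaluate(nd)[0],  # deny
    }
```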

Additional Filtering Options

You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:

  • IPv4 ACLs support the following additional filtering options:
    • Layer 4 protocol
    • Authentication Header Protocol
    • Enhanced Interior Gateway Routing Protocol (EIGRP)
    • Encapsulating Security Payload
    • General Routing Encapsulation (GRE)
    • KA9Q NOS-compatible IP-over-IP tunneling
    • Open Shortest Path First (OSPF)
    • Payload Compression Protocol
    • Protocol-independent multicast (PIM)
    • TCP and UDP ports
    • ICMP types and codes
    • IGMP types
    • Precedence level
    • Differentiated Services Code Point (DSCP) value
    • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
    • Established TCP connections
    • Packet length
  • IPv6 ACLs support the following additional filtering options:
    • Layer 4 protocol
    • Authentication Header Protocol
    • Encapsulating Security Payload
    • Payload Compression Protocol
    • Stream Control Transmission Protocol (SCTP)
    • SCTP, TCP, and UDP ports
    • ICMP types and codes
    • IGMP types
    • Flow label
    • DSCP value
    • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
    • Established TCP connections
    • Packet length
  • MAC ACLs support the following additional filtering options:
    • Layer 3 protocol
    • VLAN ID
    • Class of Service (CoS)

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. The device stores operator-operand couples in registers called logical operator units (LOUs). Cisco Nexus 7000-series devices support 104 LOUs.

The LOU usage for each type of operator is as follows:

eq
Is never stored in an LOU
gt
Uses 1/2 LOU
lt
Uses 1/2 LOU
neq
Uses 1/2 LOU
range
Uses 1 LOU

The following guidelines determine when the devices store operator-operand couples in LOUs:

  • If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU. For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
  • Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port. For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.
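An added example, not from the Cisco guide or from NX-OS, that applies the accounting rules above to a rule set: eq is never stored, gt/lt/neq cost half an LOU, range costs one, and a couple is stored once per (operator, operand, direction). The rule syntax is a constructed simplification in which the port operator follows the address spec it applies to, and the rule set is constructed sample data; only the 104-LOU figure comes from the guide.

```python
from fractions import Fraction

# LOU cost per operator, as stated in the guide; eq is never stored.
LOU_COST = {
    "eq": Fraction(0),
    "gt": Fraction(1, 2),
    "lt": Fraction(1, 2),
    "neq": Fraction(1, 2),
    "range": Fraction(1),
}
NEXUS_7000_LOUS = 104   # capacity stated in the guide


def _skip_addr(tokens, i):
    """Index just past one address spec: "any", "A/len", "host A" or "A W"."""
    if tokens[i] == "any" or "/" in tokens[i]:
        return i + 1
    return i + 2


def _take_operator(tokens, i, direction):
    """If a port operator starts at i, return ((direction, op, operand), next)."""
    if i < len(tokens) and tokens[i] in LOU_COST:
        op = tokens[i]
        width = 2 if op == "range" else 1           # range takes two operands
        operand = tuple(tokens[i + 1:i + 1 + width])
        return (direction, op, operand), i + 1 + width
    return None, i


def port_couples(rule):
    """Operator-operand couples of a TCP/UDP rule, tagged "src" or "dst".

    Constructed syntax: <action> tcp|udp <src> [op operand] <dst> [op operand].
    """
    tokens = rule.split()
    if tokens[1] not in ("tcp", "udp"):
        return []
    i = _skip_addr(tokens, 2)
    src, i = _take_operator(tokens, i, "src")
    i = _skip_addr(tokens, i)
    dst, _ = _take_operator(tokens, i, "dst")
    return [c for c in (src, dst) if c is not None]


def lou_usage(rules):
    """Return (LOUs consumed as a Fraction, set of couples stored in LOUs)."""
    stored = set()
    total = Fraction(0)
    for rule in rules:
        for couple in port_couples(rule):
            cost = LOU_COST[couple[1]]
            # eq costs nothing; an identical couple in the same direction
            # reuses the LOU it already occupies.
            if cost == 0 or couple in stored:
                continue
            stored.add(couple)
            total += cost
    return total, stored


def fits(rules, capacity=NEXUS_7000_LOUS):
    """True if the rules' LOU demand does not exceed the platform's LOUs."""
    return lou_usage(rules)[0] <= capacity


# Constructed rule set mirroring the guideline examples above.
RULES = [
    "permit tcp any gt 10 any",             # src gt 10 -> 1/2 LOU
    "permit tcp any gt 11 any",             # src gt 11 -> 1/2 LOU (other operand)
    "permit tcp any lt 10 any",             # src lt 10 -> 1/2 LOU (other operator)
    "permit tcp any any gt 10",             # dst gt 10 -> 1/2 LOU (other direction)
    "permit udp any gt 10 any eq 53",       # src gt 10 again: free; eq never stored
    "permit tcp any any range 1024 2048",   # range -> 1 LOU
]                                           # total: 3 LOUs
```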

Logging

You can enable the device to create an informational log message for packets that match a rule. The log message contains the following information about the packet:

  • Protocol
  • Status of whether the packet is a TCP, UDP, or ICMP packet, or if the packet is only a numbered packet.
  • Source and destination address
  • Source and destination port numbers, if applicable

Time Ranges

You can use time ranges to control when an ACL rule is in effect. For example, if the device determines that a particular ACL applies to traffic arriving on an interface, and a rule in the ACL uses a time range that is not in effect, the device does not compare the traffic to that rule. The device evaluates time ranges based on its clock.

When you apply an ACL that uses time ranges, the device updates the affected I/O module whenever a time range referenced in the ACL starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.

IPv4, IPv6, and MAC ACLs support time ranges. When the device applies an ACL to traffic, the rules in effect are as follows:

  • All rules without a time range specified
  • Rules with a time range that includes the second when the device applies the ACL to traffic

The device supports named, reusable time ranges, which allows you to configure a time range once and specify it by name when you configure many ACL rules. Time range names have a maximum length of 64 alphanumeric characters.

A time range contains one or more rules. The two types of rules are as follows:

Absolute

A rule with a specific start date and time, specific end date and time, both, or neither. The following items describe how the presence or absence of a start or end date and time affect whether an absolute time range rule is active:

  • Start and end date and time both specified—The time range rule is active when the current time is later than the start date and time and earlier than the end date and time.
  • Start date and time specified with no end date and time—The time range rule is active when the current time is later than the start date and time.
  • No start date and time with end date and time specified—The time range rule is active when the current time is earlier than the end date and time.
  • No start or end date and time specified—The time range rule is always active.

For example, you could prepare your network to allow access to a new subnet by specifying a time range that allows access beginning at midnight of the day that you plan to place the subnet online. You can use that time range in ACL rules that apply to the subnet. After the start time and date have passed, the device automatically begins applying the rules that use this time range when it applies the ACLs that contain the rules.

Periodic

A rule that is active one or more times per week. For example, you could use a periodic time range to allow access to a lab subnet only during work hours on weekdays. The device automatically applies ACL rules that use this time range only when the range is active and when it applies the ACLs that contain the rules.


Note


The order of rules in a time range does not affect how a device evaluates whether a time range is active.


Time ranges also allow you to include remarks, which you can use to insert comments into a time range. Remarks have a maximum length of 100 alphanumeric characters.

The device determines whether a time range is active as follows:

  • The time range contains one or more absolute rules—The time range is active if the current time is within one or more absolute rules.
  • The time range contains one or more periodic rules—The time range is active if the current time is within one or more periodic rules.
  • The time range contains both absolute and periodic rules—The time range is active if the current time is within one or more absolute rules and within one or more periodic rules.

When a time range contains both absolute and periodic rules, the periodic rules can only be active when at least one absolute rule is active.
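An added example, not from the Cisco guide or from NX-OS, that models the activation logic above: absolute rules with optional start and end, periodic weekday windows, the combined rule (periodic rules count only while an absolute rule is active), and the resulting set of ACL rules in effect at a given instant. Class and field names, the time range names and the ACL are constructed; only the 64-character name limit comes from the guide.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Sequence


@dataclass(frozen=True)
class Absolute:
    """Absolute rule: start and/or end date and time; either may be absent."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        after_start = self.start is None or now > self.start
        before_end = self.end is None or now < self.end
        return after_start and before_end


@dataclass(frozen=True)
class Periodic:
    """Periodic rule: a daily window on selected weekdays (Monday = 0)."""
    weekdays: frozenset
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


class TimeRange:
    """A named, reusable time range made of absolute and/or periodic rules."""

    def __init__(self, name: str, rules: Sequence):
        if len(name) > 64:                # limit stated in the guide
            raise ValueError("time range names are at most 64 characters")
        self.name, self.rules = name, list(rules)

    def active(self, now: datetime) -> bool:
        absolutes = [r for r in self.rules if isinstance(r, Absolute)]
        periodics = [r for r in self.rules if isinstance(r, Periodic)]
        abs_ok = any(r.active(now) for r in absolutes)
        per_ok = any(r.active(now) for r in periodics)
        if absolutes and periodics:   # periodic only counts inside an absolute window
            return abs_ok and per_ok
        return abs_ok or per_ok       # rule order never matters


def rules_in_effect(acl, time_ranges, now):
    """ACL rules the device compares traffic against at `now`.

    acl: list of (rule_text, time_range_name or None). Rules without a time
    range are always in effect; the others only while their range is active.
    """
    return [text for text, name in acl
            if name is None or time_ranges[name].active(now)]


# Constructed time ranges and ACL for the demonstration.
WORKDAYS = frozenset(range(5))                       # Monday..Friday
LAB_HOURS = TimeRange("lab-hours", [Periodic(WORKDAYS, time(8), time(18))])
NEW_SUBNET = TimeRange("new-subnet", [Absolute(start=datetime(2024, 3, 1))])
PILOT = TimeRange("pilot", [                         # work hours, March 2024 only
    Absolute(start=datetime(2024, 3, 1), end=datetime(2024, 4, 1)),
    Periodic(WORKDAYS, time(8), time(18)),
])
TIME_RANGES = {t.name: t for t in (LAB_HOURS, NEW_SUBNET, PILOT)}
ACL = [
    ("permit tcp 10.1.0.0/16 10.9.9.0/24 eq 22", "lab-hours"),
    ("permit ip 10.2.0.0/16 any", "new-subnet"),
    ("permit tcp any host 10.9.9.5 eq 443", "pilot"),
    ("deny ip any any", None),
]
```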

Statistics and ACLs

The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.


Note


The device does not support interface-level ACL statistics.


For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.

The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules.

Atomic ACL Updates

By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all pre-existing entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.

If an I/O module lacks required resources, you can disable atomic updates by using the command-line interface of the device. DCNM cannot configure the atomic ACL update feature.

Licensing Requirements for IP ACLs

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco DCNM

IP ACLs require no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you. For an explanation of the Cisco DCNM licensing scheme, see the Cisco DCNM Installation and Licensing Guide, Release 5.x.

Cisco NX-OS

No license is required to use IP ACLs. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme for your platform, see the licensing guide for your platform.

Platform Support for IP ACLs

The following platforms support these features but may implement them differently. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

IPv4 ACLs
  • Cisco Nexus 1000V Series Switches (Cisco Nexus 1000V Series Switches Documentation)
  • Cisco Nexus 3000 Series Switches (Cisco Nexus 3000 Series Switches Documentation)
  • Cisco Nexus 4000 Series Switches (Cisco Nexus 4000 Series Switches Documentation)
  • Cisco Nexus 5000 Series Switches (Cisco Nexus 5000 Series Switches Documentation)
  • Cisco Nexus 7000 Series Switches (Cisco Nexus 7000 Series Switches Documentation)
IPv6 ACLs
  • Cisco Nexus 5000 Series Switches (Cisco Nexus 5000 Series Switches Documentation)
  • Cisco Nexus 7000 Series Switches (Cisco Nexus 7000 Series Switches Documentation)
Time range
  • Cisco Nexus 7000 Series Switches (Cisco Nexus 7000 Series Switches Documentation)
Object group
  • Cisco Nexus 7000 Series Switches (Cisco Nexus 7000 Series Switches Documentation)

Configuring IP ACLs

Creating an IP ACL

You can create an IP ACL on the device and add rules to it.

Procedure
    Step 1   From the Feature Selector pane, choose Security > Access Control > IPv4 ACL or IPv6 ACL.

    The available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the device to which you want to add an ACL.
    Step 3   (Optional) From the menu bar, choose File > New > IPv4 ACL or IPv6 ACL.

    A new row appears in the Summary pane. The Details tab appears in the Details pane.

    Step 4   From the Details tab, in the Name field, type a name for the ACL.
    Step 5   (Optional) If you want the device to maintain global statistics for rules in this IP ACL, check Statistics.
    Step 6   For each rule that you want to add to the ACL, from the menu bar, choose File > New and choose the type of rule. From the Details tab, configure fields as needed.
    Step 7   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Changing an IP ACL

You can change, reorder, add, and remove rules in an existing IP ACL.

Procedure
    Step 1   From the Feature Selector pane, choose Security > Access Control > IPv4 ACL or IPv6 ACL.

    The available devices appear in the Summary pane.

    Step 2   (Optional) From the Summary pane, double-click the device that has the ACL that you want to change and then double-click the ACL.

    The ACLs on the device and the rules of the ACL that you double-clicked appear in the Summary pane.

    Step 3   (Optional) If you change whether the device maintains global statistics for rules in this IP ACL, click the ACL in the Summary pane and then, on the Details tab, check or uncheck Statistics as needed.
    Step 4   (Optional) If you want to change the details of a rule, click the rule in the Summary pane. From the Details tab, configure fields as needed.
    Step 5   (Optional) If you want to add a rule, click the ACL in the Summary pane and then from the menu bar, choose File > New and choose the type of rule. On the Details tab, configure fields as needed.
    Step 6   (Optional) If you want to remove a rule, click the rule and then from the menu bar, choose Actions > Delete.
    Step 7   (Optional) If you want to move a rule to a different position in the ACL, click the rule in the Summary pane and then from the menu bar, choose one of the following, as applicable:
    • Actions > Move Up
    • Actions > Move Down

    The rule swaps places and sequence numbers with the rule above it or below it, as you chose.

    Step 8   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Changing Sequence Numbers in an IP ACL

You can change all the sequence numbers assigned to the rules in an IP ACL.

Procedure
    Step 1   From the Feature Selector pane, choose Security > Access Control > IPv4 ACL or IPv6 ACL.

    The available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the device that has the ACL that you want to change and then double-click the ACL.

    The ACLs on the device and the rules of the ACL that you double-clicked appear in the Summary pane. The Seq No column shows the sequence number assigned to each rule.

    Step 3   Click the rule whose sequence number you want to change.

    The Details pane shows the Sequence Number field for the rule.

    Step 4   Click the Sequence Number field, edit the number, and press Tab.

    In the Summary pane, the new sequence number appears and, if applicable, the rule moves to the position determined by the new sequence number.

    Step 5   From the menu bar, choose File > Deploy to apply your changes to the device.

Removing an IP ACL

You can remove an IP ACL from the device.

Before You Begin

Ensure that you know whether the ACL is applied to an interface. The device allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the device considers the removed ACL to be empty.

Procedure
    Step 1   From the Feature Selector pane, choose Security > Access Control > IPv4 ACL or IPv6 ACL.

    The available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the device from which you want to remove an ACL.

    The ACLs currently on the device appear in the Summary pane.

    Step 3   Click the ACL that you want to remove.
    Step 4   From the menu bar, choose Actions > Delete.

    The ACL disappears from the Summary pane.

    Step 5   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

Applying an IP ACL to a Physical Port

You can apply an IP ACL to a physical Ethernet port.

DCNM allows you to apply IP ACLs directionally; that is, you can specify separate ACLs for incoming traffic and outgoing traffic on a physical Ethernet port.

Before You Begin

Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure
    Step 1   From the Feature Selector pane, choose Interfaces > Physical > Ethernet.

    Available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the applicable device and then double-click the slot that contains the port.

    The ports in the slot that you double-clicked appear in the Summary pane.

    Step 3   Click the port to which you want to apply an IP ACL.
    Step 4   From the Details pane, click the Port Details tab and expand the Advanced Settings section, if necessary.

    The following drop-down lists appear in the Advanced Settings section:

    • Incoming Ipv4 Traffic
    • Outgoing Ipv4 Traffic
    • Incoming Ipv6 Traffic
    • Outgoing Ipv6 Traffic
    Step 5   For each ACL type and traffic direction for which you want to apply an ACL, choose the ACL that you want to apply from the applicable drop-down list.
    Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Applying an IP ACL to a Virtual Ethernet Interface

You can apply an IP ACL to a virtual Ethernet port.

DCNM allows you to apply IP ACLs directionally; that is, you can specify separate ACLs for incoming traffic and outgoing traffic on a virtual Ethernet interface.

Before You Begin

Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure
    Step 1   From the Feature Selector pane, choose Interfaces > Logical > Virtual Ethernet.

    Available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the applicable device and then double-click the slot that contains the port.

    The ports in the slot that you double-clicked appear in the Summary pane.

    Step 3   Click the interface to which you want to apply an IP ACL.

    Settings for the interface that you clicked appear in the Details pane.

    Step 4   From the Details pane, click the Port Details tab and expand the Advanced Settings section, if necessary.

    The following drop-down lists appear in the Advanced Settings section:

    • Incoming Ipv4 Traffic
    • Outgoing Ipv4 Traffic
    Step 5   For each traffic direction in which you want to apply an ACL, choose the ACL that you want to apply from the applicable drop-down list.
    Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Applying an IP ACL to a Port Channel

You can apply IP ACLs to an Ethernet port channel.

DCNM allows you to apply IP ACLs directionally; you can specify separate ACLs for incoming traffic and outgoing traffic on an Ethernet port channel.

Before You Begin

Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure
    Step 1   From the Feature Selector pane, choose Ports > Logical > Port Channel.

    Available devices appear in the Summary pane.

    Step 2   From the Summary pane, double-click the applicable device.

    Port channels on the device that you double-clicked appear in the Summary pane.

    Step 3   Click the port channel to which you want to apply an IP ACL.

    Settings for the port channel appear in the Details pane.

    Step 4   From the Details pane, click the Port Channel Advanced Settings tab and expand the Advanced Settings section, if necessary.

    In the Advanced Settings section, the IPv4 ACL and IPv6 ACL areas each contain an Incoming Traffic drop-down list and an Outgoing Traffic drop-down list.

    Step 5   For each ACL type and traffic direction for which you want to apply an ACL, choose the ACL that you want to apply from the applicable drop-down list.
    Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Applying an IP ACL as a VACL

You can apply an IP ACL as a VACL.

Displaying IP ACL Statistics

The following window appears in the Statistics tab:

Access Rule Statistics Chart
Information about the number of packets that match the selected IP ACL rule.

See the Cisco DCNM Fundamentals Guide, Release 5.x, for more information on collecting statistics for this feature.

Field Descriptions for IPv4 ACLs

IPv4 ACL: Details Tab

Table 2 IPv4 ACL: Details Tab

Field

Description

Name

Name of the IPv4 ACL. Names can be a maximum of 64 alphanumeric characters but must begin with an alphabetic character. No name is assigned by default.

Statistics

Whether the device logs statistics about traffic filtered by the ACL. This check box is unchecked by default.

IPv4 Access Rule: Details Tab

Table 3 IPv4 Access Rule: Details Tab

Field

Description

Sequence Number

Display only. Sequence number assigned to the rule.

Action

Action taken by the device when it determines that the rule applies to the packet. Valid values are as follows:

• Deny—Stops processing the packet and drops it. This is the default value.
• Permit—Continues processing the packet.

IPv4 Access Rule: Details: Source and Destination Section

Table 4 IPv4 Access Rule: Details: Source and Destination Section

Field

Description

Source

Type of source. Valid values are as follows:

• Any—The rule matches packets from any IPv4 source. This is the default value. When you choose Any, the IP Address and Wildcard Mask fields below this list are unavailable because you do not need to specify either of them.
• Host—The rule matches packets from a specific IPv4 address. When you choose Host, the IP Address field below this list is available but the Wildcard Mask field remains unavailable.
• Network—The rule matches packets from an IPv4 network. When you choose Network, the IP Address and Wildcard Mask fields below this list are both available.

IP Address (Source)

IPv4 address of a host or a network. Valid addresses are in dotted decimal format. This field is available when you choose Host or Network from the Source drop-down list. This field is unavailable by default.

Wildcard Mask (Source)

Wildcard mask of an IPv4 network. Valid masks are in dotted decimal format. For example, if you specified 192.168.0.0 in the IP Address field, you would enter 0.0.255.255 in this field. This field is available when you choose Network from the Source drop-down list. This field is unavailable by default.

Destination

Type of destination. Valid values are as follows:

• Any—The rule matches packets sent to any IPv4 destination. This is the default value. When you choose Any, the IP Address and Wildcard Mask fields below this list are unavailable because you do not need to specify either of them.
• Host—The rule matches packets sent to a specific IPv4 address. When you choose Host, the IP Address field below this list is available but the Wildcard Mask field remains unavailable.
• Network—The rule matches packets sent to an IPv4 network. When you choose Network, the IP Address and Wildcard Mask fields below this list are both available.

IP Address (Destination)

IPv4 address of a host or a network. Valid addresses are in dotted decimal format. This field is available when you choose Host or Network from the Destination drop-down list. This field is unavailable by default.

Wildcard Mask (Destination)

Wildcard mask of an IPv4 network. Valid masks are in dotted decimal format. For example, if you specified 192.168.0.0 in the IP Address field, you would enter 0.0.255.255 in this field. This field is available when you choose Network from the Destination drop-down list. This field is unavailable by default.

IPv4 Access Rule: Details: Protocol and Others Section

Table 5 IPv4 Access Rule: Details: Protocol and Others Section

Field

Description

All Access Rules

Protocol

Display only. Protocol of the access rule. Possible values are as follows:

Time range

Named time range that applies to the access rule. If you want the rule to be always in effect, do not specify a time range. This field is blank by default.

Log this entry

Whether the device logs statistics about traffic to which the access rule applies. This check box is unchecked by default.

IP Access Rule

IP Protocol

Type of traffic that the access rule applies to. The default value is Ip, which applies to all IP protocols. To specify a well-known protocol, choose the protocol name. The list is ordered by the protocol number. For the IANA list of assigned internet protocol numbers, see http://www.iana.org/assignments/protocol-numbers.

TCP and UDP Access Rules

Source Port

Source port or range of source ports to which the access rule applies. By default, no source port is assigned.

The left list specifies the operator that the device uses when comparing the source port of packets to the port or ports specified in the access rule.

The right field is either a drop-down list or a pair of text fields. When the operator is not Range, the drop-down list allows you to specify a well-known port by name.

When the operator is Range, the text fields allow you to enter the beginning and ending port numbers of the range. Valid port numbers in both fields are from 0 to 65535.

To specify a single port by number, choose Range from the operator drop-down list and enter the port number in both source port fields.

                Destination

                Destination port or range of destination ports to which the access rule applies. By default, no destination port is assigned.

                The left list specifies the operator that the device uses when comparing the destination port of packets to the port or ports specified in the access rule.

                The right field is either a drop-down list or a pair of text fields. When the operator is not Range, the drop-down list allows you to specify a well-known port by name.

                When the operator is Range, the text fields allow you to enter the beginning and ending port numbers of the range. Valid port numbers in both fields are from 0 to 65535.

                To specify a single port by number, choose Range from the operator drop-down list and enter the port number in both destination port fields.

                ICMP Access Rule

                ICMP Message

                Rule filters based on the ICMP message that you choose in the drop-down list. By default, the radio button is selected and the list is blank.

                ICMP Type

                Rule filters based on the values that you specify in the drop-down list and ICMP Code field. By default, the radio button is not selected and the list is unavailable.

                ICMP Code

                ICMP message code that the rule uses to filter ICMP traffic. Valid input for this field varies depending upon the ICMP Type drop-down list. By default, the list is unavailable.

                IGMP Access Rule

                IGMP Message

                Rule filters based on the IGMP message that you choose in the IGMP Message drop-down list. The radio button is selected by default. The default value for the list is 0 (zero).

                IGMP Type

                Rule filters based on the IGMP message type. By default, the radio button is not selected and the list is unavailable.

                IPv4 Access Rule: Details: Advanced Section

                Table 6 IPv4 Access Rule: Details: Advanced Section

                Field

                Description

                All Access Rules

                DSCP

                Differentiated services value of the DSCP header field in IP packets. The rule applies only to packets with a matching value. No value is selected by default.

                Precedence

                IP Precedence field value. The rule applies only to packets with a matching value. No value is selected by default.

                Fragments

                Rule that can only match packets that are noninitial fragments. This check box is unchecked by default.

                TCP Access Rules

                Established

                Rule that can only match packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection. This check box is unchecked by default.

                Fin

                Rule that can only match TCP packets that have the FIN control bit flag set. This check box is unchecked by default.

                Psh

                Rule that can only match TCP packets that have the PSH control bit flag set. This check box is unchecked by default.

                Rst

                Rule that can only match TCP packets that have the RST control bit flag set. This check box is unchecked by default.

                Syn

                Rule that can only match TCP packets that have the SYN control bit flag set. This check box is unchecked by default.

                Urg

                Rule that can only match TCP packets that have the URG control bit flag set. This check box is unchecked by default.

                Ack

                Rule that can only match TCP packets that have the ACK control bit flag set. This check box is unchecked by default.
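The following Python example is added here and is not code from this guide or from DCNM/NX-OS. It models the Source Port and Destination Port operators from Table 5 together with the Established and flag check boxes from this table, and evaluates a constructed ACL with the first-match semantics described at the start of the chapter. The page names only the Range operator; eq, neq, lt and gt are the other standard NX-OS port operators and are assumed here, as is the sample ACL.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model of the port operators (Table 5) and the TCP options (Table 6).
# Not DCNM or NX-OS code; eq/neq/lt/gt are assumed alongside the page's Range.
# Packets and rules below are constructed sample data.


@dataclass(frozen=True)
class TcpFlags:
    fin: bool = False
    syn: bool = False
    rst: bool = False
    psh: bool = False
    ack: bool = False
    urg: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0
    flags: TcpFlags = TcpFlags()   # meaningful only for TCP


@dataclass(frozen=True)
class PortSpec:
    """Operator list plus its value field(s). A single port 'by number' is
    entered as Range with the same number in both fields, as the guide says."""
    operator: str                  # "eq" | "neq" | "lt" | "gt" | "range"
    low: int
    high: Optional[int] = None     # used only by range

    def __post_init__(self):
        ports = (self.low,) if self.high is None else (self.low, self.high)
        if any(not 0 <= p <= 65535 for p in ports):
            raise ValueError("ports must be 0..65535")
        if self.operator == "range" and (self.high is None or self.high < self.low):
            raise ValueError("range needs low <= high")

    def matches(self, port: int) -> bool:
        if self.operator == "eq":
            return port == self.low
        if self.operator == "neq":
            return port != self.low
        if self.operator == "lt":
            return port < self.low
        if self.operator == "gt":
            return port > self.low
        if self.operator == "range":
            return self.low <= port <= self.high
        raise ValueError(f"unknown operator {self.operator}")


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" | "deny"
    proto: str                     # "ip" matches every IP protocol
    src: Optional[PortSpec] = None
    dst: Optional[PortSpec] = None
    established: bool = False      # Established check box: ACK or RST set
    flags: Tuple[str, ...] = ()    # Fin/Syn/... check boxes: each named flag must be set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and not self.src.matches(pkt.src_port):
            return False
        if self.dst is not None and not self.dst.matches(pkt.dst_port):
            return False
        if pkt.proto == "tcp":
            if self.established and not (pkt.flags.ack or pkt.flags.rst):
                return False
            if any(not getattr(pkt.flags, f) for f in self.flags):
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, implicit: str = "deny") -> str:
    """First matching rule decides; otherwise the implicit rule applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return implicit


# Constructed ACL: permit new HTTPS sessions, permit segments of sessions the
# inside started (Established), implicitly deny everything else.
SAMPLE_ACL = [
    Rule("permit", "tcp", dst=PortSpec("range", 443, 443)),
    Rule("permit", "tcp", established=True),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, Packet("tcp", 51000, 443, TcpFlags(syn=True))))  # permit
    print(evaluate(SAMPLE_ACL, Packet("tcp", 51000, 22, TcpFlags(syn=True))))   # deny
    print(evaluate(SAMPLE_ACL, Packet("tcp", 51000, 22, TcpFlags(ack=True))))   # permit
```

The third packet shows what Established means in practice: the match is stateless, so any TCP segment with ACK or RST set satisfies it regardless of whether the device ever saw the corresponding SYN. Use Established only for the return direction of traffic you permit explicitly the other way, and pair it with a specific destination so the permit does not become broader than intended.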

                IPv4 ACL Remark: Remark Details Tab

                Table 7 IPv4 ACL Remark: Remark Details Tab

                Field

                Description

                Sequence Number

                Display only. Sequence number assigned to the remark.

                Remark Description

                Remark text, with a maximum length of 100 alphanumeric characters. By default, this field is empty.

                Field Descriptions for IPv6 ACLs

                IPv6 ACL: Details Tab

                Table 8 IPv6 ACL: Details Tab

                Field

                Description

                Name

                Name of the IPv6 ACL. Names can be a maximum of 64 alphanumeric characters but must begin with an alphabetic character. No name is assigned by default.

                Statistics

                Whether the device logs statistics about traffic filtered by the ACL. This check box is unchecked by default.

                IPv6 Access Rule: Details Tab

                Table 9 IPv6 Access Rule: Details Tab

                Field

                Description

                Sequence Number

                Display only. The sequence number assigned to the rule.

                Action

                Action taken by the device when it determines that the rule applies to the packet. Valid values are as follows:

                • Deny—Stops processing the packet and drops it.
                • Permit—Continues processing the packet.

                IPv6 Access Rule: Details: Source and Destination Section

                Table 10 IPv6 Access Rule: Details: Source and Destination Section

                Field

                Description

                Source

                Type of source. Valid values are as follows:

                • Any—The rule matches packets from any IPv6 source. This is the default value. When you choose Any, the IP Address and Wildcard Mask fields below this list are unavailable because you do not need to specify either of them.
                • Host—The rule matches packets from a specific IPv6 address. When you choose Host, the IPv6 Address field below this list is available but the IPv6 Prefix Length field remains unavailable.
                • Network—The rule matches packets from an IPv6 network. When you choose Network, the IPv6 Address and IPv6 Prefix Length fields below this list are both available.

                IPv6 Address (Source)

                IPv6 address of a source host or a network. This field is available when you choose Host or Network from the Source drop-down list. By default, this field is unavailable.

                IPv6 Prefix Length (Source)

                Variable-length subnet mask for the source address given in the IPv6 Address field. Valid entries are whole numbers from 1 to 128. For example, if you choose Network from the Source drop-down list and specify 2001:0db8:85a3:: in the IPv6 Address field, you would enter 128 in this field.

                This field is available when you choose Network from the Source drop-down list. By default, this field is unavailable.

                Destination

                Type of destination. Valid values are as follows:

                • Any—The rule matches packets sent to any IPv6 destination. This is the default value. When you choose Any, the IP Address and Wildcard Mask fields below this list are unavailable because you do not need to specify either of them.
                • Host—The rule matches packets sent to a specific IPv6 address. When you choose Host, the IPv6 Address field below this list is available but the IPv6 Prefix Length field remains unavailable.
                • Network—The rule matches packets sent to an IPv6 network. When you choose Network, the IPv6 Address and IPv6 Prefix Length fields below this list are both available.

                IPv6 Address (Destination)

                IPv6 address of a destination host or a network. This field is available when you choose Host or Network from the Destination drop-down list. By default, this field is unavailable.

                IPv6 Prefix Length (Destination)

                Variable-length subnet mask for the destination address given in the IPv6 Address field. Valid entries are whole numbers from 1 to 128. For example, if you choose Network from the Destination drop-down list and specify 2001:0db8:85a3:: in the IPv6 Address field, you would enter 128 in this field.

                This field is available when you choose Network from the Destination drop-down list. By default, this field is unavailable.
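The following Python example is added here and is not code from this guide or from DCNM/NX-OS. It shows what the IPv6 Address and IPv6 Prefix Length fields select: the table's 2001:0db8:85a3:: with 128 matches exactly one address (the same as a Host entry), while a shorter prefix covers the whole block. It also includes a helper that computes the shortest prefix covering a list of hosts, which helps when deciding what to enter in the Prefix Length field. All addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, Tuple

# Added illustration of the IPv6 Address / IPv6 Prefix Length fields above.
# Not DCNM or NX-OS code; all addresses are constructed sample values.


def ipv6_network_matches(rule_addr: str, prefix_len: int, packet_addr: str) -> bool:
    """True when packet_addr lies inside rule_addr/prefix_len.

    Only the leading prefix_len bits are compared; the remaining bits of the
    packet address are ignored. The dialog accepts prefix lengths 1..128.
    """
    if not 1 <= prefix_len <= 128:
        raise ValueError("prefix length must be 1..128")
    net = ipaddress.IPv6Network((rule_addr, prefix_len), strict=False)
    return ipaddress.IPv6Address(packet_addr) in net


def ipv6_spec_matches(spec: dict, packet_addr: str) -> bool:
    """spec mirrors the Any / Host / Network choice in the Source or Destination list."""
    kind = spec["type"]
    if kind == "Any":
        return True
    if kind == "Host":
        # 2001:0db8:85a3:: and 2001:db8:85a3:0:0:0:0:0 are the same address
        return ipaddress.IPv6Address(packet_addr) == ipaddress.IPv6Address(spec["ip"])
    if kind == "Network":
        return ipv6_network_matches(spec["ip"], spec["prefix_len"], packet_addr)
    raise ValueError(f"unknown address type: {kind}")


def smallest_covering_prefix(addrs: Iterable[str]) -> Tuple[str, int]:
    """Shortest prefix (network address, length) that contains every address given.

    The highest bit in which the lowest and highest addresses differ fixes how
    many leading bits all of them share; a single address yields a /128.
    """
    ints = [int(ipaddress.IPv6Address(a)) for a in addrs]
    if not ints:
        raise ValueError("need at least one address")
    diff = min(ints) ^ max(ints)
    prefix_len = 128 - diff.bit_length()
    lowest = str(ipaddress.IPv6Address(min(ints)))
    net = ipaddress.IPv6Network((lowest, prefix_len), strict=False)
    return str(net.network_address), prefix_len


if __name__ == "__main__":
    print(ipv6_network_matches("2001:0db8:85a3::", 128, "2001:db8:85a3::1"))       # False
    print(ipv6_network_matches("2001:0db8:85a3::", 48, "2001:db8:85a3::1"))        # True
    print(smallest_covering_prefix(["2001:db8:85a3::1", "2001:db8:85a3:ffff::1"]))  # ('2001:db8:85a3::', 48)
```

Because the device compares only the leading bits, a prefix that is too short silently admits addresses outside the intended block; computing the covering prefix from the actual host list, as above, and checking it against the intended allocation is a cheap way to catch that before deploying the rule.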

                IPv6 Access Rule: Details: Protocol and Others Section

                Table 11 IPv6 Access Rule: Details: Protocol and Others Section

                Field

                Description

                All Access Rules

                Protocol

                Display only. Protocol of the access rule. Possible values are as follows:

                Time range

                Named time range that applies to the access rule. If you want the rule to be always in effect, do not specify a time range. By default, this list is blank.

                Log this entry

                Whether the device logs statistics about traffic to which the access rule applies. By default, this check box is unchecked.

                Flow Label

                Flow label value of traffic that the access rule applies to. The flow label value is in the Flow Label header field of IPv6 packets. The flow label value can be a whole number from 0 to 1048575. By default, this field is blank.

                IPv6 Access Rule

                IP Protocol

                IP protocol of traffic that the access rule applies to. The default value is Ipv6, which applies to all IPv6 protocols. To specify a well-known protocol, choose the protocol name. The list is ordered by the protocol number. For the IANA list of assigned internet protocol numbers, see http://www.iana.org/assignments/protocol-numbers.

                TCP and UDP Access Rules

                Source Port

                Source port or range of source ports to which the access rule applies. By default, no source port is assigned.

                The left list specifies the operator that the device uses when comparing the source port of packets to the port or ports specified in the access rule.

                The right field is either a drop-down list or a pair of text fields. When the operator is not Range, the drop-down list allows you to specify a well-known port by name.

                When the operator is Range, the text fields allow you to enter the beginning and ending port numbers of the range. Valid port numbers in both fields are from 0 to 65535.

                To specify a single port by number, choose Range from the operator drop-down list and enter the port number in both source port fields.

                Destination

                Destination port or range of destination ports that the access rule applies to. By default, no destination port is assigned.

                The left list specifies the operator that the device uses when comparing the destination port of packets to the port or ports specified in the access rule.

                The right field is either a drop-down list or a pair of text fields. When the operator is not Range, the drop-down list allows you to specify a well-known port by name.

                When the operator is Range, the text fields allow you to enter the beginning and ending port numbers of the range. Valid port numbers in both fields are from 0 to 65535.

                To specify a single port by number, choose Range from the operator drop-down list and enter the port number in both destination port fields.

                ICMP Access Rule

                ICMP Message

                Rule filters based on the ICMP message that you choose in the ICMP Message drop-down list. By default, the radio button is selected but the list is blank.

                ICMP Type

                Rule filters based on the values that you specify in the ICMP Type drop-down list and ICMP Code field. By default, the radio button is not selected and the list is unavailable.

                ICMP Code

                ICMP message code that the rule uses to filter ICMP traffic. Valid input for this field varies depending upon the ICMP Type drop-down list. By default, this list is unavailable.

                SCTP Access Rule

                Source Port

                Source port or range of source ports to which the access rule applies. By default, no source port is assigned.

                The left list specifies the operator that the device uses when comparing the source port of packets to the port or ports specified in the access rule.

                The right field is either a drop-down list or a pair of text fields. When the operator is not Range, the drop-down list allows you to specify a well-known port by name.

                When the operator is Range, the text fields allow you to enter the beginning and ending port numbers of the range. Valid port numbers in both fields are from 0 to 65535.

                To specify a single port by number, choose Range from the operator drop-down list and enter the port number in both source port fields.

                Destination

                Destination port or range of destination ports that the access rule applies to. By default, no destination port is assigned.

                The left list specifies the operator that the device uses when comparing the destination port of packets to the port or ports specified in the access rule.

                The right field is either a drop-down list or a pair of text fields. When the operator is not Range, the drop-down list allows you to specify a well-known port by name.

                When the operator is Range, the text fields allow you to enter the beginning and ending port numbers of the range. Valid port numbers in both fields are from 0 to 65535.

                To specify a single port by number, choose Range from the operator drop-down list and enter the port number in both destination port fields.

                IPv6 Access Rule: Details: Advanced Section

                Table 12 IPv6 Access Rule: Details: Advanced Section

                Field

                Description

                All Access Rules

                DSCP

                Differentiated services value of the DSCP header field in IP packets. The rule applies only to packets with a matching value. By default, this list is blank.

                Fragments

                Rule that can only match packets that are noninitial fragments. By default, this check box is unchecked.

                TCP Access Rules

                Established

                Rule that can only match packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection. By default, this check box is unchecked.

                Fin

                Rule that can only match TCP packets that have the FIN control bit flag set. By default, this check box is unchecked.

                Psh

                Rule that can only match TCP packets that have the PSH control bit flag set. By default, this check box is unchecked.

                Rst

                Rule that can only match TCP packets that have the RST control bit flag set. By default, this check box is unchecked.

                Syn

                Rule that can only match TCP packets that have the SYN control bit flag set. By default, this check box is unchecked.

                Urg

                Rule that can only match TCP packets that have the URG control bit flag set. By default, this check box is unchecked.

                Ack

                Rule that can only match TCP packets that have the ACK control bit flag set. By default, this check box is unchecked.

                IPv6 ACL Remark: Remark Details Tab

                Table 13 IPv6 ACL Remark: Remark Details Tab

                Field

                Description

                Remark Sequence Number

                Display only. Sequence number assigned to the remark.

                Remark Description

                Remark text, with a maximum length of 100 alphanumeric characters. By default, this field is blank.

                Configuring Object Groups

                You can use object groups to specify source and destination addresses and protocol ports in IPv4 ACL and IPv6 ACL rules.

                Creating an Address Object Group

                You can create an IPv4 or IPv6 address object group and add entries to it.

                Procedure
                  Step 1   From the Feature Selector pane, choose Security > Object Group > Address Group.

                  The Summary pane displays available devices.

                  Step 2   From the Summary pane, double-click the device to which you want to add an address object group.
                  Step 3   Click IPv4 or IPv6, as needed, and then from the menu bar, choose Actions > New > Address Group.

                  The cursor appears in a blank row for the new address object group.

                  Step 4   Type a name for the address object group and press Enter.
                  Step 5   For each address object group entry that you want to create, follow these steps:
                  1. Click the address object group and then from the menu bar choose Actions > New > Address Group Entry.

                    A new address object group entry appears below other entries in the group, if any. The Details pane shows the Entry Details tab for the type of address object group that you created.

                  2. On the Details tab, configure fields as needed.
                  Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

                  Cisco DCNM creates the address object group and its entries on the device.


                  Creating a Port Object Group

                  You can create a port object group and add entries to it.

                  Procedure
                    Step 1   From the Feature Selector pane, choose Security > Object Group > Port Group.

                    The Summary pane displays available devices.

                    Step 2   From the Summary pane, click the device to which you want to add a port object group.
                    Step 3   From the menu bar, choose Actions > New > Port Group.

                    The cursor appears in a blank row for the new port object group.

                    Step 4   Type a name for the port object group and press Enter.
                    Step 5   For each port object group entry that you want to create, follow these steps:
                    1. Click the port object group and then from the menu bar choose Actions > New > Port Group Entry.

                      A new port object group entry appears below other entries in the group, if any. The Details pane shows the Details tab for the port object group entry that you created.

                    2. On the Details tab, configure fields as needed.
                    Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

                    Cisco DCNM creates the port object group and its entries on the device.


                    Changing an Object Group

                    You can change, reorder, add, and remove entries in an existing object group.

                    Procedure
                      Step 1   From the Feature Selector pane, choose Security > Access Control > Object Group and then choose the applicable object group type: Address Group or Port Group.

                      The available devices appear in the Summary pane.

                      Step 2   From the Summary pane, double-click the device that has the object group that you want to change.
                      Step 3   (Optional) If you are changing an address object group, double-click the type of address object group: IPv4 or IPv6.
                      Step 4   Double-click the object group.

                      The entries of the object group that you double-clicked appear in the Summary pane.

                      Step 5   (Optional) If you want to change the details of an object group entry, click the entry in the Summary pane. From the Details tab, configure fields as needed.
                      Step 6   (Optional) If you want to add an entry, click the object group in the Summary pane and then from the menu bar, choose Actions > New > Address Group Entry or Port Group Entry. On the Details tab, configure fields as needed.
                      Step 7   (Optional) If you want to remove an object group entry, click the object group entry and then from the menu bar, choose Actions > Delete.
                      Step 8   (Optional) If you want to move an object group entry to a different position in the object group, click the entry in the Summary pane and then from the menu bar, choose one of the following, as applicable:
                      • Actions > Move Up

                      • Actions > Move Down

                      The entry swaps places and sequence numbers with the entry above it or below it, as you chose.

                      Step 9   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

                      Changing Sequence Numbers in an Object Group

                      You can change all the sequence numbers assigned to the entries in an object group.

                      Procedure
                        Step 1   From the Feature Selector pane, choose Security > Access Control > Object Group and then choose the applicable object group type: Address Group or Port Group.

                        The available devices appear in the Summary pane.

                        Step 2   From the Summary pane, double-click the device that has the object group that you want to change.
                        Step 3   (Optional) If you are changing an address object group, double-click the type of address object group: IPv4 or IPv6.
                        Step 4   Double-click the object group.

                        The entries of the object group that you double-clicked appear in the Summary pane. The Sequence Number column shows the sequence number assigned to each entry.

                        Step 5   Click the entry whose sequence number you want to change.

                        The Details pane shows the Sequence Number field for the entry.

                        Step 6   Click the Sequence Number field, edit the number, and press Tab.

                        In the Summary pane, the new sequence number appears and, if applicable, the entry moves to the position determined by the new sequence number.

                        Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

                        Configuring Time Ranges

                        Figure 3. Time-range Content Pane.

                        This figure shows the Time-range content pane.



                        Creating a Time Range

                        You can create a time range on the device and add rules to it.

                        Procedure
                          Step 1   From the Feature Selector pane, choose Security > Access Control > Time-range.

                          The available devices appear in the Summary pane.

                          Step 2   From the Summary pane, double-click the device to which you want to add a time range.

                          The time ranges present on the device, if any, appear in the Summary pane.

                          Step 3   From the menu bar, choose File > New > New Time-range.

                          A blank row appears in the Summary pane.

                          Step 4   In the row, enter a name for the time range.
                          Step 5   For each rule or remark that you want to add to the time range, from the menu bar, choose File > New and choose the type of rule or remark. On the Time Range Details tab, configure fields as needed.
                          Step 6   (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.

                          Changing a Time Range

                          You can change, reorder, add, and remove rules in an existing time range.

                          Procedure
                            Step 1   From the Feature Selector pane, choose Security > Access Control > Time-range.

                            The available devices appear in the Summary pane.

                            Step 2   (Optional) From the Summary pane, double-click the device that has the time range that you want to change and then double-click the time range. Time ranges on the device and the rules of the time range that you double-clicked appear in the Summary pane.
                            Step 3   (Optional) If you want to change the details of a rule, click the rule in the Summary pane and then, on the Time Range Details tab, configure fields as needed.
                            Step 4   (Optional) If you want to move a rule to a different position in the time range, click the rule and then from the menu bar, choose one of the following, as applicable:
                            • Actions > Move Up

                            • Actions > Move Down

                            The rule moves up or down, as you chose. The sequence numbers of the rules adjust accordingly.

                            Step 5   (Optional) If you want to add a rule, click the time range in the Summary pane and then from the menu bar, choose File > New and choose the type of rule. On the Time Range Details tab, configure fields as needed.
                            Step 6   (Optional) If you want to remove a rule, click the rule in the Summary pane and then from the menu bar, choose Actions > Delete.
                            Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

                            Removing a Time Range

                            You can remove a time range from the device.

                            Before You Begin

                            Ensure that you know whether the time range is used in any ACL rules. The device allows you to remove time ranges that are used in ACL rules. Removing a time range that is in use in an ACL rule does not affect the configuration of interfaces where you have applied the ACL. Instead, the device considers the ACL rule using the removed time range to be empty.

                            Procedure
                              Step 1   From the Feature Selector pane, choose Security > Access Control > Time-range.

                              The available devices appear in the Summary pane.

                              Step 2   From the Summary pane, double-click the device from which you want to remove a time range.

                              Time ranges currently on the device appear in the Summary pane.

                              Step 3   From the Summary pane, click the time range that you want to remove.
                              Step 4   From the menu bar, choose Actions > Delete.

                              DCNM removes the time range from the device and the time range disappears from the Summary pane.


                              Field Descriptions for Time Ranges

                              This table describes the fields for time range rules and remarks.



                              Table 14 Time Range Rule or Remark: Time Range Details Tab

                              Field

                              Description

                              All Time Range Rules and Remarks

                              Seq No

                              Display only. Sequence number assigned to the rule.

                              Remarks

                              Description

                              Remark text, with a maximum length of 100 alphanumeric characters. By default, this field is blank.

                              Absolute Rules

                              Date (Start)

                              Time and date that the absolute time range becomes active. By default, this list is blank.

                              You must configure either the start Date drop-down list, the end Date drop-down list, or both.

                              Date (End)

                              Time and date that the absolute time range becomes inactive. By default, this list is blank.

                              You must configure either the start Date drop-down list, the end Date drop-down list, or both.

                              Periodic Rules

                              Days

                              Days of the week that the periodic rule is active. You can choose one of the following radio buttons:

                              • Daily: The range is active every day of the week.
                              • Weekdays: The range is active Monday through Friday only.
                              • Weekend: The range is active Saturday and Sunday only.
                              • Specific Days: The range is active on the days specified in the Days of the week check boxes. This is the default value. The Day drop-down list (End) is available only when you choose this radio button and choose only one day in the Days of the week check boxes.

                              Days of the week

                              Days of the week that the periodic rule is active. These check boxes are available only if the Specific Days radio button is selected. By default, these check boxes are unchecked.

                              Time (Start)

                              Time that the range becomes active. The time in this spin box must be before the time in the Time (End) spin box. The default value is 00:00:00.

                              Day

                              Day of the week that the time range becomes inactive. This drop-down list is available only if you select the Specific Days radio button and select only one of the check boxes under Days of the week. By default, this list is unavailable.

                              Time (End)

                              Time that the range becomes inactive. The time in this spin box must be after the time in the Time (Start) spin box. The default value is 00:00:00.
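The following Python example is added here and is not code from this guide or from DCNM/NX-OS. It models the absolute and periodic rules described in this table, including the single-start-day-with-end-Day case where the window crosses midnight, and the behaviour noted under Removing a Time Range, where an ACL rule that references a removed time range is treated as empty. That several entries in one time range combine as "active if any entry is active" is an assumption of this model, and the sample ranges and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, FrozenSet, Optional

# Added model of the absolute and periodic time-range rules in Table 14 and of
# the "removed time range" behaviour described under Removing a Time Range.
# Not DCNM or NX-OS code. Assumption: a time range with several entries is
# active whenever any one entry is active. Sample data below is constructed.

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # datetime.weekday() numbering


@dataclass(frozen=True)
class AbsoluteRule:
    """Date (Start) / Date (End): at least one must be configured."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def __post_init__(self):
        if self.start is None and self.end is None:
            raise ValueError("configure the start date, the end date, or both")

    def active(self, now: datetime) -> bool:
        return ((self.start is None or now >= self.start)
                and (self.end is None or now <= self.end))


@dataclass(frozen=True)
class PeriodicRule:
    """Days / Days of the week / Time (Start) / Day / Time (End)."""
    days: str                                     # Daily | Weekdays | Weekend | Specific Days
    start: time = time(0, 0, 0)                   # Time (Start) default 00:00:00
    end: time = time(0, 0, 0)                     # Time (End) default 00:00:00
    specific_days: FrozenSet[int] = frozenset()   # Days of the week check boxes
    end_day: Optional[int] = None                 # Day list: only with exactly one specific day

    def __post_init__(self):
        if self.days == "Specific Days" and not self.specific_days:
            raise ValueError("Specific Days needs at least one day checked")
        if self.end_day is not None and len(self.day_set()) != 1:
            raise ValueError("an end Day needs exactly one start day")
        if self.end_day is None and self.start >= self.end:
            raise ValueError("Time (Start) must be before Time (End)")

    def day_set(self) -> FrozenSet[int]:
        table = {"Daily": frozenset(range(7)),
                 "Weekdays": frozenset(range(MON, FRI + 1)),
                 "Weekend": frozenset({SAT, SUN}),
                 "Specific Days": self.specific_days}
        if self.days not in table:
            raise ValueError(f"unknown Days choice: {self.days}")
        return table[self.days]

    def active(self, now: datetime) -> bool:
        if self.end_day is None:
            # Window lies within a single day
            return now.weekday() in self.day_set() and self.start <= now.time() <= self.end
        # Window runs from the start day at Time (Start) to the end Day at
        # Time (End); it may cross midnight, so look back for the window start.
        (start_day,) = self.day_set()
        span = (self.end_day - start_day) % 7
        for back in range(span + 1):
            day = now - timedelta(days=back)
            if day.weekday() == start_day:
                w_start = datetime.combine(day.date(), self.start)
                w_end = datetime.combine(day.date() + timedelta(days=span), self.end)
                return w_start <= now <= w_end
        return False


@dataclass(frozen=True)
class TimeRange:
    name: str
    rules: tuple   # AbsoluteRule / PeriodicRule entries

    def active(self, now: datetime) -> bool:
        return any(r.active(now) for r in self.rules)


def acl_rule_in_effect(time_range_name: Optional[str],
                       ranges: Dict[str, TimeRange], now: datetime) -> bool:
    """A rule with no time range is always in effect. A rule whose named time
    range has been removed is treated as empty, so it is never in effect."""
    if time_range_name is None:
        return True
    tr = ranges.get(time_range_name)
    if tr is None:
        return False
    return tr.active(now)


# Constructed samples: weekday business hours, and a Monday-evening window
# that ends Tuesday morning (Specific Days with one day checked plus an end Day).
BUSINESS_HOURS = TimeRange("business-hours", (PeriodicRule("Weekdays", time(9), time(17)),))
MAINTENANCE = TimeRange("maint-window",
                        (PeriodicRule("Specific Days", time(18), time(8), frozenset({MON}), end_day=TUE),))
RANGES = {tr.name: tr for tr in (BUSINESS_HOURS, MAINTENANCE)}

if __name__ == "__main__":
    print(acl_rule_in_effect("business-hours", RANGES, datetime(2024, 1, 10, 10, 0)))  # True (Wed)
    print(acl_rule_in_effect("maint-window", RANGES, datetime(2024, 1, 9, 7, 0)))      # True (Tue 07:00)
    print(acl_rule_in_effect("deleted-range", RANGES, datetime(2024, 1, 10, 10, 0)))   # False
```

The last call is the case the Before You Begin note warns about: once a time range is deleted, every permit that referenced it stops matching, and every deny that referenced it stops denying, without any change to the interface configuration. Before removing a time range, search the ACLs on the device for its name and decide what each affected rule should do afterwards.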

                              Additional References for IP ACLs

                              Standards

                              Standards

                              Title

                              No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                              Feature History for IP ACLs

                              This table lists the release history for this feature.



                              Table 15 Feature History for IP ACLs

                              Feature Name    Releases    Feature Information
                              IPv4 ACLs       5.2(1)      Added support for the Cisco Nexus 3000 Series Switches.
                              IP ACLs         5.1(1)      No change from Release 5.0.
                              IP ACLs         5.0(2)      Added support for object groups.
                              IP ACLs         4.2(1)      Added support for MAC packet classification on Layer 2 interfaces.