Configuring Access Control Lists

This chapter contains the following sections:

Information About ACLs

An access control list (ACL) is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the switch determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether the packet is permitted or denied. If there is no match, the switch applies the applicable default rule. The switch continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

IP ACL Types and Applications

The Cisco Nexus 3000 Series switch supports IPv4 for security traffic filtering. The switch allows you to use IP access control lists (ACLs) as port ACLs and VLAN ACLs as shown in the following table.

Table 1 Security ACL Applications

Application

Supported Interfaces

Types of ACLs Supported

Port ACL

An ACL is considered a port ACL when you apply it to one of the following:

  • Ethernet interface
  • Ethernet port-channel interface

When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.

IPv4 ACLs

VLAN ACL (VACL)

An ACL is a VACL when you use an access map to associate the ACL with an action and then apply the map to a VLAN.

IPv4 ACLs

Application Order

When the switch processes a packet, it determines the forwarding path of the packet. The path determines which ACLs that the switch applies to the traffic. The switch applies the Port ACLs first.

Rules

You can create rules in access-list configuration mode by using the permit or deny command. The switch allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host.

Protocols

ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 ACL, you can specify ICMP by name.

You can specify any protocol by number. In IPv4 ACLs, you can specify protocols by the integer that represents the Internet protocol number.

Implicit Rules

IP ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the switch applies them to traffic when no other rules in an ACL match.

All IPv4 ACLs include the following implicit rule:

deny ip any any
 

This implicit rule ensures that the switch denies unmatched IP traffic.

Additional Filtering Options

You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering options:

  • Layer 4 protocol
  • TCP and UDP ports
  • ICMP types and codes
  • IGMP types
  • Precedence level
  • Differentiated Services Code Point (DSCP) value
  • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
  • Established TCP connections

Sequence Numbers

The switch supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the switch. Sequence numbers simplify the following ACL tasks:

  • Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
  • Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
    switch(config-acl)# no permit tcp 10.0.0.0/8 any
    
     
    However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
    switch(config-acl)# no 101
    
     
  • Moving a rule—With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the switch adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the switch assigns the sequence number 235 to the new rule.

In addition, the Cisco Nexus 3000 Series switch allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers.

The switch stores operator-operand couples in registers called logical operator units (LOUs).

LOU usage for the "eq" operator is never stored in an LOU. The range operation is inclusive of boundary values.

The following guidelines determine when the switch stores operator-operand couples in LOUs:

  • If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU. For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
  • Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port. For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.

Configuring IP ACLs

Creating an IP ACL

You can create an IPv4 on the switch and add rules to it.

SUMMARY STEPS

    1.    switch# configure terminal

    2.    switch(config)# ip access-list name

    3.    switch(config)# ip access-list name

    4.    switch(config-acl)# [sequence-number] {permit | deny} protocol source destination

    5.    (Optional) switch(config-acl)# statistics

    6.    (Optional) switch# show ip access-lists name

    7.    (Optional) switch# copy running-config startup-config


DETAILED STEPS
      Command or Action Purpose
    Step 1 switch# configure terminal
     

    Enters configuration mode.

     
    Step 2 switch(config)# ip access-list name
     

    Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

     
    Step 3 switch(config)# ip access-list name
     

    Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

     
    Step 4 switch(config-acl)# [sequence-number] {permit | deny} protocol source destination
     

    Creates a rule in the IP ACL. You can create many rules. The sequence-number argument can be a whole number between 1 and 4294967295.

    The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 3000 Series Command Reference.

     
    Step 5 switch(config-acl)# statistics
     
    (Optional)

    Specifies that the switch maintains global statistics for packets that matches the rules in the ACL.

     
    Step 6 switch# show ip access-lists name
     
    (Optional)

    Displays the IP ACL configuration.

     
    Step 7 switch# copy running-config startup-config
     
    (Optional)

    Copies the running configuration to the startup configuration.

     

    The following example shows how to create an IPv4 ACL:

    switch# configure terminal
    switch(config-acl)# permit ip 192.168.2.0/24 any
    switch(config-acl)# statistics
    

    Changing an IP ACL

    You can add and remove rules in an existing IPv4 ACL. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.

    If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

    SUMMARY STEPS

      1.    switch# configure terminal

      2.    switch(config)#ip access-list name

      3.    switch(config-acl)# [sequence-number] {permit | deny} protocol source destination

      4.    (Optional) switch(config-acl)# no {sequence-number | {permit | deny} protocol source destination}

      5.    (Optional) switch(config-acl)# [no] statistics

      6.    (Optional) switch#show ip access-lists name

      7.    (Optional) switch# copy running-config startup-config


    DETAILED STEPS
        Command or Action Purpose
      Step 1 switch# configure terminal
       

      Enters configuration mode.

       
      Step 2 switch(config)#ip access-list name
       

      Enters IP ACL configuration mode for the ACL that you specify by name.

       
      Step 3 switch(config-acl)# [sequence-number] {permit | deny} protocol source destination
       

      Creates a rule in the IP ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The sequence-number argument can be a whole number between 1 and 4294967295.

      The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 3000 Series Command Reference.

       
      Step 4 switch(config-acl)# no {sequence-number | {permit | deny} protocol source destination}
       
      (Optional)

      Removes the rule that you specified from the IP ACL.

      The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 3000 Series Command Reference.

       
      Step 5 switch(config-acl)# [no] statistics
       
      (Optional)

      Specifies that the switch maintains global statistics for packets matching the rules in the ACL.

      The no option stops the switch from maintaining global statistics for the ACL.

       
      Step 6 switch#show ip access-lists name
       
      (Optional)

      Displays the IP ACL configuration.

       
      Step 7 switch# copy running-config startup-config
       
      (Optional)

      Copies the running configuration to the startup configuration.

       
      Related Information
      Changing Sequence Numbers in an IP ACL

      Removing an IP ACL

      You can remove an IP ACL from the switch.

      Before you remove an IP ACL from the switch, be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.

      SUMMARY STEPS

        1.    switch# configure terminal

        2.    switch(config)# no ip access-list name

        3.    (Optional) switch# show running-config

        4.    (Optional) switch# copy running-config startup-config


      DETAILED STEPS
          Command or Action Purpose
        Step 1 switch# configure terminal
         

        Enters configuration mode.

         
        Step 2 switch(config)# no ip access-list name
         

        Removes the IP ACL that you specified by name from the running configuration.

         
        Step 3 switch# show running-config
         
        (Optional)

        Displays the ACL configuration. The removed IP ACL should not appear.

         
        Step 4 switch# copy running-config startup-config
         
        (Optional)

        Copies the running configuration to the startup configuration.

         

        Changing Sequence Numbers in an IP ACL

        You can change all the sequence numbers assigned to the rules in an IP ACL.

        SUMMARY STEPS

          1.    switch# configure terminal

          2.    switch(config)# resequence ip access-list name starting-sequence-number increment

          3.    (Optional) switch# show ip access-lists name

          4.    (Optional) switch# copy running-config startup-config


        DETAILED STEPS
            Command or Action Purpose
          Step 1 switch# configure terminal
           

          Enters configuration mode.

           
          Step 2 switch(config)# resequence ip access-list name starting-sequence-number increment
           

          Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify. The starting-sequence-number argument and the increment argument can be a whole number between 1 and 4294967295.

           
          Step 3 switch# show ip access-lists name
           
          (Optional)

          Displays the IP ACL configuration.

           
          Step 4 switch# copy running-config startup-config
           
          (Optional)

          Copies the running configuration to the startup configuration.

           

          Applying an IP ACL to mgmt0

          You can apply an IPv4 ACL to the management interface (mgmt0).

          Before You Begin

          Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

          SUMMARY STEPS

            1.    configure terminal

            2.    interface mgmt port

            3.    ip access-group access-list {in | out}

            4.    (Optional) show running-config aclmgr

            5.    (Optional) copy running-config startup-config


          DETAILED STEPS
              Command or Action Purpose
            Step 1 configure terminal


            Example:
            switch# configure terminal
            switch(config)#
             

            Enters global configuration mode.

             
            Step 2 interface mgmt port


            Example:
            switch(config)# interface mgmt0
            switch(config-if)#
             

            Enters configuration mode for the management interface.

             
            Step 3 ip access-group access-list {in | out}


            Example:
            switch(config-if)#ip access-group acl-120 out
             

            Applies an IPv4 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.

             
            Step 4 show running-config aclmgr


            Example:
            switch(config-if)# show running-config aclmgr
             
            (Optional)

            Displays the ACL configuration.

             
            Step 5 copy running-config startup-config


            Example:
            switch(config-if)# copy running-config startup-config
             
            (Optional)

            Copies the running configuration to the startup configuration.

             

            Related Topics

            • Creating an IP ACL

            Applying an IP ACL as a Port ACL

            You can apply an IPv4 ACL to a physical Ethernet interface or a PortChannel. ACLs applied to these interface types are considered port ACLs.


            Note


            Some configuration parameters when applied to an EtherChannel are not reflected on the configuration of the member ports.


            SUMMARY STEPS

              1.    switch# configure terminal

              2.    switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number}

              3.    switch(config-if)# ip port access-group access-list in

              4.    switch(config-if)# ip port access-group access-list in

              5.    (Optional) switch# show running-config

              6.    (Optional) switch# copy running-config startup-config


            DETAILED STEPS
                Command or Action Purpose
              Step 1 switch# configure terminal
               

              Enters configuration mode.

               
              Step 2 switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number}
               

              Enters interface configuration mode for the specified interface.

               
              Step 3 switch(config-if)# ip port access-group access-list in
               

              Applies an IPv4 ACL to the interface or EtherChannel. Only inbound filtering is supported with port ACLs. You can apply one port ACL to an interface.

               
              Step 4 switch(config-if)# ip port access-group access-list in
               

              Applies an IPv4 ACL to the interface or EtherChannel. Only inbound filtering is supported with port ACLs. You can apply one port ACL to an interface.

               
              Step 5 switch# show running-config
               
              (Optional)

              Displays the ACL configuration.

               
              Step 6 switch# copy running-config startup-config
               
              (Optional)

              Copies the running configuration to the startup configuration.

               

              Verifying IP ACL Configurations

              To display IP ACL configuration information, perform one of the following tasks:

              • switch# show running-config

                Displays ACL configuration, including IP ACL configuration and interfaces that IP ACLs are applied to.

              • switch# show running-config interface

                Displays the configuration of an interface to which you have applied an ACL.

              For detailed information about the fields in the output from these commands, refer to the Cisco Nexus 3000 Series Command Reference.

              Monitoring and Clearing IP ACL Statistics

              Use the show ip access-lists command to display statistics about an IP ACL, including the number of packets that have matched each rule. For detailed information about the fields in the output from this command, see the Cisco Nexus 3000 Series Command Reference.


              Note


              The mac access-list is applicable to non-IPv4 traffic only.


              • switch#show ip access-lists name

                Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists command output includes the number of packets that have matched each rule.

              • switch# clear ip access-list counters [access-list-name]

                Clears statistics for all IP ACLs or for a specific IP ACL.

              Information About VLAN ACLs

              A VLAN ACL (VACL) is one application of a IP ACL. You can configure VACLs to apply to all packets that are bridged within a VLAN. VACLs are used strictly for security packet filtering. VACLs are not defined by direction (ingress or egress).


              Note


              If an IPv4 ACL, applied as a VLAN ACL, contains one or more ACEs with logical operators for TCP/UDP port numbers, the port numbers are matched in the ingress direction but ignored in the egress direction.


              VACLs have the following restrictions:
              • One VLAN access map can match only one IP ACL.
              • An IP ACL can have multiple permit/deny ACEs.
              • One VLAN can have only one access map applied.

              VACLs and Access Maps

              VACLs use access maps to link an IP ACL to an action. The switch takes the configured action on packets permitted by the VACL.

              VACLs and Actions

              In access map configuration mode, you use the action command to specify one of the following actions:

              • Forward—Sends the traffic to the destination determined by normal operation of the switch.
              • Drop—Drops the traffic.

              Statistics

              The switch can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.


              Note


              The Cisco Nexus 3000 Series switch does not support interface-level VACL statistics.


              For each VLAN access map that you configure, you can specify whether the switch maintains statistics for that VACL. This allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.

              Configuring VACLs

              Creating or Changing a VACL

              You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP ACL with an action to be applied to the matching traffic.

              To create or change a VACL, perform this task:

              SUMMARY STEPS

                1.    switch# configure terminal

                2.    switch(config)# vlan access-map map-name

                3.    switch(config-access-map)# match ip address ip-access-list

                4.    switch(config-access-map)# action {drop | forward}

                5.    (Optional) switch(config-access-map)# [no] statistics

                6.    (Optional) switch(config-access-map)# show running-config

                7.    (Optional) switch(config-access-map)# copy running-config startup-config


              DETAILED STEPS
                  Command or Action Purpose
                Step 1 switch# configure terminal
                 

                Enters configuration mode.

                 
                Step 2 switch(config)# vlan access-map map-name
                 

                Enters access map configuration mode for the access map specified.

                 
                Step 3 switch(config-access-map)# match ip address ip-access-list
                 

                Specifies an IPv4 ACL for the map.

                 
                Step 4 switch(config-access-map)# action {drop | forward}
                 

                Specifies the action that the switch applies to traffic that matches the ACL.

                 
                Step 5 switch(config-access-map)# [no] statistics
                 
                (Optional)

                Specifies that the switch maintains global statistics for packets matching the rules in the VACL.

                The no option stops the switch from maintaining global statistics for the VACL.

                 
                Step 6 switch(config-access-map)# show running-config
                 
                (Optional)

                Displays ACL configuration.

                 
                Step 7 switch(config-access-map)# copy running-config startup-config
                 
                (Optional)

                Copies the running configuration to the startup configuration.

                 

                Removing a VACL

                You can remove a VACL, which means that you will delete the VLAN access map.

                Be sure that you know whether the VACL is applied to a VLAN. The switch allows you to remove VACLs that are current applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the switch considers the removed VACL to be empty.

                SUMMARY STEPS

                  1.    switch# configure terminal

                  2.    switch(config)# no vlan access-map map-name

                  3.    (Optional) switch(config)# show running-config

                  4.    (Optional) switch(config)# copy running-config startup-config


                DETAILED STEPS
                    Command or Action Purpose
                  Step 1 switch# configure terminal
                   

                  Enters configuration mode.

                   
                  Step 2 switch(config)# no vlan access-map map-name
                   

                  Removes the VLAN access map configuration for the specified access map.

                   
                  Step 3 switch(config)# show running-config
                   
                  (Optional)

                  Displays ACL configuration.

                   
                  Step 4 switch(config)# copy running-config startup-config
                   
                  (Optional)

                  Copies the running configuration to the startup configuration.

                   

                  Applying a VACL to a VLAN

                  You can apply a VACL to a VLAN.

                  SUMMARY STEPS

                    1.    switch# configure terminal

                    2.    switch(config)# [no] vlan filter map-name vlan-list list

                    3.    (Optional) switch(config)# show running-config

                    4.    (Optional) switch(config)# copy running-config startup-config


                  DETAILED STEPS
                      Command or Action Purpose
                    Step 1 switch# configure terminal
                     

                    Enters configuration mode.

                     
                    Step 2 switch(config)# [no] vlan filter map-name vlan-list list
                     

                    Applies the VACL to the VLANs by the list that you specified. The no option unapplies the VACL.

                    The vlan-list command can specify a list of up to 32 VLANs, but multiple vlan-list commands can be configured to cover more than 32 VLANs.

                     
                    Step 3 switch(config)# show running-config
                     
                    (Optional)

                    Displays ACL configuration.

                     
                    Step 4 switch(config)# copy running-config startup-config
                     
                    (Optional)

                    Copies the running configuration to the startup configuration.

                     

                    Verifying VACL Configuration

                    To display VACL configuration information, perform one of the following tasks:

                    • switch# show running-config aclmgr

                      Displays ACL configuration, including VACL-related configuration.

                    • switch# show vlan filter

                      Displays information about VACLs that are applied to a VLAN.

                    • switch# show vlan access-map

                      Displays information about VLAN access maps.

                    Displaying and Clearing VACL Statistics

                    To display or clear VACL statistics, perform one of the following tasks:

                    • switch# show vlan access-list

                      Displays VACL configuration. If the VLAN access-map includes the statistics command, then the show vlan access-list command output includes the number of packets that have matched each rule.

                    • switch# clear vlan access-list counters

                      Clears statistics for all VACLs or for a specific VACL.

                    Configuration Examples for VACL

                    The following example shows how to configure a VACL to forward traffic permitted by an IP ACL named acl-ip-01 and how to apply the VACL to VLANs 50 through 82:

                    switch# configure terminal
                    
                    switch(config)# vlan access-map acl-ip-map
                    
                    switch(config-access-map)# match ip address acl-ip-01
                    
                    switch(config-access-map)# action forward
                    
                    switch(config-access-map)# exit
                    
                     switch(config)# vlan filter acl-ip-map vlan-list 50-82
                    
                     

                    Configuring ACL TCAM Region Sizes

                    You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware.

                    SUMMARY STEPS

                      1.    configure terminal

                      2.    hardware profile tcam region {arpacl | e-racl | ifacl | ipsg | qos |qoslbl | racl | vacl } tcam_size

                      3.    (Optional) copy running-config startup-config

                      4.    switch(config)# show hardware profile tcam region

                      5.    switch(config)# reload


                    DETAILED STEPS
                        Command or Action Purpose
                      Step 1 configure terminal


                      Example:
                      switch# configure terminal
                      switch(config) #
                       

                      Enters global configuration mode.

                       
                      Step 2 hardware profile tcam region {arpacl | e-racl | ifacl | ipsg | qos |qoslbl | racl | vacl } tcam_size
                       

                      Changes the ACL TCAM region size.

                      • arpacl—Configures the size of the Address Resolution Protocol (ARP) ACL (ARPACL) TCAM region.
                      • e-racl—Configures the size of the egress router ACL (ERACL) TCAM region.
                      • e-vacl—Configures the size of the egress VLAN ACL (EVACL) TCAM region.
                      • ifacl—Configures the size of the interface ACL (ifacl) TCAM region.
                      • ipsg—Configures the size of the IP Source Guard (IPSG) TCAM region.
                      • qos—Configures the size of the quality of service (QoS) TCAM region.
                      • qoslbl—Configures the size of the QoS Label (qoslbl) TCAM region.
                      • racl—Configures the size of the router ACL (RACL) TCAM region.
                      • vacl—Configures the size of the VLAN ACL (VACL) TCAM region.
                      • tcam_size—TCAM size. The range is from 0 to 2,14,74, 83, 647 entries.
                       
                      Step 3 copy running-config startup-config


                      Example:
                      switch(config) # copy running-config-startup-config
                      switch(config) #
                       
                      (Optional)

                      Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                       
                      Step 4 switch(config)# show hardware profile tcam region
                       

                      Displays the TCAM sizes that will be applicable on the next reload of the switch.

                       
                      Step 5 switch(config)# reload
                       

                      Copies the running configuration to the startup configuration.

                       

                      The following example shows how to change the size of the RACL TCAM region:

                      switch(config)# hardware profile tcam region racl 256 
                      [SUCCESS] New tcam size will be applicable only at boot time. 
                      You need to 'copy run start' and 'reload'
                      
                      switch(config)# copy running-configur startup-config 
                      switch(config)# reload 
                      WARNING: This command will reboot the system 
                      Do you want to continue? (y/n) [n] y

                      The following example shows the error message you see when you set the ARP ACL TCAM value to a value other than 0 or 128, and then shows how to change the size of the ARP ACL TCAM region and verify the changes:

                      switch(config)# hardware profile tcam region arpacl 200
                      ARPACL size can be either 0 or 128
                      
                      switch(config)# hardware profile tcam region arpacl 128
                      To start using ARPACL tcam, IFACL tcam size needs to be changed.
                      Changing IFACL tcam size to 256
                      [SUCCESS] New tcam size will be applicable only at boot time. 
                      You need to 'copy run start' and 'reload'
                      
                      switch(config)# show hardware profile tcam region
                         sup size = 128
                        vacl size = 512
                       ifacl size = 256 
                         qos size = 256 
                       rbacl size =	0 
                        span size = 128 
                        racl size = 256 
                      e-racl size = 512 
                      e-vacl size = 512 
                      qoslbl size = 512 
                        ipsg size = 512 
                      arpacl size = 128
                      switch(config)#

                      The following example shows how to configure the TCAM VLAN ACLs on a switch:

                      switch# configure sync 
                      Enter configuration commands, one per line. End with CNTL/Z. 
                      switch(config-sync)# switch-profile s5010 
                      Switch-Profile started, Profile ID is 1 
                      switch(config-sync-sp)# hardware profile tcam region vacl 512 
                      switch(config-sync-sp)# hardware profile tcam region e-vacl 512 
                      switch(config-sync-sp)#

                      Reverting to the Default TCAM Region Sizes

                      SUMMARY STEPS

                        1.    configure terminal

                        2.    switch(config)# no hardware profile tcam region

                        3.    (Optional) copy running-config startup-config

                        4.    switch(config)# reload


                      DETAILED STEPS
                          Command or Action Purpose
                        Step 1 configure terminal


                        Example:
                        switch# configure terminal
                        switch(config) #
                         

                        Enters global configuration mode.

                         
                        Step 2 switch(config)# no hardware profile tcam region
                         

                        Reverts the configuration to the default ACL TCAM size.

                         
                        Step 3 copy running-config startup-config


                        Example:
                        switch(config) # copy running-config-startup-config
                        switch(config) #
                         
                        (Optional)

                        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                         
                        Step 4 switch(config)# reload
                         

                        Reloads the switch.

                         
                        The following example shows how to revert to the default RACL TCAM region sizes:
                        switch(config)# no hardware profile tcam region 
                        [SUCCESS] New tcam size will be applicable only at boot time. 
                        You need to 'copy run start' and 'reload'
                        
                        switch(config)# copy running-configur startup-config 
                        switch(config)# reload 
                        WARNING: This command will reboot the system 
                        Do you want to continue? (y/n) [n] y

                        Configuring ACLs on Virtual Terminal Lines

                        To restrict incoming and outgoing connections between a Virtual Terminal (VTY) line and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.

                        Follow these guidelines when configuring ACLs on VTY lines:

                        • Set identical restrictions on all VTY lines because a user can connect to any of them.
                        • Statistics per entry is not supported for ACLs on VTY lines.
                        Before You Begin

                        Be sure that the ACL that you want to apply exists and is configured to filter traffic for this application.

                        SUMMARY STEPS

                          1.    switch# configure terminal

                          2.    switch(config)# line vty

                          3.    switch(config-line)# access-class access-list-number {in | out}

                          4.    (Optional) switch(config-line)# no access-class access-list-number {in | out}

                          5.    switch(config-line)# exit

                          6.    (Optional) switch# show running-config aclmgr

                          7.    (Optional) switch# copy running-config startup-config


                        DETAILED STEPS
                            Command or Action Purpose
                          Step 1 switch# configure terminal
                           

                          Enters global configuration mode.

                           
                          Step 2 switch(config)# line vty


                          Example:
                          switch(config)# line vty
                          switch(config-line)#
                           

                          Enters line configuration mode.

                           
                          Step 3 switch(config-line)# access-class access-list-number {in | out}


                          Example:
                          switch(config-line)# access-class ozi2 in
                          switch(config-line)#access-class ozi3 out
                          switch(config)#
                           

                          Specifies inbound or outbound access restrictions.

                           
                          Step 4 switch(config-line)# no access-class access-list-number {in | out}


                          Example:
                          switch(config-line)# no access-class ozi2 in
                          switch(config-line)# no access-class ozi3 out
                          switch(config)#
                           
                          (Optional)

                          Removes inbound or outbound access restrictions.

                           
                          Step 5 switch(config-line)# exit


                          Example:
                          switch(config-line)# exit
                          switch#
                           

                          Exits line configuration mode.

                           
                          Step 6 switch# show running-config aclmgr


                          Example:
                          switch# show running-config aclmgr
                           
                          (Optional)

                          Displays the running configuration of the ACLs on the switch.

                           
                          Step 7 switch# copy running-config startup-config


                          Example:
                          switch# copy running-config startup-config
                           
                          (Optional)

                          Copies the running configuration to the startup configuration.

                           

                          The following example shows how to apply the access-class ozi2 command to the in-direction of the vty line.

                          switch# configure terminal
                          Enter configuration commands, one per line.  End with CNTL/Z.
                          switch(config)# line vty
                          switch(config-line)# access-class ozi2 in
                          switch(config-line)# exit
                          switch#

                          Verifying ACLs on VTY Lines

                          To display the ACL configurations on VTY lines, perform one of the following tasks:

                          Command Purpose
                          show running-config aclmgr Displays the running configuration of the ACLs configured on the switch.
                          show users Displays the users that are connected.
                          show access-lists access-list-name Display the statistics per entry.

                          Configuration Examples for ACLs on VTY Lines

                          The following example shows the connected users on the console line (ttyS0) and the VTY lines (pts/0 and pts/1).

                          switch# show users
                          NAME     LINE         TIME         IDLE          PID COMMENT
                          admin    ttyS0        Aug 27 20:45   .         14425 *
                          admin    pts/0        Aug 27 20:06 00:46       14176 (172.18.217.82) session=ssh
                          admin    pts/1        Aug 27 20:52   .         14584 (10.55.144.118)
                          

                          The following example shows how to allow vty connections to all IPv4 hosts except 172.18.217.82 and how to deny vty connections to any IPv4 host except 10.55.144.118, 172.18.217.79, 172.18.217.82, 172.18.217.92:

                            switch# show running-config aclmgr 
                            !Time: Fri Aug 27 22:01:09 2010
                            version 5.0(2)N1(1)
                            ip access-list ozi
                              10 deny ip 172.18.217.82/32 any 
                              20 permit ip any any 
                            ip access-list ozi2
                              10 permit ip 10.55.144.118/32 any 
                              20 permit ip 172.18.217.79/32 any 
                              30 permit ip 172.18.217.82/32 any 
                              40 permit ip 172.18.217.92/32 any 
                            
                            
                            line vty
                              access-class ozi in
                              access-class ozi2 out
                            
                            

                            The following example shows how to configure the IP access list by enabling per-entry statistics for the ACL:

                            switch# conf t
                            Enter configuration commands, one per line. 
                            End with CNTL/Z. 
                            switch(config)# ip access-list ozi2
                            switch(config-acl)# statistics per-entry
                            switch(config-acl)# deny tcp 172.18.217.83/32 any
                            switch(config-acl)# exit
                            
                            switch(config)# ip access-list ozi
                            switch(config-acl)# statistics per-entry
                            switch(config-acl)# permit ip 172.18.217.20/24 any
                            switch(config-acl)# exit
                            switch#
                            

                            The following example shows how to apply the ACLs on VTY in and out directions:

                            switch(config)# line vty
                            switch(config-line)# ip access-class ozi in
                            switch(config-line)# access-class ozi2 out
                            switch(config-line)# exit
                            switch#
                            

                            The following example shows how to remove the access restrictions on the VTY line:

                             
                            switch# conf t 
                            Enter configuration commands, one per line. End
                            with CNTL/Z.
                            switch(config)# line vty
                            switch(config-line)# no access-class ozi2 in
                            switch(config-line)# no ip access-class ozi2 in
                            switch(config-line)# exit
                            switch#
                            

                            Default ACL Settings

                            The following table lists the default settings for IP ACLs parameters.

                            Table 2 Default IP ACLs Parameters

                            Parameters

                            Default

                            IP ACLs

                            No IP ACLs exist by default.

                            ACL rules

                            Implicit rules apply to all ACLs .

                            The following table lists the default settings for VACL parameters.

                            Table 3  Default VACL Parameters

                            Parameters

                            Default

                            VACLs

                            No IP ACLs exist by default.

                            ACL rules

                            Implicit rules apply to all ACLs.