Cisco Nexus 6000 Series NX-OS Security Configuration Guide, Release 7.x

Information About ACLs

An access control list (ACL) is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the switch determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether the packet is permitted or denied. If there is no match, the switch applies the applicable default rule. The switch continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

IP ACL Types and Applications

The Cisco Nexus device supports IPv4 for security traffic filtering. The switch allows you to use IP access control lists (ACLs) as port ACLs, VLAN ACLs, and Router ACLs as shown in the following table.

Table 1. Security ACL Applications

Application

Supported Interfaces

Types of ACLs Supported

Port ACL

An ACL is considered a port ACL when you apply it to one of the following:

Ethernet interface
Ethernet port-channel interface

When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.

IPv4 ACLs

IPv6 ACLs

Router ACL

VLAN interfaces

Note

You must enable VLAN interfaces globally before you can configure a VLAN interface.

Physical Layer 3 interfaces
Layer 3 Ethernet subinterfaces
Layer 3 Ethernet port-channel interfaces
Layer 3 Ethernet port-channel subinterfaces
Tunnels
Management interfaces

IPv4 ACLs

IPv6 ACLs

VLAN ACL (VACL)

An ACL is a VACL when you use an access map to associate the ACL with an action and then apply the map to a VLAN.

IPv4 ACLs

VTY ACL

VTYs

IPv4 ACLs

IPv6 ACLs

Application Order

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs that the device applies to the traffic. The device applies the ACLs in the following order:

Port ACL
Ingress VACL
Ingress Router ACL
Egress Router ACL
Egress VACL

Rules

Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.

he device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

This section describes some of the options that you can use when you configure a rule.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host.

Protocols

IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 ACL, you can specify ICMP by name.

You can specify any protocol by the integer that represents the Internet protocol number.

Implicit Rules

IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the switch applies them to traffic when no other rules in an ACL match.

All IPv4 ACLs include the following implicit rule:

deny ip any any

This implicit rule ensures that the switch denies unmatched IP traffic.

All IPv6 ACLs include the following implicit rule:

deny ipv6 any any


permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any router-advertisement
permit icmp any any router-solicitation

Unless you configure an IPv6 ACL with a rule that denies ICMPv6 neighbor discovery messages, the first four rules ensure that the device permits neighbor discovery advertisement and solicitation messages. The fifth rule ensures that the device denies unmatched IPv6 traffic.

Note

If you explicitly configure an IPv6 ACL with a deny ipv6 any any rule, the implicit permit rules can never permit traffic. If you explicitly configure a deny ipv6 any any rule but want to permit ICMPv6 neighbor discovery messages, explicitly configure a rule for all five implicit rules.

All MAC ACLs include the following implicit rule:

deny any any protocol

This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.

Additional Filtering Options

You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering options:

Layer 4 protocol
TCP and UDP ports
ICMP types and codes
IGMP types
Precedence level
Differentiated Services Code Point (DSCP) value
TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
Established TCP connections

MAC ACLs support the following additional filtering options:

Layer 3 protocol
VLAN ID
Class of Service (CoS)

Sequence Numbers

The Cisco Nexus device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:

Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
```
switch(config-acl)# no permit tcp 10.0.0.0/8 any
```
However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
```
switch(config-acl)# no 101
```
Moving a rule—With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.

In addition, the device allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers.

The Cisco Nexus device stores operator-operand couples in registers called logical operation units (LOUs) to perform operations (greater than, less than, not equal to, and range) on the TCP and UDP ports specified in an IP ACL.

Note

The range operator is inclusive of boundary values.

These LOUs minimize the number of ternary content addressable memory (TCAM) entries needed to perform these operations. A maximum of two LOUs are allowed for each feature on an interface. For example an ingress RACL can use two LOUs, and a QoS feature can use two LOUs. If an ACL feature requires more than two arithmetic operations, the first two operations use LOUs, and the remaining access control entries (ACEs) get expanded.

The following guidelines determine when the device stores operator-operand couples in LOUs:

If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU.

For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port.

For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.

Policy-Based ACLs

The device supports policy-based ACLs (PBACLs), which allow you to apply access control policies across object groups. An object group is a group of IP addresses or a group of TCP or UDP ports. When you create a rule, you specify the object groups rather than specifying IP addresses or ports.

Using object groups when you configure IPv4 or IPv6 ACLs can help reduce the complexity of updating ACLs when you need to add or remove addresses or ports from the source or destination of rules. For example, if three rules reference the same IP address group object, you can add an IP address to the object instead of changing all three rules.

PBACLs do not reduce the resources required by an ACL when you apply it to an interface. When you apply a PBACL or update a PBACL that is already applied, the device expands each rule that refers to object groups into one ACL entry per object within the group. If a rule specifies the source and destination both with object groups, the number of ACL entries created on the I/O module when you apply the PBACL is equal to the number of objects in the source group multiplied by the number of objects in the destination group.

The following object group types apply to port, router, and VLAN ACLs:

IPv4 address object groups: Can be used with IPv4 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.
IPv6 address object groups: Can be used with IPv6 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.
Protocol port object groups: Can be used with IPv4 and IPv6 TCP and UDP rules to specify source or destination ports. When you use the permit or deny command to configure a rule, the portgroup keyword allows you to specify an object group for the source or destination.

ACL Resource Management

Understanding the ACL capacities when configuring ACLs helps avoid resource contention and exhaustion. Because the platform enforces several types of ACLs in hardware rather than in software, the switch programs hardware lookup tables and various hardware resources so that when a packet arrives, the switch can perform a hardware table lookup and execute the appropriate action without affecting performance, while the packets are cut-through switched.

For typical configurations, the switch uses one of the following main hardware resources:

Logical operation units (LOUs)-Registers that are used to store Layer 2, Layer 3, and Layer 4 operations information.
Value, Mask, Result (VMR)-Entries in the TCAM that consist of a value pattern, the associated mask value, and a result for lookups returning a hit for the entry.

The switch optimizes the use of these hardware resources for Layer 4 operations (L4Op). When the number of (L4Ops) are exhausted, an ACL that needs to check a particular value using a L4Op can be expanded to use a set of entries in the TCAM instead. The ACL uses the TCAM entries to perform the same filtering that L4Op would have performed.

If the number of L4Ops are not exhausted, the switch computes the cost of using each resource. If the cost of using a set of expanded TCAM entries is less than that of using a L4Op, the switch expands the set of TCAM entries to preserve the L4Op for higher priority operations.

Depending on the size of ACL TCAM, and the size of various regions in the TCAM, it is possible that policies that are expanded might not fit within the available space. For example, after the switch is reloaded, the set of policies that were expanded before might not be expanded again.

To manage this issue, you can configure a threshold value. The threshold value is from 0 to 32 and the default value is 5. When an ACL policy needs a L4Op, the policy is expanded to check if the number of expanded TCAM entries needed exceeds the threshold value. If the number exceeds the threshold value, the expansion is not used, and L4Op is used instead. If the number of TCAM entries do not exceed the threshold value (that is, they are less than or equal to the threshold value), then the expanded TCAM entries are installed.

Note

If there is an ACL policy that uses both a source L4Op and destination L4Op, the source L4Op and destination L4Op are expanded individually. The following example shows an ACL policy with source and destination L4Ops:

permit tcp any get 546 any range 236 981

Statistics and ACLs

The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.

Note

The device does not support interface-level ACL statistics.

For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.

The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules.

Licensing Requirements for ACLs

The following table shows the licensing requirements for this feature:


Product	License Requirement
Cisco NX-OS	No license is required to use ACLs.

Prerequisites for ACLs

IP ACLs have the following prerequisites:

You must be familiar with IP addressing and protocols to configure IP ACLs.
You must be familiar with the interface types that you want to configure with ACLs.

VACLs have the following prerequisite:

Ensure that the IP ACL that you want to use in the VACL exists and is configured to filter traffic in the manner that you need for this application.

Guidelines and Limitations for ACLs

IP ACLs have the following configuration guidelines and limitations:

We recommend that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This is especially useful for ACLs that include more than about 1000 rules.
To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally.

MAC ACLs have the following configuration guidelines and limitations:

MAC ACLs apply to ingress traffic only.
ACL statistics are not supported if the DHCP snooping feature is enabled.

VACLs have the following configuration guidelines and limitations:

We recommend that you perform ACL configurations using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.
ACL statistics are not supported if the DHCP snooping feature is enabled.

Default ACL Settings

The following table lists the default settings for IP ACLs parameters.

Table 2. Default IP ACLs Parameters
Parameters	Default
IP ACLs	No IP ACLs exist by default.
ACL rules	Implicit rules apply to all ACLs .
Object groups	No object groups exist by default.

The following table lists the default settings for VACL parameters.

Table 3. Default VACL Parameters
Parameters	Default
VACLs	No IP ACLs exist by default.
ACL rules	Implicit rules apply to all ACLs.

Creating an IP ACL

You can create an IPv4 or IPv6 ACL on the switch and add rules to it.

Procedure

Step 1	switch# configure terminal Enters global configuration mode.
Step 2	switch(config)# {ip \| ipv6} access-list `name` Creates the IP ACL and enters IP ACL configuration mode. The `name` argument can be up to 64 characters.
Step 3	switch(config-acl)# [`sequence-number`] {permit \| deny} `protocol` `source` `destination` Creates a rule in the IP ACL. You can create many rules. The `sequence-number` argument can be a whole number between 1 and 4294967295. The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for the specific Cisco Nexus device.
Step 4	(Optional) switch(config-acl)# statistics Specifies that the switch maintains global statistics for packets that match the rules in the ACL.
Step 5	(Optional) switch# show {ip \| ipv6} access-lists `name` Displays the IP ACL configuration.
Step 6	(Optional) switch# copy running-config startup-config Copies the running configuration to the startup configuration.

Example

This example shows how to create an IPv4 ACL:

switch# configure terminal
switch(config)# ip access-list acl-01
switch(config-acl)# permit ip 192.168.2.0/24 any
switch(config-acl)# statistics

This example shows how to create an IPv6 ACL:

switch# configure terminal
switch(config)# ipv6 access-list acl-01-ipv6
switch(config-ipv6-acl)# permit tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64

Changing an IP ACL

You can add and remove rules in an existing IPv4 or IPv6 ACL. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# {ip \| ipv6} access-list `name`	Enters IP ACL configuration mode for the ACL that you specify by name.
Step 3	switch(config)# ip access-list `name`	Enters IP ACL configuration mode for the ACL that you specify by name.
Step 4	switch(config-acl)# [`sequence-number`] {permit \| deny} `protocol` `source` `destination`	Creates a rule in the IP ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The `sequence-number` argument can be a whole number between 1 and 4294967295. The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for your Cisco Nexus device.
Step 5	(Optional) switch(config-acl)# no {`sequence-number` \| {permit \| deny} `protocol` `source` `destination`}	(Optional) Removes the rule that you specified from the IP ACL. The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for your Cisco Nexus device.
Step 6	(Optional) switch(config-acl)# [no] statistics	(Optional) Specifies that the switch maintains global statistics for packets that match the rules in the ACL. The no option stops the switch from maintaining global statistics for the ACL.
Step 7	(Optional) switch#show ip access-lists `name`	(Optional) Displays the IP ACL configuration.
Step 8	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Removing an IP ACL

You can remove an IP ACL from the switch.

Before you remove an IP ACL from the switch, be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# no {ip \| ipv6} access-list `name`	Removes the IP ACL that you specified by name from the running configuration.
Step 3	switch(config)# no ip access-list `name`	Removes the IP ACL that you specified by name from the running configuration.
Step 4	(Optional) switch# show running-config	(Optional) Displays the ACL configuration. The removed IP ACL should not appear.
Step 5	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Changing Sequence Numbers in an IP ACL

You can change all the sequence numbers assigned to the rules in an IP ACL.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	(Optional) switch# show {ip \| ipv6} access-lists `name`	(Optional) Displays the IP ACL configuration.
Step 3	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Configuring ACLs with Logging

You can create an access-control list for logging traffic of a specified protocol and address.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# {ip \| ipv6} access-list `name`	Creates the IP ACL and enters IP ACL configuration mode. The `name` argument can be up to 64 characters.
Step 3	switch(config-acl)# permit `protocol source destination` log	Creates a rule to log traffic of the specified protocol in the syslog file. in the IP ACL. Valid values for the `protocol` argument are: icmp —ICMP igmp —IGMP ip —IPv4 ipv6 —IPv6 tcp —TCP udp —UDP sctp —SCTP (IPv6 only) The source and destination arguments can be the IP address with a network wildcard (IPv4 only), IP address and variable-length subnet mask, host address, or any to designate any address. For more information, see the System Management configuration guide and the Security command reference for your platform.
Step 4	switch(config-acl)# exit	Exists the current configuration mode.
Step 5	(Optional) switch(config)# copy running-config startup-config	(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

The following example shows how to create an ACL for logging entries that match IPv4 TCP traffic from any source and any destination:

switch# configuration terminal
switch(config)# ip access-list tcp_log
switch(config-acl)# permit tcp any any log
switch(config-acl)# exit
switch(config)# copy running-config startup-config

Applying an IP ACL to mgmt0

You can apply an IPv4 or IPv6 ACL to the management interface (mgmt0).

Before you begin

Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface mgmt `port` Example: `switch(config)# interface mgmt0 switch(config-if)#`	Enters configuration mode for the management interface.
Step 3	ip access-group `access-list` {in \| out} Example: `switch(config-if)#ip access-group acl-120 out`	Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.
Step 4	(Optional) show running-config aclmgr Example: `switch(config-if)# show running-config aclmgr`	(Optional) Displays the ACL configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config-if)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Applying an IP ACL as a Router ACL

You can apply an IPv4 or IPv6 ACL to any of the following types of interfaces:

Physical Layer 3 interfaces and subinterfaces
Layer 3 Ethernet port-channel interfaces and subinterfaces
VLAN interfaces
Tunnels
Management interfaces

ACLs applied to these interface types are considered router ACLs.

Before you begin

Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	Enter one of the following commands: switch(config)# interface ethernet `slot`/`port`[. `number`] switch(config)# interface port-channel `channel-number`[. `number`] switch(config)# interface tunnel `tunnel-number` switch(config)# interface vlan `vlan-ID` switch(config)# interface mgmt `port`	Enters configuration mode for the interface type that you specified.
Step 3	Enter one of the following commands: switch(config-if)# ip access-group `access-list` {in \| out} switch(config-if)# ipv6 traffic-filter `access-list` {in \| out}	Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.
Step 4	(Optional) switch(config-if)# show running-config aclmgr	(Optional) Displays the ACL configuration.
Step 5	(Optional) switch(config-if)# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Applying an IP ACL as a Port ACL

You can apply an IPv4 ACL to a physical Ethernet interface or a PortChannel. ACLs applied to these interface types are considered port ACLs.

Note

Some configuration parameters when applied to an PortChannel are not reflected on the configuration of the member ports.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# interface {ethernet [`chassis`/]`slot`/`port` \| port-channel `channel-number`}	Enters interface configuration mode for the specified interface.
Step 3	(Optional) switch# show running-config	(Optional) Displays the ACL configuration.
Step 4	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Verifying IP ACL Configurations

To display IP ACL information, perform one of the following tasks:


Command	Purpose
show running-config	Displays ACL configuration, including IP ACL configuration and interfaces that IP ACLs are applied to.
show running-config interface	Displays the configuration of an interface to which you have applied an ACL.

For detailed information about the fields in the output from these commands, refer to the Command Reference for your Cisco Nexus device.

Monitoring and Clearing IP ACL Statistics


Command or Action	Purpose
show {ip \| ipv6} access-lists `name`	Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists and show ipv6 access-list command output includes the number of packets that have matched each rule.
show ip access-lists `name`	Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists command output includes the number of packets that have matched each rule.
clear {ip \| ipv6} access-list counters [`access-list-name`]	Clears statistics for all IP ACLs or for a specific IP ACL.
clear ip access-list counters [`access-list-name`]	Clears statistics for all IP ACLs or for a specific IP ACL.

Configuring Object Groups

You can use object groups to specify source and destination addresses and protocol ports in IPv4 ACL and IPv6 ACL rules.

Session Manager Support for Object Groups

Session Manager supports the configuration of object groups. This feature allows you to create a configuration session and verify your object group configuration changes prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide.

Creating and Changing an IPv4 Address Object Group

You can create and change an IPv4 address group object.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	object-group ip address `name` Example: `switch(config)# object-group ip address ipv4-addr-group-13 switch(config-ipaddr-ogroup)#`	Creates the IPv4 address object group and enters IPv4 address object-group configuration mode.
Step 3	Enter one of the following commands: [`sequence-number`] host `IPv4-address` [`sequence-number`] `IPv4-address` `network-wildcard` [`sequence-number`] `IPv4-address`/`prefix-len` Example: `switch(config-ipaddr-ogroup)# host 10.99.32.6`	Creates an entry in the object group. For each entry that you want to create, use the host command and specify a single host or omit the host command to specify a network of hosts.
Step 4	Enter one of the following commands: no [`sequence-number` ] no host `IPv4-address` no `IPv4-address` `network-wildcard` no `IPv4-address`/`prefix-len` Example: `switch(config-ipaddr-ogroup)# no host 10.99.32.6`	Removes an entry in the object group. For each entry that you want to remove from the object group, use the no form of the host command.
Step 5	(Optional) show object-group `name` Example: `switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13`	(Optional) Displays the object group configuration.
Step 6	(Optional) copy running-config startup-config Example: `switch(config-ipaddr-ogroup)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Creating and Changing an IPv6 Address Object Group

You can create and change an IPv6 address group object.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	object-group ipv6 address `name` Example: `switch(config)# object-group ipv6 address ipv6-addr-group-A7 switch(config-ipv6addr-ogroup)#`	Creates the IPv6 address object group and enters IPv6 address object-group configuration mode.
Step 3	Enter one of the following commands: [`sequence-number`] host `IPv6-address` [`sequence-number`] `IPv6-address`/`prefix-len` Example: `switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1`	Creates an entry in the object group. For each entry that you want to create, use the host command and specify a single host or omit the host command specify a network of hosts.
Step 4	Enter one of the following commands: no `sequence-number` no host `IPv6-address` no `IPv6-address`/`prefix-len` Example: `switch(config-ipv6addr-ogroup)# no host 2001:db8:0:3ab0::1`	Removes an entry from the object group. For each entry that you want to remove from the object group, use the no form of the host command.
Step 5	(Optional) show object-group `name` Example: `switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7`	(Optional) Displays the object group configuration.
Step 6	(Optional) copy running-config startup-config Example: `switch(config-ipv6addr-ogroup)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Creating and Changing a Protocol Port Object Group

You can create and change a protocol port object group.

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

object-group ip port name

Example:

switch(config)# object-group ip port NYC-datacenter-ports
switch(config-port-ogroup)#

Creates the protocol port object group and enters port object-group configuration mode.

Step 3

[sequence-number] operator port-number [port-number]

Example:

switch(config-port-ogroup)# eq 80

Creates an entry in the object group. For each entry that you want to create, use one of the following operator commands:

eq—Matches the port number that you specify only.
gt—Matches port numbers that are greater than (and not equal to) the port number that you specify.
lt—Matches port numbers that are less than (and not equal to) the port number that you specify.
neq—Matches all port numbers except for the port number that you specify.
range—Matches the range of port number between and including the two port numbers that you specify.

Note

The range command is the only operator command that requires two port-number arguments.

Step 4

no {sequence-number | operator port-number [port-number]}

Example:

switch(config-port-ogroup)# no eq 80

Removes an entry from the object group. For each entry that you want to remove, use the no form of the applicable operator command.

Step 5

(Optional) show object-group name

Example:

switch(config-port-ogroup)# show object-group NYC-datacenter-ports

(Optional)

Displays the object group configuration.

Step 6

(Optional) copy running-config startup-config

Example:

switch(config-port-ogroup)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Removing an Object Group

You can remove an IPv4 address object group, an IPv6 address object group, or a protocol port object group.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	no object-group {ip address \| ipv6 address \| ip port} `name` Example: `switch(config)# no object-group ip address ipv4-addr-group-A7`	Removes the object group that you specified.
Step 3	(Optional) show object-group Example: `switch(config)# show object-group`	(Optional) Displays all object groups. The removed object group should not appear.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Verifying the Object-Group Configuration

To display object-group configuration information, perform one of the following tasks:


Command	Purpose
show object-group	Displays the object-group configuration.
show running-config aclmgr	Displays ACL configuration, including object groups.

For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Creating a MAC ACL

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch# mac access-list `name`	Creates the MAC ACL and enters ACL configuration mode.
Step 3	switch(config-mac-acl)# [`sequence-number`] {permit \| deny} `source` `destination protocol`	Creates a rule in the MAC ACL. The permit and deny options support many ways of identifying traffic. For more information, see the Security command reference for your platform.
Step 4	(Optional) switch(config-mac-acl)# statistics	(Optional) Specifies that the switch maintains global statistics for packets matching the rules in the ACL.
Step 5	(Optional) switch# show mac access-lists `name`	(Optional) Displays the MAC ACL configuration.
Step 6	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Example

The following example shows how to create a MAC ACL and add rules to it:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics

Changing a MAC ACL

In an existing MAC ACL, you can add and remove rules. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# mac access-list `name`	Enters ACL configuration mode for the ACL that you specify by name.
Step 3	switch(config-mac-acl)# [`sequence-number`] {permit \| deny} `source` `destination` `protocol`	Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The permit and deny commands support many ways of identifying traffic.
Step 4	(Optional) switch(config-mac-acl)# no {`sequence-number` \| {permit\|deny} `source` `destination protocol`}	(Optional) Removes the rule that you specify from the MAC ACL. The permit and deny commands support many ways of identifying traffic.
Step 5	(Optional) switch(config-mac-acl)# [no] statistics	(Optional) Specifies that the switch maintains global statistics for packets matching the rules in the ACL. The no option stops the switch from maintaining global statistics for the ACL.
Step 6	(Optional) switch# show mac access-lists `name`	(Optional) Displays the MAC ACL configuration.
Step 7	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Example

The following example shows how to change a MAC ACL:

switch# configure terminal

switch(config)# mac access-list acl-mac-01

switch(config-mac-acl)# 100 permit mac 00c0.4f00.00 0000.00ff.ffff any

switch(config-mac-acl)# statistics

Removing a MAC ACL

You can remove a MAC ACL from the switch.

Be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are current applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# no mac access-list `name`	Removes the MAC ACL that you specify by name from the running configuration.
Step 3	(Optional) switch# show mac access-lists	(Optional) Displays the MAC ACL configuration.
Step 4	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Changing Sequence Numbers in a MAC ACL

You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# resequence mac access-list `name` `starting-sequence-number` `increment`	Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the number specified by the starting-sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment number that you specify.
Step 3	(Optional) switch# show mac access-lists `name`	(Optional) Displays the MAC ACL configuration.
Step 4	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Applying a MAC ACL as a Port ACL

You can apply a MAC ACL as a port ACL to any of the following interface types:

Ethernet interfaces
EtherChannel interfaces

Be sure that the ACL that you want to apply exists and is configured to filter traffic as necessary for this application.

Note

Some configuration parameters when applied to an EtherChannel are not reflected on the configuration of the member ports.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# interface {ethernet [`chassis`/]`slot`/`port` \| port-channel `channel-number`}	Enters interface configuration mode for the Ethernet specified interface.
Step 3	switch(config-if)# mac port access-group `access-list`	Applies a MAC ACL to the interface.
Step 4	(Optional) switch# show running-config	(Optional) Displays ACL configuration.
Step 5	(Optional) switch# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Verifying MAC ACL Configurations

To display MAC ACL information, perform one of the following tasks:


Command	Purpose
show mac access-lists	Displays the MAC ACL configuration.
show running-config	Displays ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to.
show running-config interface	Displays the configuration of the interface to which you applied the ACL.

Displaying and Clearing MAC ACL Statistics

To display and clear MAC ACL statistics, perform one of the following tasks:


Command	Purpose
show mac access-lists	Displays MAC ACL configuration. If the MAC ACL includes the statistics command, the show mac access-lists command output includes the number of packets that have matched each rule.
clear mac access-list counters	Clears statistics for all MAC ACLs or for a specific MAC ACL.

Example Configuration for MAC ACLs

This example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 1/1:

switch# configure terminal

switch(config)# mac access-list acl-mac-01

switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any

switch(config-mac-acl)# exit

switch(config)# interface ethernet 1/1

switch(config-if)# mac access-group acl-mac-01

Information About VLAN ACLs

A VLAN ACL (VACL) is one application of an IP ACL. You can configure VACLs to apply to all packets that are bridged within a VLAN. VACLs are used strictly for security packet filtering. VACLs are not defined by direction (ingress or egress).

VACLs and Access Maps

VACLs use access maps to link an IP ACL to an action. The switch takes the configured action on packets that are permitted by the VACL.

VACLs and Actions

In access map configuration mode, you use the action command to specify one of the following actions:

Forward—Sends the traffic to the destination determined by normal operation of the switch.
Drop—Drops the traffic.

Statistics

The Cisco Nexus device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.

Note

The Cisco Nexus device does not support interface-level VACL statistics.

For each VLAN access map that you configure, you can specify whether the switch maintains statistics for that VACL. This allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.

Creating or Changing a VACL

You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP ACL with an action to be applied to the matching traffic.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# vlan access-map `map-name`	Enters access map configuration mode for the access map specified.
Step 3	switch(config-access-map)# match ip address `ip-access-list`	Specifies an IPv4 and IPv6 ACL for the map.
Step 4	switch(config-access-map)# action {drop \| forward}	Specifies the action that the switch applies to traffic that matches the ACL.
Step 5	(Optional) switch(config-access-map)# [no] statistics	(Optional) Specifies that the switch maintains global statistics for packets matching the rules in the VACL. The no option stops the switch from maintaining global statistics for the VACL.
Step 6	(Optional) switch(config-access-map)# show running-config	(Optional) Displays the ACL configuration.
Step 7	(Optional) switch(config-access-map)# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Removing a VACL

You can remove a VACL, which means that you will delete the VLAN access map.

Be sure that you know whether the VACL is applied to a VLAN. The switch allows you to remove VACLs that are current applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the switch considers the removed VACL to be empty.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# no vlan access-map `map-name`	Removes the VLAN access map configuration for the specified access map.
Step 3	(Optional) switch(config)# show running-config	(Optional) Displays ACL configuration.
Step 4	(Optional) switch(config)# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Applying a VACL to a VLAN

You can apply a VACL to a VLAN.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# [no] vlan filter `map-name` vlan-list `list`	Applies the VACL to the VLANs by the list that you specified. The no option unapplies the VACL. The vlan-list command can specify a list of up to 32 VLANs, but multiple vlan-list commands can be configured to cover more than 32 VLANs.
Step 3	(Optional) switch(config)# show running-config	(Optional) Displays ACL configuration.
Step 4	(Optional) switch(config)# copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Verifying the VACL Configuration

To display VACL configuration information, perform one of the following tasks:


Command	Purpose
show running-config aclmgr	Displays ACL configuration, including VACL-related configuration.
show vlan filter	Displays information about VACLs that are applied to a VLAN.
show vlan access-map	Displays information about VLAN access maps.

Displaying and Clearing VACL Statistics

To display or clear VACL statistics, perform one of the following tasks:


Command	Purpose
show vlan access-list	Displays VACL configuration. If the VLAN access-map includes the statistics command, then the show vlan access-list command output includes the number of packets that have matched each rule.
clear vlan access-list counters	Clears statistics for all VACLs or for a specific VACL.

Configuration Examples for VACL

The following example shows how to configure a VACL to forward traffic permitted by an IP ACL named acl-ip-01 and how to apply the VACL to VLANs 50 through 82:

switch# configure terminal

switch(config)# vlan access-map acl-ip-map

switch(config-access-map)# match ip address acl-ip-01

switch(config-access-map)# action forward

switch(config-access-map)# exit

 switch(config)# vlan filter acl-ip-map vlan-list 50-82

Configuring ACLs on Virtual Terminal Lines

To restrict incoming and outgoing connections for IPv4 or IPv6 between a Virtual Terminal (VTY) line and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.

Follow these guidelines when configuring ACLs on VTY lines:

Set identical restrictions on all VTY lines because a user can connect to any of them.
Statistics per entry is not supported for ACLs on VTY lines.

Before you begin

Be sure that the ACL that you want to apply exists and is configured to filter traffic for this application.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# line vty Example: `switch(config)# line vty switch(config-line)#`	Enters line configuration mode.
Step 3	switch(config-line)# access-class access-list-number {in \| out} Example: `switch(config-line)# access-class ozi2 in switch(config-line)#access-class ozi3 out switch(config)#`	Specifies inbound or outbound access restrictions.
Step 4	(Optional) switch(config-line)# no access-class access-list-number {in \| out} Example: `switch(config-line)# no access-class ozi2 in switch(config-line)# no access-class ozi3 out switch(config)#`	(Optional) Removes inbound or outbound access restrictions.
Step 5	switch(config-line)# exit Example: `switch(config-line)# exit switch#`	Exits line configuration mode.
Step 6	(Optional) switch# show running-config aclmgr Example: `switch# show running-config aclmgr`	(Optional) Displays the running configuration of the ACLs on the switch.
Step 7	(Optional) switch# copy running-config startup-config Example: `switch# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Example

The following example shows how to apply the access-class ozi2 command to the in-direction of the vty line.

switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# line vty
switch(config-line)# access-class ozi2 in
switch(config-line)# exit
switch#

Verifying ACLs on VTY Lines

To display the ACL configurations on VTY lines, perform one of the following tasks:

Command	Purpose
show running-config aclmgr	Displays the running configuration of the ACLs configured on the switch.
show users	Displays the users that are connected.
show access-lists `access-list-name`	Display the statistics per entry.

Configuration Examples for ACLs on VTY Lines

The following example shows the connected users on the console line (ttyS0) and the VTY lines (pts/0 and pts/1).

switch# show users
NAME     LINE         TIME         IDLE          PID COMMENT
admin    ttyS0        Aug 27 20:45   .         14425 *
admin    pts/0        Aug 27 20:06 00:46       14176 (172.18.217.82) session=ssh
admin    pts/1        Aug 27 20:52   .         14584 (10.55.144.118)

The following example shows how to allow vty connections to all IPv4 hosts except 172.18.217.82 and how to deny vty connections to any IPv4 host except 10.55.144.118, 172.18.217.79, 172.18.217.82, 172.18.217.92:

switch# show running-config aclmgr 
!Time: Fri Aug 27 22:01:09 2010
version 5.0(2)N1(1)
ip access-list ozi
  10 deny ip 172.18.217.82/32 any 
  20 permit ip any any 
ip access-list ozi2
  10 permit ip 10.55.144.118/32 any 
  20 permit ip 172.18.217.79/32 any 
  30 permit ip 172.18.217.82/32 any 
  40 permit ip 172.18.217.92/32 any 


line vty
  access-class ozi in
  access-class ozi2 out

The following example shows how to configure the IP access list by enabling per-entry statistics for the ACL:

switch# configure terminal
Enter configuration commands, one per line. 
End with CNTL/Z. 
switch(config)# ip access-list ozi2
switch(config-acl)# statistics per-entry
switch(config-acl)# deny tcp 172.18.217.83/32 any
switch(config-acl)# exit

switch(config)# ip access-list ozi
switch(config-acl)# statistics per-entry
switch(config-acl)# permit ip 172.18.217.20/24 any
switch(config-acl)# exit
switch#

The following example shows how to apply the ACLs on VTY in and out directions:

switch(config)# line vty
switch(config-line)# ip access-class ozi in
switch(config-line)# access-class ozi2 out
switch(config-line)# exit
switch#

The following example shows how to remove the access restrictions on the VTY line:

 
switch# configure terminal
Enter configuration commands, one per line. End
with CNTL/Z.
switch(config)# line vty
switch(config-line)# no access-class ozi2 in
switch(config-line)# no ip access-class ozi2 in
switch(config-line)# exit
switch#

Configuring the ACL Resource Usage Threshold

You can configure a threshold value for the number of Logical Operation Units (LOUs).

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode.
Step 2	switch(config)# hardware access-list lou resource threshold `value`	Configures the threshold value for the number of LOUs.
Step 3	(Optional) switch(config-if)# copy running-config startup-config	(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

The following example shows how to configure the maximum threshold value for LOUs:

switch# configuration terminal
switch(config)# hardware access-list lou resource threshold 15

Bias-Free Language

Results

Chapter: Configuring Access Control Lists

Configuring Access Control Lists

Information About ACLs

IP ACL Types and Applications

Application Order

Rules

Source and Destination

Protocols

Implicit Rules

Additional Filtering Options

Sequence Numbers

Logical Operators and Logical Operation Units

Policy-Based ACLs

ACL Resource Management

Statistics and ACLs

Licensing Requirements for ACLs

Prerequisites for ACLs

Guidelines and Limitations for ACLs

Default ACL Settings

Creating an IP ACL

Procedure

Example

Changing an IP ACL

Procedure

Removing an IP ACL

Procedure

Changing Sequence Numbers in an IP ACL

Procedure

Configuring ACLs with Logging

Procedure

Example

Applying an IP ACL to mgmt0

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Applying an IP ACL as a Router ACL

Before you begin

Procedure

Applying an IP ACL as a Port ACL

Procedure

Verifying IP ACL Configurations

Monitoring and Clearing IP ACL Statistics

Configuring Object Groups

Session Manager Support for Object Groups

Creating and Changing an IPv4 Address Object Group

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Creating and Changing an IPv6 Address Object Group

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Creating and Changing a Protocol Port Object Group

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Removing an Object Group

Procedure

Example:

Example:

Example: