Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)

Send feedback to nx5000-docfeedback@cisco.com
Chapter 20 Configuring ACLs
Information About ACLs
Application Order
When the switch processes a packet, it determines the forwarding path of the packet. The path
determines which ACLs the switch applies to the traffic. The switch applies the port ACLs first.
Rules
You can create rules in access-list configuration mode by using the permit or deny command. The
switch allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria
in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match
the rule.
This section includes the following topics:
Source and Destination, page 20-2
Protocols, page 20-2
Implicit Rules, page 20-3
Additional Filtering Options, page 20-3
Sequence Numbers, page 20-3
Logical Operators and Logical Operation Units, page 20-4
Source and Destination
In each rule, you specify the source and the destination of the traffic that matches the rule. You can
specify both the source and destination as a specific host, a network or group of hosts, or any host.
Protocols
ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols
by name. For example, in an IPv4 ACL, you can specify ICMP by name.
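As an added example, not taken from this guide, the following IPv4 ACL shows the permit and deny commands with a specific host, a network, and any host as source or destination, and names ICMP by protocol. The ACL name, addresses and sequence numbers are assumed values, and the interface-independent syntax shown is the NX-OS access-list configuration mode described above:

```text
! Added example (not from the guide): ACL name, addresses and sequence numbers are assumed
switch# configure terminal
switch(config)# ip access-list acl-mgmt-in
! Rule 10: permit SSH from one specific host to a whole network
switch(config-acl)# 10 permit tcp host 10.1.1.5 10.1.2.0/24 eq 22
! Rule 20: permit ICMP, specified by protocol name, from the network to any host
switch(config-acl)# 20 permit icmp 10.1.2.0/24 any
! Rule 30: deny all IP traffic sourced from an untrusted network, whatever the destination
switch(config-acl)# 30 deny ip 192.168.50.0/24 any
! Per-entry hit counters make it possible to verify which rule a packet matched
switch(config-acl)# statistics per-entry
switch(config-acl)# exit
! Verify the rules and their sequence numbers before applying the ACL anywhere
switch(config)# show ip access-lists acl-mgmt-in
```

Rules are evaluated in sequence-number order, so the more specific permit rules are given lower numbers than the broad deny; traffic that matches none of the configured rules is handled by the ACL's implicit rules (see Implicit Rules, page 20-3).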
Table 20-1 Security ACL Applications

Application: Port ACL
Supported Interfaces: An ACL is considered a port ACL when you apply it to one of the
following:
  - Ethernet interface
  - Ethernet port-channel interface
  When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the
  trunk port.
Types of ACLs Supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs

Application: VLAN ACL (VACL)
Supported Interfaces: An ACL is a VACL when you use an access map to associate the ACL with
an action, and then apply the map to a VLAN.
Types of ACLs Supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs
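As an added example, not taken from this guide, the following configuration applies one IPv4 ACL in both ways listed in Table 20-1: as a port ACL on an access port and on a trunk port, and as a VACL through an access map. The ACL name (assumed to exist already), interface numbers, VLAN number and map name are assumed values:

```text
! Added example (not from the guide): ACL name, interfaces, VLAN and map name are assumed
! Port ACL: apply the IPv4 ACL inbound on an Ethernet interface
switch(config)# interface ethernet 1/1
switch(config-if)# ip port access-group acl-mgmt-in in
switch(config-if)# exit
! On a trunk port the same port ACL filters traffic on every VLAN carried by the trunk
switch(config)# interface ethernet 1/2
switch(config-if)# switchport mode trunk
switch(config-if)# ip port access-group acl-mgmt-in in
switch(config-if)# exit
! VACL: an access map pairs the ACL with an action, then the map is applied to a VLAN
switch(config)# vlan access-map vacl-vlan10 10
switch(config-access-map)# match ip address acl-mgmt-in
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan filter vacl-vlan10 vlan-list 10
! Review every ACL application in one place
switch(config)# show running-config aclmgr
```

Because the switch applies port ACLs first, a packet arriving on ethernet 1/1 is filtered by the port ACL before the VACL on VLAN 10 sees it; when troubleshooting a drop, check the port ACL counters before the access map.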