Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)

Send feedback to nx5000-docfeedback@cisco.com
Chapter 20 Configuring ACLs
Information About ACLs
You can specify any protocol by number. In IPv4 ACLs, you can specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.
Implicit Rules
IP ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the switch applies them to traffic when no other rules in an ACL match.
All IPv4 ACLs include the following implicit rule:
deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
Additional Filtering Options
You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering options:
Layer 4 protocol
TCP and UDP ports
ICMP types and codes
IGMP types
Precedence level
Differentiated Services Code Point (DSCP) value
TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
Established TCP connections
Sequence Numbers
The switch supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the switch. Sequence numbers simplify the following ACL tasks:
Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
switch(config-acl)# no permit tcp 10.0.0.0/8 any
However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
switch(config-acl)# no 101
Moving a rule—With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.