CHAPTER 10
Configuring IP ACLs
This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS devices.
Unless otherwise specified, the term IP ACL refers to IPv4 and IPv6 ACLs.
This chapter includes the following sections:
• About ACLs, on page 213
• Licensing Requirements for IP ACLs, on page 228
• Prerequisites for IP ACLs, on page 229
• Guidelines and Limitations for IP ACLs, on page 229
• Default Settings for IP ACLs, on page 233
• Configuring IP ACLs, on page 233
• Verifying the IP ACL Configuration, on page 267
• Monitoring and Clearing IP ACL Statistics, on page 269
• Configuration Examples for IP ACLs, on page 269
• About System ACLs, on page 270
• Configuring Object Groups, on page 274
• Verifying the Object-Group Configuration, on page 279
• Configuring Time-Ranges, on page 279
• Verifying the Time-Range Configuration, on page 284
• Additional References for IP ACLs, on page 284
About ACLs
An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that
a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests
the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted
or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing
packets that are permitted and drops packets that are denied.
You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example,
you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also
use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an
IP ACL.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
213
To Next Page
Loading...
