Cisco Nexus 9000 Series - About Rules; Protocols for IP ACLs and MAC ACLs
Figure 8: ACLs and Packet Flow
The following figure shows where the device applies ACLs, depending upon the type of ACL. The red path
indicates a packet sent to a destination on a different interface than its source. The blue path indicates a packet
that is bridged within its VLAN.
The device applies only the ACLs that are applicable to a given packet. For example, if the ingress port is a Layer 2 port and the traffic is on a VLAN that has a VLAN interface (SVI), both a port ACL and a router ACL can apply. If a VACL is also applied to that VLAN, the device applies it as well.
About Rules
Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules
appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL
that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running
configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure
the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using
object groups when you configure rules.
You can create rules in access-list configuration mode by using the permit or deny command. The device
allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny
rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.
This section describes some of the options that you can use when you configure a rule.
Protocols for IP ACLs and MAC ACLs
IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify
some protocols by name. For example, in an IPv4 or IPv6 ACL, you can specify ICMP by name.
You can specify any protocol by number. In MAC ACLs, you can specify protocols by the EtherType number
of the protocol, which is a hexadecimal number. For example, you can use 0x0800 to specify IP traffic in a
MAC ACL rule.
In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number (for example, 6 for TCP or 17 for UDP).
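The following added example, which is not code from the guide or from NX-OS itself, is a small evaluator that mirrors the rule semantics described in the two sections above: rules are ordered by sequence number, a permit or deny is chosen by the first rule whose criteria match, a packet that matches nothing hits the implicit deny, an IP rule may name its protocol (icmp, tcp, udp, ip) or give the IANA protocol number, and a MAC rule may give the EtherType as a name or as a hexadecimal number such as 0x0800. The rule strings use a deliberately simplified NX-OS-like syntax (no port operators, no object groups), the protocol and EtherType tables are a hypothetical subset, and the sample ACLs are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol names this toy accepts, mapped to IANA protocol numbers
# (hypothetical subset for illustration; "ip" means any IPv4 protocol).
IP_PROTO_BY_NAME = {"icmp": 1, "tcp": 6, "udp": 17}
# EtherType names for the MAC ACL side; numeric 0xNNNN tokens are also accepted.
ETHERTYPE_BY_NAME = {"ip": 0x0800, "arp": 0x0806, "ipv6": 0x86DD}


def parse_ip_protocol(token: str) -> Optional[int]:
    """Protocol by name or decimal number (0-255); None means 'any protocol'."""
    if token == "ip":
        return None
    if token in IP_PROTO_BY_NAME:
        return IP_PROTO_BY_NAME[token]
    if token.isdigit() and 0 <= int(token) <= 255:
        return int(token)
    raise ValueError(f"unknown IP protocol {token!r}")


def parse_ethertype(token: str) -> Optional[int]:
    """EtherType by name or 0xNNNN hex token; None means 'any EtherType'."""
    if token == "any":
        return None
    if token in ETHERTYPE_BY_NAME:
        return ETHERTYPE_BY_NAME[token]
    if token.lower().startswith("0x"):
        value = int(token, 16)
        if 0 <= value <= 0xFFFF:
            return value
    raise ValueError(f"unknown EtherType {token!r}")


def parse_prefix(token: str) -> ipaddress.IPv4Network:
    """'any' or an address/prefix such as 10.0.0.0/24."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


@dataclass
class IpRule:
    seq: int
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None = any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto: int, src: str, dst: str) -> bool:
        return ((self.proto is None or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def parse_ip_acl(lines):
    """Parse '<seq> permit|deny <proto> <src> <dst>' lines, ordered by sequence number."""
    rules = []
    for line in lines:
        seq, action, proto, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        rules.append(IpRule(int(seq), action, parse_ip_protocol(proto),
                            parse_prefix(src), parse_prefix(dst)))
    return sorted(rules, key=lambda r: r.seq)


def evaluate_ip_acl(rules, proto: int, src: str, dst: str) -> str:
    """First matching rule wins; a packet that matches no rule hits the implicit deny."""
    for rule in rules:
        if rule.matches(proto, src, dst):
            return rule.action
    return "deny"


def evaluate_mac_acl(lines, ethertype: int) -> str:
    """MAC ACL reduced to its EtherType criterion: '<seq> permit|deny any any <ethertype>'."""
    parsed = []
    for line in lines:
        seq, action, _src, _dst, etype = line.split()
        parsed.append((int(seq), action, parse_ethertype(etype)))
    for _seq, action, etype in sorted(parsed, key=lambda r: r[0]):
        if etype is None or etype == ethertype:
            return action
    return "deny"


# Constructed sample ACLs in the simplified syntax (not a real device configuration).
SAMPLE_IP_ACL = parse_ip_acl([
    "10 permit icmp any any",          # protocol by name
    "20 permit tcp 10.1.0.0/16 any",   # TCP from one site
    "30 deny 17 any 10.2.0.0/24",      # UDP given by protocol number 17
    "40 permit ip any any",
])
SAMPLE_MAC_ACL = [
    "10 permit any any 0x0806",   # ARP by EtherType
    "20 deny any any 0x0800",     # IPv4 by EtherType
]

if __name__ == "__main__":
    print(evaluate_ip_acl(SAMPLE_IP_ACL, 17, "10.1.2.3", "10.2.0.9"))   # deny (rule 30)
    print(evaluate_mac_acl(SAMPLE_MAC_ACL, 0x86DD))                      # deny (implicit)
```

The two things worth noticing when reading the output are that rule 30 only catches UDP because the number 17 is normalized to the same value the name "udp" would produce, and that the IPv6 frame (0x86DD) is denied by the MAC ACL even though no rule names it, which is the implicit deny at the end of every ACL.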
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x