• Precedence level
• Differentiated Services Code Point (DSCP) value
• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
• Established TCP connections
• Packet length
• IPv6 ACLs support the following additional filtering options:
• Layer 4 protocol
• Encapsulating Security Payload
• Payload Compression Protocol
• Stream Control Transmission Protocol (SCTP)
• SCTP, TCP, and UDP ports
• ICMP types and codes
• DSCP value
• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
• Established TCP connections
• Packet length
• MAC ACLs support the following additional filtering options:
• Layer 3 protocol (Ethertype)
• VLAN ID
• Class of Service (CoS)
Sequence Numbers
The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either
assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL
tasks:
Adding new rules between existing rules
By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For
example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence
number of 105 to the new rule.
Removing a rule
Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
switch(config-acl)# no permit tcp 10.0.0.0/8 any
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
218
Configuring IP ACLs
Sequence Numbers
To Next Page
Loading...
