• The time range contains one or more absolute rules—The time range is active if the current time is within
one or more absolute rules.
• The time range contains one or more periodic rules—The time range is active if the current time is within
one or more periodic rules.
• The time range contains both absolute and periodic rules—The time range is active if the current time
is within one or more absolute rules and within one or more periodic rules.
When a time range contains both absolute and periodic rules, the periodic rules can be active only while at
least one absolute rule is active.
Policy-Based ACLs
The device supports policy-based ACLs (PBACLs), which allow you to apply access control policies across
object groups. An object group is a group of IP addresses or a group of TCP or UDP ports. When you create
a rule, you specify the object groups rather than specifying IP addresses or ports.
Using object groups when you configure IPv4 or IPv6 ACLs can help reduce the complexity of updating
ACLs when you need to add or remove addresses or ports from the source or destination of rules. For example,
if three rules reference the same IP address group object, you can add an IP address to the object instead of
changing all three rules.
PBACLs do not reduce the resources required by an ACL when you apply it to an interface. When you apply
a PBACL, or update a PBACL that is already applied, the device expands each rule that refers to object groups
into one ACL entry per object in the group. If a rule specifies both the source and the destination with object
groups, the number of ACL entries created on the I/O module when you apply the PBACL equals the
number of objects in the source group multiplied by the number of objects in the destination group (and,
by the same per-object expansion, by the number of objects in any port group the rule references). Because
every object you add to a group is multiplied into every rule that references it, a few large groups can consume
far more hardware ACL entries than the number of configured rules suggests.
The following object group types apply to port, router, policy-based routing (PBR), and VLAN ACLs:
IPv4 Address Object Groups
Can be used with IPv4 ACL rules to specify source or destination addresses. When you use the permit
or deny command to configure a rule, the addrgroup keyword allows you to specify an object group
for the source or destination.
IPv6 Address Object Groups
Can be used with IPv6 ACL rules to specify source or destination addresses. When you use the permit
or deny command to configure a rule, the addrgroup keyword allows you to specify an object group
for the source or destination.
Protocol Port Object Groups
Can be used with IPv4 and IPv6 TCP and UDP rules to specify source or destination ports. When you
use the permit or deny command to configure a rule, the portgroup keyword allows you to specify an
object group for the source or destination.
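To make the expansion cost concrete, the following is an added example (not code from the Cisco guide and not part of NX-OS): a small Python script that parses a constructed NX-OS-style snippet with two address groups, one port group, and an ACL that references them through the addrgroup and portgroup keywords, then expands each rule into the entries the device would create. The configuration text, the group and ACL names, and the narrow subset of syntax the parser accepts are assumptions made for the example.

```python
"""Expand a policy-based ACL (PBACL) into the individual ACL entries that the
device programs on the I/O module, to make the resource cost of object groups
visible. Added example: this is not code from the Cisco guide or from NX-OS.
The parser covers only the small NX-OS-style subset used in the constructed
snippet below (object-group ip address / ip port, addrgroup / portgroup)."""
import itertools
import re

# Constructed configuration snippet in NX-OS style (assumed syntax, not captured
# from a device): two address groups, one port group, one ACL referencing them.
CONFIG = """
object-group ip address clients
  host 10.1.1.10
  host 10.1.1.11
  10.1.2.0/24
object-group ip address web-servers
  host 192.0.2.10
  192.0.2.32/28
object-group ip port web-ports
  eq 80
  eq 443
  range 8000 8999
ip access-list pbacl-web
  10 permit tcp addrgroup clients addrgroup web-servers portgroup web-ports
  20 permit udp addrgroup clients any eq 53
  30 deny ip any any
"""

GROUP_RE = re.compile(r"object-group ip (address|port) (\S+)$")
ACL_RE = re.compile(r"ip access-list (\S+)$")


def parse_config(text):
    """Return (addr_groups, port_groups, acls): dicts from name to member lines.

    Each indented line under an object group is one object; each indented line
    under an ACL is one rule, kept as written (sequence number first)."""
    addr_groups, port_groups, acls = {}, {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GROUP_RE.match(line):
            table = addr_groups if m.group(1) == "address" else port_groups
            current = table.setdefault(m.group(2), [])
        elif m := ACL_RE.match(line):
            current = acls.setdefault(m.group(1), [])
        elif current is None:
            raise ValueError(f"entry outside any stanza: {line!r}")
        else:
            current.append(line)
    return addr_groups, port_groups, acls


def expand_rule(rule, addr_groups, port_groups):
    """Yield one ACE per combination of group members referenced by a rule.

    Every 'addrgroup NAME' or 'portgroup NAME' token pair becomes a slot with
    one alternative per object; the expansion is the Cartesian product of the
    slots, so a rule with a 3-object source group and a 2-object destination
    group produces 3 * 2 entries (the multiplication described in the guide)."""
    tokens = rule.split()
    slots = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("addrgroup", "portgroup"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} without a group name in: {rule!r}")
            table = addr_groups if tok == "addrgroup" else port_groups
            name = tokens[i + 1]
            if name not in table:
                raise KeyError(f"{tok} {name} referenced but not defined")
            slots.append(table[name])
            i += 2
        else:
            slots.append([tok])
            i += 1
    for combo in itertools.product(*slots):
        yield " ".join(combo)


def expand_acl(acl_name, addr_groups, port_groups, acls):
    """Flatten every rule of an ACL into its expanded entries, in rule order."""
    return [ace for rule in acls[acl_name]
            for ace in expand_rule(rule, addr_groups, port_groups)]


def rule_costs(acl_name, addr_groups, port_groups, acls):
    """Map each rule's sequence number to the number of entries it expands to."""
    return {rule.split()[0]: sum(1 for _ in expand_rule(rule, addr_groups, port_groups))
            for rule in acls[acl_name]}


if __name__ == "__main__":
    groups = parse_config(CONFIG)
    for seq, cost in rule_costs("pbacl-web", *groups).items():
        print(f"rule {seq}: {cost} entries")
    entries = expand_acl("pbacl-web", *groups)
    print(f"total: {len(entries)} entries for {len(groups[2]['pbacl-web'])} configured rules")
```

Running it shows rule 10 alone expanding to 3 × 2 × 3 = 18 entries and the three configured rules costing 22 entries in total; adding a single host to the clients group adds six entries to rule 10 and one to rule 20. On a Nexus 9000 you can compare the modelled count against the hardware usage reported by show system internal access-list resource utilization before and after applying the PBACL.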
Note: Policy-based routing (PBR) ACLs do not support deny access control entries (ACEs); you cannot use the
deny command to configure a rule in a PBR ACL.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring IP ACLs