Configuring IP ACLs
However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
switch(config-acl)# no 101
Moving a rule
With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then remove the original instance of the rule. Because the rule is present in the ACL at all times, the move does not disrupt traffic.
If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns it a sequence number that is 10 greater than the sequence number of the preceding rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.
In addition, Cisco NX-OS allows you to reassign sequence numbers to the rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
Logical Operators and Logical Operation Units
IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. Cisco NX-OS supports logical operators only in the ingress direction.
The device stores operator-operand couples in registers called logical operator units (LOUs). The LOU usage for each type of operator is as follows:
eq       Is never stored in an LOU
gt       Uses 1 LOU
lt       Uses 1 LOU
neq      Uses 1 LOU
range    Uses 1 LOU
IPv4 ACL Logging
The IPv4 ACL logging feature monitors IPv4 ACL flows and logs statistics.
A flow is defined by the source interface, protocol, source IP address, source port, destination IP address, and destination port values. The statistics maintained for a flow include the number of forwarded packets (for each flow that matches the permit conditions of the ACL entry) and dropped packets (for each flow that matches the deny conditions of the ACL entry).
Time Ranges
You can use time ranges to control when an ACL rule is in effect. For example, if the device determines that a particular ACL applies to traffic arriving on an interface, and a rule in the ACL uses a time range that is not in effect, the device does not compare the traffic to that rule. The device evaluates time ranges based on its own clock.
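The following is a worked example added to this page; it is not code from the Cisco guide and it is not an NX-OS API. It is a small Python model of the behaviours described above in one place: sequence-number assignment for a rule entered without a number (last rule plus 10), removal by sequence number, moving a rule by adding the second instance before removing the original, resequencing, the LOU cost of each port operator, time-range gating of individual rules, and the per-flow forwarded/dropped counters kept by IPv4 ACL logging. The names Rule, Packet, IpAcl, port_matches, in_prefix and demo are the author's own. Assumptions not taken from the page: a time range is modelled as a daily start/end window, re-using an existing sequence number is treated as an error, and the implicit deny at the end of every ACL is modelled as a final deny with no sequence number. The sample rules and packets in demo are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# LOU cost per port operator, from the guide's table: eq is never stored in an
# LOU, every other operator consumes one.
LOU_COST = {"eq": 0, "gt": 1, "lt": 1, "neq": 1, "range": 1}


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "tcp" or "udp"
    src: str                          # prefix such as "10.0.0.0/8", or "any"
    dst: str
    dst_port: Optional[Tuple] = None  # ("eq", 22), ("gt", 1023), ("range", 1024, 65535), ...
    time_range: Optional[str] = None  # name of a configured time range


@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_matches(op: Tuple, port: int) -> bool:
    """Apply one of the five logical operators to a destination port."""
    kind = op[0]
    if kind == "eq":
        return port == op[1]
    if kind == "neq":
        return port != op[1]
    if kind == "gt":
        return port > op[1]
    if kind == "lt":
        return port < op[1]
    if kind == "range":
        return op[1] <= port <= op[2]
    raise ValueError(f"unknown operator {kind}")


def in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


class IpAcl:
    """Rule table keyed by sequence number, plus the per-flow logging counters."""

    def __init__(self, name: str):
        self.name = name
        self.rules = {}        # sequence number -> Rule
        self.time_ranges = {}  # name -> (start, end) as datetime.time, daily window (assumption)
        self.flows = {}        # flow key -> {"forwarded": n, "dropped": n}

    def add(self, rule: Rule, seq: Optional[int] = None) -> int:
        if seq is None:  # no number given: append with last sequence number + 10
            seq = max(self.rules) + 10 if self.rules else 10
        if seq in self.rules:  # assumption: a clash is an error in this model
            raise ValueError(f"sequence {seq} already in use")
        self.rules[seq] = rule
        return seq

    def remove(self, seq: int) -> None:  # the "no <seq>" form of removal
        del self.rules[seq]

    def move(self, seq: int, new_seq: int) -> int:
        """Add the second instance first, then remove the original, so the rule
        is never absent from the ACL while it is being moved."""
        self.add(self.rules[seq], new_seq)
        self.remove(seq)
        return new_seq

    def resequence(self, start: int, increment: int) -> list:
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {start + i * increment: r for i, r in enumerate(ordered)}
        return sorted(self.rules)

    def lou_usage(self) -> int:
        return sum(LOU_COST[r.dst_port[0]] for r in self.rules.values() if r.dst_port)

    def _matches(self, r: Rule, p: Packet) -> bool:
        if r.protocol != "ip" and r.protocol != p.protocol:
            return False
        if not (in_prefix(p.src_ip, r.src) and in_prefix(p.dst_ip, r.dst)):
            return False
        return r.dst_port is None or port_matches(r.dst_port, p.dst_port)

    def _log(self, p: Packet, action: str) -> None:
        # Flow key exactly as the guide defines it.
        key = (p.interface, p.protocol, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        stats = self.flows.setdefault(key, {"forwarded": 0, "dropped": 0})
        stats["forwarded" if action == "permit" else "dropped"] += 1

    def evaluate(self, p: Packet, now: datetime):
        for seq in sorted(self.rules):
            r = self.rules[seq]
            if r.time_range:
                start, end = self.time_ranges[r.time_range]
                if not (start <= now.time() < end):
                    continue  # time range not in effect: traffic is not compared to this rule
            if self._matches(r, p):
                self._log(p, r.action)
                return r.action, seq
        self._log(p, "deny")  # implicit deny at the end of the ACL (assumption in this model)
        return "deny", None


def demo():
    """Constructed sample (not a real configuration) walking through the page's cases."""
    acl = IpAcl("acl-01")
    acl.time_ranges["workday"] = (time(8, 0), time(18, 0))
    acl.add(Rule("permit", "tcp", "10.0.0.0/8", "any", ("eq", 22)), seq=100)
    acl.add(Rule("permit", "tcp", "any", "any", ("range", 1024, 65535), "workday"), seq=101)
    appended = acl.add(Rule("deny", "ip", "any", "any"))   # no number: 101 + 10 = 111
    seqs = acl.resequence(100, 10)                          # [100, 110, 120]
    moved = acl.move(110, 105)                              # copy to 105, then "no 110"
    pkt = Packet("Ethernet1/1", "tcp", "10.1.1.5", 40000, "192.0.2.10", 2048)
    day = acl.evaluate(pkt, datetime(2024, 1, 8, 9, 0))     # range rule in effect
    night = acl.evaluate(pkt, datetime(2024, 1, 8, 23, 0))  # range rule skipped
    return appended, seqs, moved, day, night, acl.flows, acl.lou_usage()


if __name__ == "__main__":
    print(demo())
```

On the device itself, the renumbering that resequence models is the NX-OS command resequence ip access-list name starting-sequence-number increment; the model keeps the same rule order and only reassigns the numbers, which is what makes room between contiguously numbered rules. Note that in the model, as on the device, a rule whose time range is out of effect is skipped rather than treated as a deny, so the packet falls through to whatever later rule matches it.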
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x