Configuring IP ACLs
• The time range contains one or more absolute rules—The time range is active if the current time is within one or more absolute rules.
• The time range contains one or more periodic rules—The time range is active if the current time is within one or more periodic rules.
• The time range contains both absolute and periodic rules—The time range is active if the current time is within one or more absolute rules and within one or more periodic rules.
When a time range contains both absolute and periodic rules, the periodic rules can only be active when at least one absolute rule is active.
Policy-Based ACLs
The device supports policy-based ACLs (PBACLs), which allow you to apply access control policies across object groups. An object group is a group of IP addresses or a group of TCP or UDP ports. When you create a rule, you specify the object groups rather than specifying IP addresses or ports.
Using object groups when you configure IPv4 or IPv6 ACLs can help reduce the complexity of updating ACLs when you need to add or remove addresses or ports from the source or destination of rules. For example, if three rules reference the same IP address group object, you can add an IP address to the object instead of changing all three rules.
PBACLs do not reduce the resources required by an ACL when you apply it to an interface. When you apply a PBACL or update a PBACL that is already applied, the device expands each rule that refers to object groups into one ACL entry per object within the group. If a rule specifies the source and destination both with object groups, the number of ACL entries created on the I/O module when you apply the PBACL is equal to the number of objects in the source group multiplied by the number of objects in the destination group.
The following object group types apply to port, router, policy-based routing (PBR), and VLAN ACLs:
IPv4 Address Object Groups
Can be used with IPv4 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.
IPv6 Address Object Groups
Can be used with IPv6 ACL rules to specify source or destination addresses. When you use the permit or deny command to configure a rule, the addrgroup keyword allows you to specify an object group for the source or destination.
Protocol Port Object Groups
Can be used with IPv4 and IPv6 TCP and UDP rules to specify source or destination ports. When you use the permit or deny command to configure a rule, the portgroup keyword allows you to specify an object group for the source or destination.
Note
Policy-based routing (PBR) ACLs do not support deny access control entries (ACEs) or deny commands to configure a rule.
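The rule expansion described above, as an added illustration that is not part of the guide or of NX-OS: it models how one PBACL rule that references address and port object groups becomes one hardware entry per combination of objects, so an operator can estimate the I/O module entries an ACL will consume before applying it. The group names, addresses and the dict-based rule format are constructed for the example; applying the same per-object expansion to a port group (in addition to the source and destination groups) extends the guide's source-times-destination statement.

```python
from itertools import product

# Constructed sample object groups (hypothetical names and addresses, not from the guide).
ADDR_GROUPS = {
    "web-servers": ["10.1.1.10/32", "10.1.1.11/32", "10.1.1.12/32"],
    "mgmt-hosts": ["192.0.2.5/32", "192.0.2.6/32"],
}
PORT_GROUPS = {
    "web-ports": ["80", "443"],
}

def _members(field, groups):
    """Resolve one rule field: ('addrgroup', name) or ('portgroup', name) expands to
    the group's objects; a literal (prefix, 'any', or port) stays a single value."""
    if isinstance(field, tuple):
        _kind, name = field
        if name not in groups:
            raise KeyError(f"object group {name!r} is not defined")
        return list(groups[name])
    return [field]

def expand_rule(rule, addr_groups=ADDR_GROUPS, port_groups=PORT_GROUPS):
    """Expand one PBACL rule into the ACEs programmed on the I/O module:
    one entry per (source object, destination object, port object) combination."""
    srcs = _members(rule["src"], addr_groups)
    dsts = _members(rule["dst"], addr_groups)
    ports = _members(rule["dst_port"], port_groups) if "dst_port" in rule else [None]
    aces = []
    for src, dst, port in product(srcs, dsts, ports):
        ace = f"{rule['action']} {rule['proto']} {src} {dst}"
        if port is not None:
            ace += f" eq {port}"
        aces.append(ace)
    return aces

def tcam_entries(rules, addr_groups=ADDR_GROUPS, port_groups=PORT_GROUPS):
    """Total hardware entries an ACL consumes once every PBACL rule is expanded."""
    return sum(len(expand_rule(r, addr_groups, port_groups)) for r in rules)

if __name__ == "__main__":
    rule = {"action": "permit", "proto": "tcp",
            "src": ("addrgroup", "mgmt-hosts"),
            "dst": ("addrgroup", "web-servers"),
            "dst_port": ("portgroup", "web-ports")}
    for ace in expand_rule(rule):
        print(ace)
    print("entries:", tcam_entries([rule]))  # 2 x 3 x 2 = 12
```

Adding one address to web-servers would grow this single rule by four entries, which is the resource cost the guide warns PBACLs do not remove.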
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x