Configuring IP ACLs
• Egress ACLs are not supported for Cisco Nexus 9508 switches with the N9K-X9636C-R,
N9K-X9636C-RX, and N9K-X9636Q-R line cards.
• An RACL applied on a Layer 3 physical or logical interface does not match multicast traffic. If multicast
traffic must be blocked, use a PACL instead. This behavior applies to Cisco Nexus 9200, 9300, 9300-EX,
and 9500 Series switches and Cisco Nexus 3164Q, 31128PQ, 3232C, and 3264Q switches.
• For Network Forwarding Engine (NFE)-enabled switches, ingress RACLs matching the tunnel interface's
outer header are not supported.
• If the same QoS policy and ACL are applied to multiple interfaces, the label will be shared only when
the QoS policy is applied with the no-stats option.
• The switch hardware does not support range checks (Layer 4 operations) in the egress TCAM. Therefore,
ACL and QoS policies with a Layer 4 operations-based classification need to be expanded to multiple
entries in the egress TCAM. Make sure to consider this limitation for egress TCAM space planning.
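The expansion mentioned above is the usual prefix-expansion of a port range: a TCAM entry can only match a value under a bit mask, so a range such as 1024-65535 has to be split into several value/mask pairs, and an ACE with a range on both source and destination port expands to the product of the two counts. The following is an added example, not code from the Cisco guide; it implements the generic algorithm, and the exact number of entries a given line card burns for a range is an assumption you should confirm with show commands on your own platform.

```python
"""Added example (not from the Cisco NX-OS guide): expand a Layer 4 port range
into the value/mask entries a TCAM needs when it cannot do range checks."""

PORT_BITS = 16


def port_range_to_prefixes(lo, hi, width=PORT_BITS):
    """Return a list of (value, mask) pairs that together match exactly lo..hi.

    Each pair matches every port p for which (p & mask) == value. This is the
    standard prefix-expansion algorithm; how many entries a particular ASIC
    actually consumes is an assumption, not a figure from the guide.
    """
    if not (0 <= lo <= hi < (1 << width)):
        raise ValueError("port range out of bounds")
    full = (1 << width) - 1
    entries = []
    cur = lo
    while cur <= hi:
        # grow the aligned block starting at cur while it stays inside lo..hi
        size = 1
        while size < (1 << width):
            nxt = size * 2
            if cur % nxt != 0 or cur + nxt - 1 > hi:
                break
            size = nxt
        low_bits = size.bit_length() - 1          # don't-care bits
        mask = full & ~((1 << low_bits) - 1)
        entries.append((cur, mask))
        cur += size
    return entries


def matches(port, entries):
    """True if any (value, mask) entry matches the port."""
    return any((port & mask) == value for value, mask in entries)


def verify_expansion(lo, hi, width=PORT_BITS):
    """Exhaustively check that the expansion matches lo..hi and nothing else."""
    entries = port_range_to_prefixes(lo, hi, width)
    return all(matches(p, entries) == (lo <= p <= hi) for p in range(1 << width))


def tcam_entries_for_ace(src_range=None, dst_range=None):
    """Entries one ACE needs: the product of its source and destination
    expansions (a missing range costs a single entry)."""
    count = 1
    for rng in (src_range, dst_range):
        if rng is not None:
            count *= len(port_range_to_prefixes(*rng))
    return count


if __name__ == "__main__":
    # Constructed sample: "permit tcp any range 1024 65535 any range 8000 8100"
    for value, mask in port_range_to_prefixes(1024, 65535):
        print(f"value={value:5d} mask=0x{mask:04X}")
    print("entries for the ACE:", tcam_entries_for_ace((1024, 65535), (8000, 8100)))
```

Run it against your planned egress policies to estimate TCAM usage before committing a region carve; the point to notice is that a single "range" ACE on both ports can silently cost dozens of egress entries.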
• TCAM resources are shared in the following scenarios:
  • When a routed ACL is applied to multiple switched virtual interfaces (SVIs) in the ingress direction
  • When a routed ACL is applied to multiple physical Layer 3 interfaces in the ingress or egress
direction
• TCAM resources are not shared in the following scenarios:
  • A VACL (VLAN ACL) is applied to multiple VLANs.
  • A routed ACL is applied to multiple SVIs in the egress direction.
• ACL matching on HTTP methods is not supported on FEX ports.
• The mode tap-aggregation command is not required for TAP aggregation unless it is used with MPLS
stripping. However, HTTP methods are not supported after MPLS packets have been stripped.
• The following guidelines and limitations apply to Cisco Nexus 9200 and 9300-EX Series switches:
  • Egress MAC ACLs are not supported.
  • Egress RACLs are not supported on an interface if the packet matches the tunnel interface's outer
header on the device where the tunnel is originating the traffic.
  • Ingress RACLs matching the tunnel interface's outer header are not supported.
  • IP length-based matches are not supported.
  • Not all ACL-based features can be enabled at the same time.
  • 16 Layer 4 operations are supported.
  • Layer 4 operations are not supported on egress TCAM regions.
  • The MAC compression table size is 4096 + 512 overflow TCAM.
  • An overlap of MAC addresses and MAC masks will be rejected.
  • The ACL log rate limiter does not have any hardware counters for transmitted or dropped packets.
  • The ACL log rate limiter is implemented at the per-TCAM entry level (instead of using aggregated
rate limiting), and the default is 1 pps.
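Because the log rate limiter is applied per TCAM entry rather than across all log-enabled ACEs, the rate of packets punted to the supervisor for logging scales with the number of matching entries, and since there are no hardware counters you cannot read the logged/dropped split from the switch. The following added example (not from the Cisco guide) models both behaviours over a constructed packet stream so the difference is visible; the simple one-message-per-interval limiter and the traffic mix are assumptions for illustration, not a description of the ASIC.

```python
"""Added example (not from the Cisco NX-OS guide): compare per-TCAM-entry ACL
log rate limiting with a single aggregate limiter over a constructed stream."""


def build_sample_stream(entries=100, pps_per_entry=10, seconds=5):
    """Constructed traffic: every log-enabled entry is hit pps_per_entry times
    per second for `seconds` seconds. Returns (timestamp_ms, entry_id) tuples
    sorted by time, as the ASIC would see them."""
    step_ms = 1000 // pps_per_entry
    packets = [
        (s * 1000 + k * step_ms, entry)
        for s in range(seconds)
        for k in range(pps_per_entry)
        for entry in range(entries)
    ]
    packets.sort()
    return packets


def simulate_acl_logging(packets, rate_pps=1, per_entry=True):
    """Return (logged, dropped) for packets that hit log-enabled ACEs.

    per_entry=True gives each TCAM entry its own limiter (the behaviour the
    guide describes, default 1 pps); per_entry=False uses one limiter for all
    entries. The limiter itself is a simplified model: at most one log message
    per 1000/rate_pps milliseconds per key.
    """
    interval_ms = 1000 // rate_pps
    last_logged = {}
    logged = dropped = 0
    for ts, entry in packets:
        key = entry if per_entry else "aggregate"
        if key not in last_logged or ts - last_logged[key] >= interval_ms:
            last_logged[key] = ts
            logged += 1
        else:
            dropped += 1
    return logged, dropped


def punt_rate_pps(packets, rate_pps=1, per_entry=True):
    """Average log messages per second the supervisor receives."""
    logged, _ = simulate_acl_logging(packets, rate_pps, per_entry)
    duration_s = (packets[-1][0] - packets[0][0]) // 1000 + 1
    return logged / duration_s


if __name__ == "__main__":
    stream = build_sample_stream()
    print("per-entry :", simulate_acl_logging(stream, per_entry=True),
          punt_rate_pps(stream, per_entry=True), "pps")
    print("aggregate :", simulate_acl_logging(stream, per_entry=False),
          punt_rate_pps(stream, per_entry=False), "pps")
```

With 100 log-enabled entries the per-entry model punts 100 log messages per second while an aggregate limiter would punt one, which is why the number of ACEs carrying the log keyword, not just the configured pps, decides the control-plane load.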
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Guidelines and Limitations for IP ACLs
231