Configuring IP ACLs
Source and Destination
In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify
both the source and destination as a specific host, a network or group of hosts, or any host.
Protocols
IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify
some protocols by name. For example, in an IPv4 ACL, you can specify ICMP by name.
You can specify any IP protocol by its Internet protocol number (for example, 6 for TCP or 17 for UDP).
Implicit Rules
IP and MAC ACLs have implicit rules. Although these rules do not appear in the running configuration, the
switch applies them, after all of the explicit rules, to traffic that no explicit rule in the ACL matches.
All IPv4 ACLs include the following implicit rule:
deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
All IPv6 ACLs include the following implicit rule:
deny ipv6 any any
All MAC ACLs include the following implicit rule:
deny any any
This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in
the Layer 2 header of the traffic.
Additional Filtering Options
You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering
options:
• Layer 4 protocol
• TCP and UDP ports
• IGMP types
• Established TCP connections
Sequence Numbers
The Cisco Nexus device supports sequence numbers for rules. Every rule that you enter receives a sequence
number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the
following ACL tasks:
• Adding new rules between existing rules—By specifying the sequence number, you specify where in
the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered
100 and 110, you could assign a sequence number of 105 to the new rule.
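The following is an added example, not code from the Cisco Nexus guide or from NX-OS, that models the behavior described in the Implicit Rules and Sequence Numbers sections (and the protocol-number and established options) so that it can be exercised offline: rules are parsed from a constructed, NX-OS-like text syntax, evaluated in ascending sequence-number order with first-match semantics, and unmatched traffic falls through to the implicit deny ip any any. The default sequence increment of 10 used for automatic numbering, the rule syntax accepted by the parser, and the sample rules are assumptions for this example.

```python
"""Offline evaluator for NX-OS-style IPv4 ACL rules (added example, not NX-OS code).

Models first-match evaluation in sequence-number order, automatic and explicit
sequence numbers, and the implicit 'deny ip any any' applied when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol keywords accepted by the parser. The integers are the IANA protocol
# numbers (1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP); "ip" matches any IP protocol.
PROTOCOL_NAMES = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
DEFAULT_INCREMENT = 10  # assumed automatic sequence-number step for this example


@dataclass
class Rule:
    seq: int
    action: str                # "permit" or "deny"
    proto: Optional[int]       # None = any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None = any destination port
    established: bool          # match only TCP segments that are part of an established connection


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(text):
    """Parse e.g. '10 permit tcp 10.0.0.0/24 any eq 443 established' (constructed syntax)."""
    tokens = text.split()
    seq = int(tokens.pop(0))
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    proto_tok = tokens.pop(0)
    # Protocol by name, or by Internet protocol number when given as an integer.
    proto = PROTOCOL_NAMES[proto_tok] if proto_tok in PROTOCOL_NAMES else int(proto_tok)
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    dport, established = None, False
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq":
            dport = int(tokens.pop(0))
        elif tok == "established":
            established = True
        else:
            raise ValueError(f"unsupported option {tok!r}")
    return Rule(seq, action, proto, src, dst, dport, established)


class IPv4Acl:
    def __init__(self):
        self.rules = {}  # seq -> Rule; evaluated in ascending sequence order

    def add(self, text, seq=None):
        """Add a rule and return its sequence number. Without an explicit number,
        assign the next multiple of DEFAULT_INCREMENT above the highest existing one."""
        if seq is None:
            seq = (max(self.rules, default=0) // DEFAULT_INCREMENT + 1) * DEFAULT_INCREMENT
        if seq in self.rules:
            raise ValueError(f"sequence number {seq} already in use")
        self.rules[seq] = parse_rule(f"{seq} {text}")
        return seq

    def evaluate(self, proto, src, dst, dport=None, ack=False):
        """Return (action, seq) of the first matching rule, or ('deny', None)
        when only the implicit 'deny ip any any' applies."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq in sorted(self.rules):
            r = self.rules[seq]
            if r.proto is not None and r.proto != proto:
                continue
            if s not in r.src or d not in r.dst:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            if r.established and not (proto == 6 and ack):
                continue
            return r.action, seq
        return "deny", None  # implicit rule: nothing explicit matched
```

Inserting a rule numbered 105 into an ACL that already has 100 and 110 places it between them, and a packet that previously fell through to rule 110 is then decided by 105; traffic that matches no explicit rule, such as ICMP when only TCP and UDP rules exist, returns the implicit deny with no sequence number, which is what the absence of the rule from the running configuration looks like in practice.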
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x