Prerequisites for IP ACLs; Guidelines and Limitations for IP ACLs - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x
Configuring IP ACLs

Prerequisites for IP ACLs

IP ACLs have the following prerequisites:
• You must be familiar with IP addressing and protocols to configure IP ACLs.
• You must be familiar with the interface types that you want to configure with ACLs.

Guidelines and Limitations for IP ACLs

IP ACLs have the following configuration guidelines and limitations:
• We recommend that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This is especially useful for ACLs that include more than 1000 rules. For more information about Session Manager, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.
• Configuring IPv4 PACLs in the range of 12k to 64k is supported on Cisco Nexus 9500 Series switches with -RX line cards.
• Duplicate ACL entries with different sequence numbers are allowed in the configuration. However, these duplicate entries are not programmed in the hardware access-list.
• Only 62 unique ACLs can be configured. Each ACL takes one label. If the same ACL is configured on multiple interfaces, the same label is shared. If each ACL has unique entries, the ACL labels are not shared, and the label limit is 62.
• In most cases, ACL processing for IP packets occurs on the I/O modules, which use hardware that accelerates ACL processing. In some circumstances, processing occurs on the supervisor module, which can result in slower ACL processing, especially during processing that involves an ACL with a large number of rules. Management interface traffic is always processed on the supervisor module. If IP packets in any of the following categories are exiting a Layer 3 interface, they are sent to the supervisor module for processing:
  • Packets that fail the Layer 3 maximum transmission unit check and therefore require fragmenting.
  • IPv4 packets that have IP options (additional IP packet header fields following the destination address field).
  • IPv6 packets that have extended IPv6 header fields.
  Rate limiters prevent redirected packets from overwhelming the supervisor module.
• When you apply an ACL that uses time ranges, the device updates the ACL entries whenever a time range referenced in an ACL entry starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.
• To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally. For more information about VLAN interfaces, see the Cisco Nexus 9000 Series NX-OS Interfaces Configuration Guide.
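Two of the guidelines above describe conditions the switch accepts silently: duplicate entries that differ only in sequence number are kept in the configuration but never programmed in hardware, and every applied ACL consumes one of 62 labels. The following Python script is an added example, not part of this guide or of NX-OS; it lints a constructed running-config fragment offline for both conditions before the configuration is committed. It assumes that one label is consumed per distinct ACL name bound to at least one interface (the same ACL on several interfaces sharing a label, as stated above); the ACL names, addresses and interfaces in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed NX-OS running-config fragment (not captured from a real device).
# mgmt-in deliberately contains two entries that differ only by sequence number.
SAMPLE_CONFIG = """
ip access-list web-in
  10 permit tcp any 10.0.0.0/24 eq 443
  20 permit tcp any 10.0.0.0/24 eq 80
  30 deny ip any any
ip access-list mgmt-in
  10 permit tcp 192.168.1.0/24 any eq 22
  15 permit tcp 192.168.1.0/24 any eq 22
  20 deny ip any any
interface Ethernet1/1
  ip access-group web-in in
interface Ethernet1/2
  ip access-group web-in in
interface mgmt0
  ip access-group mgmt-in in
"""

LABEL_LIMIT = 62  # guideline: only 62 unique ACLs (labels) can be configured

ACE_RE = re.compile(r"^(\d+)\s+(permit|deny|remark)\s+(.*)$")


def parse_config(text):
    """Return (acls, bindings).

    acls maps ACL name -> list of (sequence, normalised rule text);
    bindings maps ACL name -> set of interfaces it is applied to.
    """
    acls = {}
    bindings = defaultdict(set)
    current_acl = current_intf = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^ip access-list (\S+)$", line)
        if m:
            current_acl, current_intf = m.group(1), None
            acls.setdefault(current_acl, [])
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current_intf, current_acl = m.group(1), None
            continue
        if current_acl is not None:
            m = ACE_RE.match(line)
            if m and m.group(2) != "remark":  # remarks never reach hardware anyway
                rule = m.group(2) + " " + re.sub(r"\s+", " ", m.group(3))
                acls[current_acl].append((int(m.group(1)), rule))
        elif current_intf is not None:
            m = re.match(r"^ip access-group (\S+) (in|out)$", line)
            if m:
                bindings[m.group(1)].add(current_intf)
    return acls, dict(bindings)


def find_duplicate_aces(acls):
    """Entries identical except for sequence number: kept in config, not programmed in hardware."""
    dups = {}
    for name, entries in acls.items():
        first_seen = {}
        for seq, rule in entries:
            if rule in first_seen:
                dups.setdefault(name, []).append((first_seen[rule], seq, rule))
            else:
                first_seen[rule] = seq
    return dups


def count_labels(acls, bindings):
    """Assumption: one label per distinct ACL name bound to at least one interface."""
    return sum(1 for name, intfs in bindings.items() if name in acls and intfs)


def lint(text):
    """Run both checks and return human-readable findings."""
    acls, bindings = parse_config(text)
    findings = []
    for name, pairs in find_duplicate_aces(acls).items():
        for first, later, rule in pairs:
            findings.append(f"{name}: seq {later} duplicates seq {first} ({rule}); "
                            f"it will not be programmed in hardware")
    used = count_labels(acls, bindings)
    findings.append(f"ACL labels in use: {used} of {LABEL_LIMIT}")
    if used > LABEL_LIMIT:
        findings.append("label limit exceeded: reduce the number of distinct applied ACLs")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run the script against `show running-config aclmgr` output saved to a file to get the same report for a real device; the duplicate check is the one that matters operationally, because the CLI accepts the second entry without complaint and the operator otherwise has no indication that it is absent from the hardware access-list.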
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Page 229
