Configuring IP ACLs - Cisco Nexus 5000 Series CLI Configuration Manual

Configuring IP ACLs

Send feedback to nx5000-docfeedback@cisco.com
If you enter a rule without a sequence number, the switch adds the rule to the end of the ACL and assigns it a sequence number 10 greater than that of the preceding rule. For example, if the last rule in an ACL has sequence number 225 and you add a rule without a sequence number, the switch assigns the new rule sequence number 235.

In addition, the Nexus 5000 Series switch allows you to reassign sequence numbers to the rules in an ACL. Resequencing is useful when an ACL has contiguously numbered rules, such as 100 and 101, and you need to insert one or more rules between them.
Logical Operators and Logical Operation Units
IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. The switch stores operator-operand couples in registers called logical operator units (LOUs). A couple that uses the eq operator is never stored in an LOU. The range operation is inclusive of its boundary values.
The following guidelines determine when the switch stores operator-operand couples in LOUs:

If the operator or operand differs from the operator-operand couples used in other rules, the couple is stored in an LOU. For example, the operator-operand couples gt 10 and gt 11 would be stored separately in half an LOU each. The couples gt 10 and lt 10 would also be stored separately.

Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of them is applied to a source port and the other is applied to a destination port. For example, if a rule applies the operator-operand couple gt 10 to a source port and another rule applies a gt 10 couple to a destination port, each couple is stored in half an LOU, resulting in the use of one whole LOU. Any additional rules using a gt 10 couple would not result in further LOU usage.

Configuring IP ACLs
This section includes the following topics:
Creating an IP ACL, page 1-5
Changing an IP ACL, page 1-5
Removing an IP ACL, page 1-6
Changing Sequence Numbers in an IP ACL, page 1-7
Applying an IP ACL as a Port ACL, page 1-7
Applying an IP ACL as a VACL, page 1-8
Verifying IP ACL Configurations, page 1-9
Displaying and Clearing IP ACL Statistics, page 1-9

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, Chapter 1 Configuring ACLs, OL-16597-01, page 1-4
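The sequence-number and LOU rules above are easy to get wrong when auditing an ACL for TCAM headroom, so the following is an added Python model of them (example code written for this page, not Cisco software and not the switch's actual implementation). It assumes that an empty ACL's first rule receives sequence number 10, that re-using an existing sequence number is rejected rather than overwriting the rule, and that a range couple costs half an LOU like any other non-eq couple; the guide states none of these three points, so they are labelled as assumptions in the code. The ACL names and prefixes are constructed sample data.

```python
# Added example, not Cisco's code: models how NX-OS assigns IP ACL sequence
# numbers, resequences them, and accounts for logical operator units (LOUs),
# following the rules stated in the configuration guide.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Couple = Tuple  # an operator-operand couple, e.g. ("gt", 1023) or ("range", 20, 30)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: str                         # source prefix, e.g. "10.0.0.0/24" or "any"
    dst: str                         # destination prefix
    src_op: Optional[Couple] = None  # couple applied to the source port
    dst_op: Optional[Couple] = None  # couple applied to the destination port
    seq: Optional[int] = None        # None = let the switch pick the number


class IpAcl:
    FIRST_SEQ = 10  # assumption: first rule of an empty ACL gets 10 (guide only states "+10")

    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> int:
        """Add a rule; without a sequence number it goes at the end with last + 10."""
        if rule.seq is None:
            rule.seq = self.rules[-1].seq + 10 if self.rules else self.FIRST_SEQ
        elif any(r.seq == rule.seq for r in self.rules):
            # Modeling choice (not from the guide): refuse to overwrite an existing rule.
            raise ValueError(f"sequence {rule.seq} already used in {self.name}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)  # rules are always kept in sequence order
        return rule.seq

    def resequence(self, start: int, step: int) -> List[int]:
        """Renumber every rule as start, start+step, ... and return the new numbers."""
        for i, r in enumerate(self.rules):
            r.seq = start + i * step
        return [r.seq for r in self.rules]

    def lou_halves(self) -> int:
        """Count the distinct stored couples; each one occupies half an LOU."""
        stored = set()
        for r in self.rules:
            for position, couple in (("src", r.src_op), ("dst", r.dst_op)):
                if couple is None or couple[0] == "eq":
                    continue  # eq couples are never stored in an LOU
                # Port position is part of the key: gt 10 on a source port and
                # gt 10 on a destination port are stored separately.
                # Assumption: range is charged like any other non-eq couple.
                stored.add((position,) + tuple(couple))
        return len(stored)

    def lou_usage(self) -> float:
        """Whole LOUs consumed (two stored couples per LOU)."""
        return self.lou_halves() / 2

    def render(self) -> List[str]:
        """Approximate 'show ip access-lists' style output for the ACL."""
        out = [f"IP access list {self.name}"]
        for r in self.rules:
            parts = [str(r.seq), r.action, r.proto, r.src]
            if r.src_op:
                parts.append(" ".join(map(str, r.src_op)))
            parts.append(r.dst)
            if r.dst_op:
                parts.append(" ".join(map(str, r.dst_op)))
            out.append("  " + " ".join(parts))
        return out


def demo() -> Dict[str, object]:
    """Walk through the guide's examples on constructed sample ACLs."""
    acl = IpAcl("acl-01")
    acl.add(Rule("permit", "tcp", "10.0.0.0/24", "any", dst_op=("eq", 22), seq=225))
    appended = acl.add(Rule("deny", "tcp", "any", "any", dst_op=("gt", 1023)))   # 225 + 10
    lou_after_two = acl.lou_usage()        # eq 22 costs nothing; gt 1023 on dst = half an LOU
    acl.add(Rule("permit", "tcp", "any", "any", src_op=("gt", 1023)))             # same couple, src port
    acl.add(Rule("permit", "udp", "any", "any", src_op=("gt", 1023)))             # identical: no extra cost
    lou_after_four = acl.lou_usage()       # one whole LOU

    tight = IpAcl("acl-02")                # contiguous numbering: nothing fits between 100 and 101
    tight.add(Rule("permit", "ip", "192.0.2.0/24", "any", seq=100))
    tight.add(Rule("deny", "ip", "any", "any", seq=101))
    try:
        tight.add(Rule("permit", "ip", "198.51.100.0/24", "any", seq=100))
        collided = False
    except ValueError:
        collided = True
    resequenced = tight.resequence(10, 10)  # now 10 and 20, leaving room for 15
    tight.add(Rule("permit", "ip", "198.51.100.0/24", "any", seq=15))
    return {
        "appended_seq": appended,
        "lou_after_two": lou_after_two,
        "lou_after_four": lou_after_four,
        "collided": collided,
        "resequenced": resequenced,
        "final_order": [r.seq for r in tight.rules],
        "lines": acl.render(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The LOU count is the figure to watch when an ACL uses many distinct gt, lt or neq port tests on both source and destination ports; converting such tests to eq where the policy allows removes the LOU cost entirely, because eq couples are never stored.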