Sequence Numbers; Logical Operators And Logical Operation Units - Cisco Nexus 5000 Series Configuration Manual

Sequence Numbers

Sequence Numbers
The switch supports sequence numbers for rules. Every rule that you enter receives a sequence number, either
assigned by you or assigned automatically by the switch. Sequence numbers simplify the following ACL
tasks:
• Adding new rules between existing rules—By specifying the sequence number, you specify where in
• Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole
• Moving a rule—With sequence numbers, if you need to move a rule to a different position within an
If you enter a rule without a sequence number, the switch adds the rule to the end of the ACL and assigns a
sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example,
if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the
switch assigns the sequence number 235 to the new rule.
In addition, the Cisco Nexus 5000 Series switch allows you to reassign sequence numbers to rules in an ACL.
Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need
to insert one or more rules between those rules.

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers.
The switch stores operator-operand couples in registers called logical operator units (LOUs).
LOU usage for the "eq" operator is never stored in an LOU. The range operation is inclusive of boundary
values.
The following guidelines determine when the switch stores operator-operand couples in LOUs:
• If the operator or operand differs from other operator-operand couples that are used in other rules, the
• Whether the operator-operand couple is applied to a source port or a destination port in the rule affects
Cisco Nexus 5000 Series NX-OS Security Configuration Guide
76
the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered
100 and 110, you could assign a sequence number of 105 to the new rule.
rule, as follows:
switch(config-acl)# no permit tcp 10.0.0.0/8 any
However, if the same rule had a sequence number of 101, removing the rule requires only the following
command:
switch(config-acl)# no 101
ACL, you can add a second instance of the rule using the sequence number that positions it correctly,
and then you can remove the original instance of the rule. This action allows you to move the rule without
disrupting traffic.
couple is stored in an LOU.
For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an
LOU each. The couples "gt 10" and "lt 10" would also be stored separately.
LOU usage. Identical couples are stored separately when one of the identical couples is applied to a
source port and the other couple is applied to a destination port.
For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule
applies a "gt 10" couple to a destination port, both couples would also be stored in half an LOU, resulting
Configuring Access Control Lists
OL-20919-01