Statistics And Acls; Atomic Acl Updates - Cisco Nexus 9000 Series Configuration Manual

Nx-os security configuration guide, release 9.x
Statistics and ACLs
The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If
an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits)
on all the interfaces on which that ACL is applied.
Note
The device does not support interface-level ACL statistics.
For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which
allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help
troubleshoot the configuration of an ACL.
The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain
a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to
maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the
implicit rules.
Related Topics

Atomic ACL Updates

By default, when a supervisor module of a Cisco Nexus 9000 Series device updates an I/O module with
changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the
updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update
has enough available resources to store each updated ACL entry in addition to all pre-existing entries in the
affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module
lacks the required resources, the device generates an error message and the ACL update to the I/O module
fails.
If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using
the no hardware access-list update atomic command; however, during the brief time required for the device
to remove the preexisting ACL and implement the updated ACL, traffic that the ACL applies to is dropped
by default.
If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware
access-list update default-result permit command.
This example shows how to disable atomic updates to ACLs:
switch# config t
switch(config)# no hardware access-list update atomic
This example shows how to permit affected traffic during a nonatomic ACL update:
switch# config t
switch(config)# hardware access-list update default-result permit
This example shows how to revert to the atomic update method:
switch# config t
switch(config)# no hardware access-list update default-result permit
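The following is an added illustration, not Cisco code or NX-OS output: a small model of the resource rule described above, showing why an atomic update needs room for the old and new entries at once, and how the three configurations (atomic, nonatomic, nonatomic with default-result permit) differ in what happens to traffic. All names and entry counts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the I/O module behaviour described in the text.
# Names and numbers are illustrative assumptions, not NX-OS internals.


@dataclass
class UpdateResult:
    installed: bool           # did the updated ACL reach the I/O module?
    transition: str           # handling of matching traffic during the update
    peak_entries: int         # ACL entries held on the module at the worst moment
    error: Optional[str] = None


def plan_acl_update(free_entries: int, old_entries: int, new_entries: int,
                    atomic: bool = True,
                    default_result_permit: bool = False) -> UpdateResult:
    """Decide how an ACL update plays out on one I/O module.

    free_entries: unused entries on the module before the update
    old_entries:  entries of the currently installed ACL
    new_entries:  entries of the updated ACL
    atomic:       False models 'no hardware access-list update atomic'
    default_result_permit: models 'hardware access-list update default-result permit'
    """
    if atomic:
        # Atomic update: the new entries are programmed next to the old ones,
        # so the module must hold both sets until the old ones are freed.
        if new_entries > free_entries:
            return UpdateResult(False, "none (old ACL stays in force)", old_entries,
                                error=f"atomic update needs {new_entries} free entries, "
                                      f"module has {free_entries}")
        return UpdateResult(True, "none", old_entries + new_entries)
    # Nonatomic update: the old ACL is removed first, then the new one is
    # installed; only one set of entries is present at any time.
    transition = "permit" if default_result_permit else "drop"
    return UpdateResult(True, transition, max(old_entries, new_entries))


if __name__ == "__main__":
    # A module with 10 free entries, an 8-entry ACL, and a 12-entry replacement.
    for kwargs in ({}, {"atomic": False},
                   {"atomic": False, "default_result_permit": True}):
        print(kwargs, plan_acl_update(10, 8, 12, **kwargs))
```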
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Monitoring and Clearing IP ACL Statistics, on page 269
Implicit Rules for IP and MAC ACLs, on page 217
