Configuring UDF-Based Port ACLs - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

Configuring IP ACLs
Note
The default redirect TCAM region size of 256 might not be sufficient if you are running many BFD or DHCP
relay sessions. To accommodate more BFD or DHCP relay sessions, you might need to increase the TCAM
size to 512 or greater.
Related Topics
Configuring ACL TCAM Region Sizes, on page 240

Configuring UDF-Based Port ACLs

You can configure UDF-based port ACLs for Cisco Nexus 9200, 9300, and 9300-EX Series switches. This
feature enables the device to match on user-defined fields (UDFs) and to apply the matching packets to an
IPv4 port ACL.
You can configure UDF-based port IPv6 ACLs for Cisco Nexus 9300-EX switches. This feature enables the
device to match on the new UDFs and to apply the matching packets to an IPv6 port ACL.

SUMMARY STEPS
1. configure terminal
2. udf udf-name offset-base offset length
3. hardware access-list tcam region ing-ifacl qualify {udf udf-name | v6udf v6udf-name}
4. copy running-config startup-config
5. reload
6. ip access-list udf-acl
7. Enter one of the following commands:
   • permit udf udf-name value mask
   • permit ip source destination udf udf-name value mask
8. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1
Command or Action: configure terminal
Example:
switch# configure terminal
switch(config)#
Purpose: Enters global configuration mode.

Step 2
Command or Action: udf udf-name offset-base offset length
Example:
switch(config)# udf pktoff10 packet-start 10 2
Example:
switch(config)# udf pktoff10 header outer l3 20 2
Purpose: Defines the UDF as follows:
• udf-name—Specifies the name of the UDF. You can
enter up to 16 alphanumeric characters for the name.
• offset-base—Specifies the UDF offset base as follows,
where header is the packet header to consider for the
offset: {packet-start | header {outer | inner {l3 |
l4}}}.
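
To see which bytes the two udf examples in Step 2 select, the following added example (not from the Cisco guide) models a UDF in Python over a constructed, untagged IPv4/UDP frame. It assumes that offset counts bytes from the offset base starting at 0 and that permit udf matches when (field & mask) == (value & mask); the function names and the hex value/mask arguments are illustrative.

```python
import struct

ETH_HLEN = 14  # assumption: untagged Ethernet II frame carrying IPv4

def base_index(frame, base):
    """Byte index of the offset base inside the frame, or None if too short."""
    if base == "packet-start":
        return 0
    if len(frame) <= ETH_HLEN:
        return None
    if base == "header outer l3":
        return ETH_HLEN
    if base == "header outer l4":
        return ETH_HLEN + (frame[ETH_HLEN] & 0x0F) * 4  # IHL in 32-bit words
    raise ValueError("offset base not modelled: " + base)

def udf_field(frame, base, offset, length):
    """Bytes 'udf <name> <base> <offset> <length>' would select, as an int."""
    start = base_index(frame, base)
    if start is None:
        return None
    field = frame[start + offset:start + offset + length]
    return int.from_bytes(field, "big") if len(field) == length else None

def udf_matches(frame, base, offset, length, value, mask):
    """Assumed semantics of 'permit udf <name> <value> <mask>'."""
    field = udf_field(frame, base, offset, length)
    return field is not None and (field & mask) == (value & mask)

def sample_frame():
    """Constructed frame: src MAC ends in 12:34, UDP 53 -> 4789."""
    eth = bytes.fromhex("020000000001" "020000001234" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 53, 4789, 8, 0)
    return eth + ip + udp

if __name__ == "__main__":
    f = sample_frame()
    for base, off in (("packet-start", 10), ("header outer l3", 20)):
        field = udf_field(f, base, off, 2)
        hit = udf_matches(f, base, off, 2, 0x1234, 0xFFFF)
        print(f"udf pktoff10 {base} {off} 2 -> 0x{field:04x}, "
              f"matches 0x1234/0xffff: {hit}")
```

In this model, packet-start 10 selects the last two bytes of the source MAC address, while header outer l3 20 selects the UDP source port only as long as the IPv4 header carries no options.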