Cisco AP775A - Nexus Converged Network Switch 5010 Command Reference Manual page 368

Cisco Nexus 5000 Series Command Reference, Release 4.1(3)N1(1) (OL-16599-01, August 2009)

deny (IPv4)
Send comments to nx5000-docfeedback@cisco.com
If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater
than the last rule in the ACL.
Command Modes
IPv4 ACL configuration
Command History
Release         Modification
4.0(0)N1(1a)    This command was introduced.
Usage Guidelines
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL.
The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of
more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method
that you use to specify one of these arguments does not affect how you specify the other argument. When
you configure a rule, use the following methods to specify the source and destination arguments:
IP address group object—You can use an IPv4 address group object to specify a source or
destination argument. Use the object-group ip address command to create and change IPv4 address
group objects. The syntax is as follows:
addrgroup address-group-name
The following example shows how to use an IPv4 address object group named lab-gateway-svrs to
specify the destination argument:
switch(config-acl)# deny ip any addrgroup lab-gateway-svrs
Address and network wildcard—You can use an IPv4 address followed by a network wildcard to
specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address network-wildcard
The following example shows how to specify the source argument with the IPv4 address and
network wildcard for the 192.168.67.0 subnet:
switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any
Address and variable-length subnet mask—You can use an IPv4 address followed by a
variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The
syntax is as follows:
IPv4-address/prefix-len
The following example shows how to specify the source argument with the IPv4 address and VLSM
for the 192.168.67.0 subnet:
switch(config-acl)# deny udp 192.168.67.0/24 any
Host address—You can use the host keyword and an IPv4 address to specify a host as a source or
destination. The syntax is as follows:
host IPv4-address
This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
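The address forms and sequence-number rules above can be checked offline before an ACL is applied. The following Python is an added example, not part of the Cisco manual: it normalizes the four source/destination forms and returns the first rule a packet matches. The function names, the membership of lab-gateway-svrs, the two permit rules, and starting an empty ACL's numbering from 0 are assumptions made for illustration.

```python
import ipaddress

def to_nets(tok, groups):
    """Consume one source/destination argument: (networks, rest)."""
    head = tok[0]
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if head == "host":        # same as A/32 and A 0.0.0.0
        return [ipaddress.ip_network(tok[1] + "/32")], tok[2:]
    if head == "addrgroup":   # members come from a caller-supplied dict
        return [ipaddress.ip_network(n) for n in groups[tok[1]]], tok[2:]
    if "/" in head:           # address/prefix-len
        return [ipaddress.ip_network(head, strict=False)], tok[1:]
    # Address + wildcard, converted by hand: ipaddress would read a
    # trailing 0.0.0.0 as a netmask (/0) rather than a host wildcard.
    w = int(ipaddress.IPv4Address(tok[1]))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard not supported")
    return [ipaddress.ip_network(f"{head}/{32 - w.bit_length()}", strict=False)], tok[2:]

def load_acl(lines, groups):
    """Parse rules; a rule without a sequence number gets last + 10."""
    rules, last = [], 0   # assumption: an empty ACL starts from 0
    for line in lines:
        t = line.split()
        seq = int(t.pop(0)) if t[0].isdigit() else last + 10
        src, rest = to_nets(t[2:], groups)
        dst, _ = to_nets(rest, groups)
        rules.append({"seq": seq, "action": t[0], "proto": t[1], "src": src, "dst": dst})
        last = max(last, seq)
    return sorted(rules, key=lambda r: r["seq"])

def first_match(rules, proto, src, dst):
    """Lowest-sequence rule whose conditions the packet satisfies, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("ip", proto) and any(s in n for n in r["src"])
                and any(d in n for n in r["dst"])):
            return r
    return None

GROUPS = {"lab-gateway-svrs": ["10.10.10.0/28"]}  # constructed membership
ACL = load_acl([          # constructed ACL reusing the page's deny rules
    "deny tcp 192.168.67.0 0.0.0.255 any",
    "deny udp 192.168.67.0/24 any",
    "deny ip any addrgroup lab-gateway-svrs",
    "15 permit tcp host 192.168.67.5 any",   # lands after rule 10
    "permit ip any any",
], GROUPS)
```

In this sample ACL, TCP traffic from 192.168.67.5 still matches rule 10, so the permit entered at sequence 15 never takes effect.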
Chapter 6
Security Commands
OL-16599-01
