About ACLs
An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.
You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.
ACL Types and Applications
The device supports the following types of ACLs for security traffic filtering:
- IPv4 ACLs: The Cisco Nexus® 3550-T device applies IPv4 ACLs only to IPv4 TCP and UDP traffic.
IP ACLs have the following types of applications:
- Router ACL: filters Layer 3 traffic
- VTY ACL: filters virtual teletype (VTY) traffic
Note: Only Router and VTY ACL IP applications are supported in Cisco Nexus® 3550-T.

Note: Only the ingress policy can be configured in Cisco Nexus® 3550-T switches to filter the ingress traffic based on conditions specified in the ACL on the following interfaces:

This table summarizes the applications for security ACLs.

Application | Supported Interfaces | Types of ACLs Supported
---|---|---
Router ACL | |
Order of ACL Application
When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. The device applies only the ingress router ACL.
About Rules
Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.
You can create rules in access-list configuration mode by using the permit or deny command. The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.
This section describes some of the options that you can use when you configure a rule.
Source and Destination
In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host.
Implicit Rules for IP ACL
IP ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rules in an ACL match.
All IPv4 ACLs include the following implicit rule:
deny ip any any
This implicit rule ensures that the device denies any IP traffic that no explicit rule in the ACL matched.
Additional Filtering Options
You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:
- IPv4 ACLs support the following additional filtering options:
  - Layer 4 protocol
  - TCP and UDP ports
  - ICMP types and codes
Sequence Numbers
The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:
- Adding new rules between existing rules: By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.
- Removing a rule: Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:
  switch(config-acl)# no permit tcp 10.0.0.0/8 any
  However, if the same rule had a sequence number of 101, removing the rule requires only the following command:
  switch(config-acl)# no 101
- Moving a rule: With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.
If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.
In addition, Cisco NX-OS allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
Logical Operators and Logical Operation Units
IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. Cisco NX-OS supports logical operators in only the ingress direction.
The device stores operator-operand couples in registers called logical operator units (LOUs). The LOU usage for each type of operator is as follows:
- eq: is never stored in an LOU
- gt: uses 1 LOU
- lt: uses 1 LOU
- range: uses 1 LOU
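The first-match evaluation described under About ACLs, the implicit deny ip any any, the sequence-number operations (insert between 100 and 110, no <seq>, move by add-then-remove, resequence) and the LOU cost of the port operators can all be exercised together in one small model. The following Python is an added example written for this page, not Cisco NX-OS code: the ACL name LAB-IN, the addresses, ports and the packet dictionaries are constructed, and a real switch keeps ACL entries in I/O module hardware rather than in a Python list.

```python
"""First-match IPv4 ACL evaluation with sequence numbers and port operators."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Logical operator units (LOUs) consumed per port operator, as stated on the page.
LOU_COST = {"eq": 0, "gt": 1, "lt": 1, "range": 1}


def net(spec: str) -> ipaddress.IPv4Network:
    """'any', 'A.B.C.D/len' or a bare host address, as in access-list configuration mode."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


@dataclass
class Rule:
    seq: int
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip" matches any IP protocol; else "tcp"/"udp"/"icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int, int]] = None  # (operator, low, high); high is used by range only

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if pkt["src"] not in self.src or pkt["dst"] not in self.dst:
            return False
        if self.dport is None:
            return True
        p = pkt.get("dport")
        if p is None:                             # rule needs a port but the packet has none (ICMP)
            return False
        op, lo, hi = self.dport
        return {"eq": p == lo, "gt": p > lo, "lt": p < lo, "range": lo <= p <= hi}[op]


class IPv4ACL:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def add(self, action: str, proto: str, src: str, dst: str,
            dport: Optional[Tuple[str, int, int]] = None, seq: Optional[int] = None) -> int:
        if seq is None:                           # no sequence given: append at (last + 10)
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence {seq} already in use")
        self.rules.append(Rule(seq, action, proto, net(src), net(dst), dport))
        self.rules.sort(key=lambda r: r.seq)      # position comes from the sequence, not entry order
        return seq

    def remove(self, seq: int) -> None:           # the 'no <seq>' form
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        for i, r in enumerate(self.rules):
            r.seq = start + i * step

    def sequences(self) -> List[int]:
        return [r.seq for r in self.rules]

    def lou_usage(self) -> int:
        return sum(LOU_COST[r.dport[0]] for r in self.rules if r.dport)

    def evaluate(self, pkt: Dict) -> Tuple[str, Optional[int]]:
        """(action, matching sequence); ('deny', None) is the implicit deny ip any any."""
        for r in self.rules:                      # tested in sequence order; first match wins
            if r.matches(pkt):
                return r.action, r.seq
        return "deny", None


def pkt(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Dict:
    """Constructed packet summary (only the fields the matcher looks at)."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


def walkthrough() -> Dict[str, object]:
    """Hypothetical ACL LAB-IN; addresses and ports are constructed, not from the page."""
    acl = IPv4ACL("LAB-IN")
    acl.add("permit", "tcp", "10.0.0.0/8", "192.0.2.10", ("eq", 443, 443), seq=100)
    acl.add("deny", "tcp", "any", "any", ("range", 6000, 6100), seq=110)
    acl.add("permit", "udp", "any", "any", ("gt", 1023, 1023))          # no seq: becomes 120
    out = {"initial": acl.sequences(),
           "https": acl.evaluate(pkt("10.1.1.1", "192.0.2.10", "tcp", 443)),
           "x11": acl.evaluate(pkt("10.1.1.1", "192.0.2.10", "tcp", 6050)),
           "udp": acl.evaluate(pkt("203.0.113.5", "192.0.2.10", "udp", 5000)),
           "http": acl.evaluate(pkt("203.0.113.5", "192.0.2.10", "tcp", 80)),   # implicit deny
           "icmp": acl.evaluate(pkt("10.1.1.1", "192.0.2.10", "icmp"))}
    acl.add("deny", "tcp", "10.0.0.0/8", "any", ("eq", 22, 22), seq=105)  # insert between 100 and 110
    out["after_insert"] = acl.sequences()
    out["ssh"] = acl.evaluate(pkt("10.2.2.2", "192.0.2.10", "tcp", 22))
    out["lous"] = acl.lou_usage()                                         # range + gt = 2; eq costs none
    acl.add("deny", "tcp", "10.0.0.0/8", "any", ("eq", 22, 22), seq=10)   # move: add the copy first ...
    acl.remove(105)                                                       # ... then drop the original
    acl.resequence()                                                      # 10,100,110,120 -> 10,20,30,40
    acl.remove(20)                                                        # 'no 20' removes the 443 permit
    out["final"] = acl.sequences()
    out["https_after"] = acl.evaluate(pkt("10.1.1.1", "192.0.2.10", "tcp", 443))
    return out
```

Two things the walk-through makes visible that the prose only states: inserting the seq 105 deny does not change the verdict for port 443 from 10.0.0.0/8, because seq 100 still matches first, and after the move the resequenced numbers no longer correspond to the ones used in earlier `no <seq>` commands, so resequence before scripting removals, not after.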
Time Ranges
You can use time ranges to control when an ACL rule is in effect. For example, if the device determines that a particular ACL applies to traffic arriving on an interface, and a rule in the ACL uses a time range that is not in effect, the device does not compare the traffic to that rule. The device evaluates time ranges based on its clock.
When you apply an ACL that uses time ranges, the device updates the affected I/O module whenever a time range referenced in the ACL starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.
IPv4 ACLs support time ranges. When the device applies an ACL to traffic, the rules in effect are as follows:
- All rules without a time range specified
- Rules with a time range that includes the second when the device applies the ACL to traffic
The device supports named, reusable time ranges, which allows you to configure a time range once and specify it by name when you configure many ACL rules. Time range names have a maximum length of 64 alphanumeric characters.
A time range contains one or more rules. The two types of rules are as follows:
- Absolute: A rule with a specific start date and time, specific end date and time, both, or neither. The following items describe how the presence or absence of a start or end date and time affects whether an absolute time range rule is active:
  - Start and end date and time both specified: the time range rule is active when the current time is later than the start date and time and earlier than the end date and time.
  - Start date and time specified with no end date and time: the time range rule is active when the current time is later than the start date and time.
  - No start date and time with end date and time specified: the time range rule is active when the current time is earlier than the end date and time.
  - No start or end date and time specified: the time range rule is always active.
  For example, you could prepare your network to allow access to a new subnet by specifying a time range that allows access beginning at midnight of the day that you plan to place the subnet online. You can use that time range in ACL rules that apply to the subnet. After the start time and date have passed, the device automatically begins applying the rules that use this time range when it applies the ACLs that contain the rules.
- Periodic: A rule that is active one or more times per week. For example, you could use a periodic time range to allow access to a lab subnet only during work hours on weekdays. The device automatically applies ACL rules that use this time range only when the range is active and when it applies the ACLs that contain the rules.
Note: The order of rules in a time range does not affect how a device evaluates whether a time range is active. Cisco NX-OS includes sequence numbers in time ranges to make editing the time range easier.
Time ranges also allow you to include remarks, which you can use to insert comments into a time range. Remarks have a maximum length of 100 alphanumeric characters.
The device determines whether a time range is active as follows:
- The time range contains only absolute rules: the time range is active if the current time is within one or more absolute rules.
- The time range contains only periodic rules: the time range is active if the current time is within one or more periodic rules.
- The time range contains both absolute and periodic rules: the time range is active if the current time is within one or more absolute rules and within one or more periodic rules.
When a time range contains both absolute and periodic rules, the periodic rules can only be active when at least one absolute rule is active.
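The three activity rules above, the four absolute-rule cases, and the "rules in effect" selection from earlier in this section can be checked against concrete instants. The following Python is an added example for this page, not Cisco NX-OS code: the time-range names, the 2024 dates and the 08:00 to 18:00 weekday window are constructed, and two behaviours the page does not specify are assumptions, namely that a time range with no rules is never active and that the end minute of a periodic window is inclusive.

```python
"""Time-range activity and the ACL rules in effect at a given instant."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

WEEKDAYS = frozenset(range(0, 5))          # Monday=0 .. Friday=4, datetime.weekday() numbering


@dataclass
class Absolute:
    start: Optional[datetime] = None       # None: no start boundary
    end: Optional[datetime] = None         # None: no end boundary

    def active(self, now: datetime) -> bool:
        # later than start (if set) and earlier than end (if set); neither set means always active
        return (self.start is None or now > self.start) and (self.end is None or now < self.end)


@dataclass
class Periodic:
    days: frozenset                        # weekday numbers on which the window applies
    start: Tuple[int, int]                 # (hour, minute)
    end: Tuple[int, int]                   # assumption: inclusive end minute

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= (now.hour, now.minute) <= self.end


class TimeRange:
    def __init__(self, name: str):
        if len(name) > 64:                 # page: names have a maximum length of 64 characters
            raise ValueError("time-range name too long")
        self.name = name
        self.absolute: List[Absolute] = []
        self.periodic: List[Periodic] = []

    def is_active(self, now: datetime) -> bool:
        abs_ok = any(r.active(now) for r in self.absolute)
        per_ok = any(r.active(now) for r in self.periodic)
        if self.absolute and self.periodic:
            return abs_ok and per_ok       # periodic rules count only while an absolute rule is active
        if self.absolute:
            return abs_ok
        if self.periodic:
            return per_ok
        return False                       # assumption: an empty time range is never active


def rules_in_effect(rules: List[Tuple[int, Optional[str]]],
                    ranges: Dict[str, TimeRange], now: datetime) -> List[int]:
    """Sequence numbers the device compares traffic against at 'now':
    every rule without a time range, plus rules whose range is active."""
    return [seq for seq, tr in rules if tr is None or ranges[tr].is_active(now)]


def build_ranges() -> Dict[str, TimeRange]:
    """Constructed time ranges; names and dates are not from the page."""
    work = TimeRange("work-hours")                       # periodic only
    work.periodic.append(Periodic(WEEKDAYS, (8, 0), (18, 0)))
    lab = TimeRange("lab-after-cutover")                 # absolute (start only) plus periodic
    lab.absolute.append(Absolute(start=datetime(2024, 1, 15, 0, 0)))
    lab.periodic.append(Periodic(WEEKDAYS, (8, 0), (18, 0)))
    window = TimeRange("migration-window")               # absolute with an end only
    window.absolute.append(Absolute(end=datetime(2024, 2, 1, 0, 0)))
    return {"work-hours": work, "lab-after-cutover": lab, "migration-window": window}


# Constructed ACL skeleton: (sequence number, time-range name or None for no time range)
EXAMPLE_RULES = [(10, None), (20, "work-hours"), (30, "lab-after-cutover"), (40, "migration-window")]


def range_active_at(name: str, iso: str) -> bool:
    return build_ranges()[name].is_active(datetime.fromisoformat(iso))


def in_effect_at(iso: str) -> List[int]:
    return rules_in_effect(EXAMPLE_RULES, build_ranges(), datetime.fromisoformat(iso))
```

The combined range is the case worth staring at: on Friday 12 January at 10:00 the periodic window is open but the absolute start has not passed, so seq 30 is not in effect even though the identical periodic-only range for seq 20 is active. Exactly at the absolute start (15 January 00:00) the rule is still inactive, because the page's condition is "later than the start", not "at or after".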