Creating an IP ACL
7. (Optional) copy running-config startup-config
DETAILED STEPS

Step 1
Command or Action: configure terminal
Example:
switch# configure terminal
switch(config)#
Purpose: Enters global configuration mode.

Step 2
Command or Action: Enter one of the following commands:
• ip access-list name
• ipv6 access-list name
Example:
switch(config)# ip access-list acl-01
switch(config-acl)#
Purpose: Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

Step 3
Command or Action: (Optional) fragments {permit-all | deny-all}
Example:
switch(config-acl)# fragments permit-all
Purpose: Optimizes fragment handling for noninitial fragments. When a device applies to traffic an ACL that contains the fragments command, the fragments command only matches noninitial fragments that do not match any explicit permit or deny commands in the ACL.

Step 4
Command or Action: [sequence-number] {permit | deny} protocol {source-ip-prefix | source-ip-mask} {destination-ip-prefix | destination-ip-mask}
Example:
switch(config-acl)# permit ip 192.168.2.0/24 any
Example:
switch(config-acl)# 10 permit ipv6 1::1 2::2 3::3 4::4
Purpose: Creates a rule in the IP ACL. You can create many rules. The sequence-number argument can be a whole number between 1 and 4294967295. The permit and deny commands support many ways of identifying traffic. For IPv4 and IPv6 access lists, you can specify a source and destination IPv4 or IPv6 prefix, which matches only on the first contiguous bits, or you can specify a source and destination IPv4 or IPv6 wildcard mask, which matches on any bit in the address. IPv6 wildcard masks are supported for Cisco Nexus 9200, 9300-EX, and 9300-FX/FX2/FXP switches and the Cisco Nexus 9364C switch.

Step 5
Command or Action: (Optional) statistics per-entry
Example:
switch(config-acl)# statistics per-entry
Purpose: Specifies that the device maintains global statistics for packets that match the rules in the ACL.

Step 6
Command or Action: (Optional) Enter one of the following commands:
• show ip access-lists name
• show ipv6 access-lists name
Example:
switch(config-acl)# show ip access-lists acl-01
Purpose: Displays the IP ACL configuration.

Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
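As an added illustration (not code from the Cisco guide), the following Python model evaluates rules written in the Step 4 syntax, showing the difference between prefix matching (first contiguous bits) and wildcard-mask matching (any bit), sequence ordering, the implicit deny at the end of the ACL, and the Step 3 fragments behaviour for noninitial fragments that match no explicit rule. It assumes rules carry only protocol and addresses (no ports), and that sequence numbers are given explicitly.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip"/"ipv6" match every protocol; otherwise e.g. "tcp", "udp"
    src: tuple    # (network_int, care_mask_int), or None for "any"
    dst: tuple

def _parse_match(tokens):
    """Consume one address spec: 'any', 'prefix/len', or 'addr wildcard-mask'."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if "/" in tok:  # prefix form: match only the first contiguous bits
        net = ipaddress.ip_network(tok, strict=False)
        return (int(net.network_address), int(net.netmask))
    addr = ipaddress.ip_address(tok)
    wild = ipaddress.ip_address(tokens.pop(0))  # wildcard: 1 bits are "don't care"
    care = int(wild) ^ (2 ** addr.max_prefixlen - 1)  # invert to a care mask (any bit)
    return (int(addr) & care, care)

def parse_rule(line):
    """Parse 'seq {permit|deny} protocol <src> <dst>' as written in Step 4."""
    tokens = line.split()
    seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
    src = _parse_match(tokens)
    dst = _parse_match(tokens)
    return Rule(seq, action, proto, src, dst)

def _matches(spec, addr):
    return spec is None or (int(addr) & spec[1]) == spec[0]

def evaluate(rules, fragments_policy, proto, src, dst, noninitial_fragment=False):
    """Return 'permit' or 'deny'. fragments_policy is 'permit-all', 'deny-all' or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.seq):  # lowest sequence number wins
        if r.proto in ("ip", "ipv6", proto) and _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    if noninitial_fragment and fragments_policy:
        # fragments command applies only to noninitial fragments no explicit rule matched
        return fragments_policy.split("-")[0]
    return "deny"  # implicit deny at the end of every ACL
```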
Configuring IP ACLs