Prerequisites for IP ACLs
IP ACLs have the following prerequisites:
• You must be familiar with IP addressing and protocols to configure IP ACLs.
• You must be familiar with the interface types that you want to configure with ACLs.
Guidelines and Limitations for IP ACLs
IP ACLs have the following configuration guidelines and limitations:
• We recommend that you perform ACL configuration using the Session Manager. This feature allows
you to verify ACL configuration and confirm that the resources required by the configuration are available
prior to committing them to the running configuration. This is especially useful for ACLs that include
more than 1000 rules. For more information about Session Manager, see the Cisco Nexus 9000 Series
NX-OS System Management Configuration Guide.
• Configuring IPv4 PACLs in the range of 12k to 64k is supported on Cisco Nexus 9500 Series switches
with -RX line cards.
• Duplicate ACL entries with different sequence numbers are allowed in the configuration. However, these
duplicate entries are not programmed in the hardware access-list.
• Only 62 unique ACLs can be configured. Each ACL takes one label. If the same ACL is configured on
multiple interfaces, the same label is shared. If each ACL has unique entries, the ACL labels are not
shared, and the label limit is 62.
• In most cases, ACL processing for IP packets occurs on the I/O modules, which use hardware that
accelerates ACL processing. In some circumstances, processing occurs on the supervisor module, which
can result in slower ACL processing, especially during processing that involves an ACL with a large
number of rules. Management interface traffic is always processed on the supervisor module. If IP packets
in any of the following categories are exiting a Layer 3 interface, they are sent to the supervisor module
for processing:
  • Packets that fail the Layer 3 maximum transmission unit check and therefore require fragmenting.
  • IPv4 packets that have IP options (additional IP packet header fields following the destination
  address field).
  • IPv6 packets that have extended IPv6 header fields.
Rate limiters prevent redirected packets from overwhelming the supervisor module.
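To make the three supervisor-punt categories above concrete, here is an added Python example (not from the Cisco guide) that inspects a raw IP header and reports which of the listed conditions apply to a packet leaving a Layer 3 interface; the egress MTU value, the header-builder helpers and the packet bytes are constructed for illustration.

```python
import struct

# IPv6 extension headers by "next header" value (hop-by-hop, routing,
# fragment, ESP, AH, destination options, mobility, HIP, shim6).
IPV6_EXT_HEADERS = {0, 43, 44, 50, 51, 60, 135, 139, 140}


def supervisor_punt_reasons(packet: bytes, egress_mtu: int = 1500) -> list:
    """Return the guide's categories that would send this packet to the
    supervisor module instead of the hardware ACL path (empty = stays in
    hardware). egress_mtu is an assumed Layer 3 MTU for the exit interface."""
    if not packet:
        return ["truncated"]
    version = packet[0] >> 4
    reasons = []
    if version == 4:
        if len(packet) < 20:
            return ["truncated"]
        ihl = packet[0] & 0x0F                      # header length in 32-bit words
        total_len = struct.unpack("!H", packet[2:4])[0]
        if ihl > 5:                                 # anything past 20 bytes is IP options
            reasons.append("ipv4-options")
        if total_len > egress_mtu:                  # fails the Layer 3 MTU check
            reasons.append("needs-fragmentation")
    elif version == 6:
        if len(packet) < 40:
            return ["truncated"]
        payload_len = struct.unpack("!H", packet[4:6])[0]
        if packet[6] in IPV6_EXT_HEADERS:           # next-header field at offset 6
            reasons.append("ipv6-extension-header")
        if 40 + payload_len > egress_mtu:
            reasons.append("needs-fragmentation")
    else:
        reasons.append("not-ip")
    return reasons


def make_ipv4(ihl: int = 5, total_len: int = 60) -> bytes:
    """Constructed IPv4 header: version/IHL, TOS, total length, zeroed
    remaining fields, plus (ihl - 5) * 4 bytes of zero option padding."""
    base = bytes([(4 << 4) | ihl, 0]) + struct.pack("!H", total_len) + bytes(16)
    return base + bytes((ihl - 5) * 4)


def make_ipv6(next_header: int = 6, payload_len: int = 20) -> bytes:
    """Constructed IPv6 header (40 bytes) with the given next-header value."""
    return (bytes([0x60, 0, 0, 0]) + struct.pack("!H", payload_len)
            + bytes([next_header, 64]) + bytes(32))
```

Running it over a packet capture lets you estimate how much of your egress traffic falls outside the hardware ACL path before the supervisor rate limiters come into play.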
• When you apply an ACL that uses time ranges, the device updates the ACL entries whenever a time
range referenced in an ACL entry starts or ends. Updates that are initiated by time ranges occur on a
best-effort priority. If the device is especially busy when a time range causes an update, the device may
delay the update by up to a few seconds.
• To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally. For more
information about VLAN interfaces, see the Cisco Nexus 9000 Series NX-OS Interfaces Configuration
Guide.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring IP ACLs