switch(config-acl)# permit ip any 2001:DB8:1::1/64 log
switch(config-acl)# exit
switch(config)# interface ethernet 1/1
switch(config-if)# ip access-group logging-test in
switch(config-if)# exit
switch(config)# logging ip access-list cache interval 400
switch(config)# logging ip access-list cache entries 100
switch(config)# logging ip access-list cache threshold 900
switch(config)# hardware rate-limiter access-list-log 200
switch(config)# acllog match-log-level 5
The following example shows how to configure a UDF-based port ACL:
switch# configure terminal
switch(config)# hardware access-list tcam region ing-ifacl 256
switch(config)# udf pktoff10 packet-start 10 2
switch(config)# udf pktoff20 packet-start 10 1
switch(config)# hardware access-list tcam region ing-ifacl qualify udf pktoff10 pktoff20

switch# configure terminal
switch(config)# ip access-list udfacl
switch(config-acl)# statistics per-entry
switch(config-acl)# 10 permit ip any any udf pktoff10 0x1234 0xffff

switch# configure terminal
switch(config)# interface Ethernet1/1
switch(config-if)# ip port access-group udfacl in
switch(config-if)# switchport
switch(config-if)# no shutdown
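The example above defines the UDFs and the ACE but does not spell out what the switch actually compares. The following Python model, added here as an illustration and not Cisco code, shows the match logic that `udf NAME packet-start OFFSET LENGTH` and an ACE clause `udf NAME VALUE MASK` imply: read LENGTH bytes at byte OFFSET of the frame and compare them, under the mask, with VALUE. The frame is constructed for the example; the assumptions that offsets count from the first byte of the frame, that the field is read big-endian, and that a frame too short to contain the field does not match, are mine and are labelled in the code.

```python
# Added illustration of NX-OS user-defined field (UDF) matching; not Cisco code.
# Modelled semantics of the commands in the example above:
#   udf NAME packet-start OFFSET LENGTH   -> read LENGTH bytes at byte OFFSET of the frame
#   ... udf NAME VALUE MASK (inside an ACE) -> match when (field & MASK) == (VALUE & MASK)
# Assumptions: offsets count from byte 0 of the frame, fields are read big-endian,
# and a frame too short to contain the field does not match.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Udf:
    name: str
    offset: int   # byte offset from packet start
    length: int   # 1 or 2 bytes, the lengths the udf command accepts


def parse_udf(line: str) -> Udf:
    """Parse a definition such as 'udf pktoff10 packet-start 10 2'."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "udf" or parts[2] != "packet-start":
        raise ValueError(f"unsupported udf definition: {line!r}")
    offset, length = int(parts[3]), int(parts[4])
    if length not in (1, 2):
        raise ValueError("a UDF is 1 or 2 bytes long")
    return Udf(parts[1], offset, length)


def ace_udf_clauses(ace: str) -> List[Tuple[str, int, int]]:
    """Pull every 'udf NAME VALUE MASK' triple out of an ACE line such as
    '10 permit ip any any udf pktoff10 0x1234 0xffff'."""
    parts = ace.split()
    clauses = []
    i = 0
    while i < len(parts):
        if parts[i] == "udf":
            name = parts[i + 1]
            value, mask = int(parts[i + 2], 0), int(parts[i + 3], 0)
            clauses.append((name, value, mask))
            i += 4
        else:
            i += 1
    return clauses


def udf_matches(frame: bytes, udf: Udf, value: int, mask: int) -> bool:
    """Compare the masked field at the UDF's offset with the masked value."""
    end = udf.offset + udf.length
    if end > len(frame):
        return False                      # field lies beyond the end of the frame
    field = int.from_bytes(frame[udf.offset:end], "big")
    return (field & mask) == (value & mask)


def ace_matches(frame: bytes, udfs: Dict[str, Udf], ace: str) -> bool:
    """True when every UDF clause of the ACE matches. Other qualifiers
    ('ip any any') are outside this model and are ignored."""
    return all(udf_matches(frame, udfs[name], value, mask)
               for name, value, mask in ace_udf_clauses(ace))


# Constructed sample frame (not a capture): 14-byte Ethernet header followed by
# the first bytes of an IPv4 header. Bytes 10-11 are the last two bytes of the
# source MAC and hold 0x12 0x34, so pktoff10 reads 0x1234.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"   # destination MAC
    "aabbccdd1234"   # source MAC, ends in 0x1234
    "0800"           # EtherType IPv4
    "4500003c"       # IPv4: version/IHL, DSCP, total length
)

UDFS = {u.name: u for u in (parse_udf("udf pktoff10 packet-start 10 2"),
                            parse_udf("udf pktoff20 packet-start 10 1"))}
ACE = "10 permit ip any any udf pktoff10 0x1234 0xffff"

if __name__ == "__main__":
    print("ACE matches sample frame:", ace_matches(SAMPLE_FRAME, UDFS, ACE))
```

The point to keep in mind when reviewing a UDF-based ACL is that `packet-start` is a raw byte offset: the field reads whatever happens to be at that position, so the ACE only means what the author intended if every frame hitting the port has the same layout ahead of the offset. In this model a frame that is shorter than OFFSET + LENGTH simply does not match, which is the safe reading for a permit entry.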
About System ACLs
You can configure system ACLs on Cisco Nexus 9500 Series switches with -R and -RX line cards. A system ACL lets you apply one Layer 2 port ACL (PACL), using the same access list, to all the ports in the switch. Configuring a system ACL reduces TCAM usage and also reduces the time and memory consumed while the policy is being applied or modified.
See the following guidelines and limitations for configuring system ACLs:
• The system PACL is supported on Layer 2 interfaces only.
• On Cisco Nexus 9500 Series switches with -R line cards, up to 10K ACEs are supported alongside all other basic features needed for the switch to come up. The hardware capacity on Cisco Nexus 9500 Series switches with -RX line cards is 64K ACEs.
• You can also configure system ACLs on Cisco Nexus 3600 platform switches with N3K-C3636C-R and N3K-C36180YC-R line cards.
• Configuring the IPv4 PACL TCAM region (ifacl) to anything larger than the total physical TCAM capacity of -R line cards (12k) results in a power down of the -R line cards only.
• ACE statistics are not yet supported for system ACLs.
• IPv6 is not yet supported in system ACLs.
• System ACLs are not supported on breakout ports.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x