Guidelines and Limitations for IP ACLs
• The network address translation (NAT) exception counters are zero.
• Only PACL redirects are supported for TAP aggregation. VACL redirects are not supported.
• Only three of the following four features can be supported at a time: DHCPv4 snooping/relay, DHCPv6 relay, ARP snooping, VXLAN. The first three configured features take effect, but the fourth one fails because all three bridge domain label bits are already in use.
• RACLs cannot match on packets with multicast MAC destination addresses.
• On the Cisco Nexus 9200 and 9300-EX Series switches, the RACL ACL log option does not take effect, because the sup-redirect ACLs have higher priority for traffic destined to the SUP.
• For traffic destined to the FHRP VIP that ingresses on the FHRP standby and matches an ACL log enabled ACE designed to permit the traffic, the Cisco Nexus 9000 Series switch drops the packet.
• On Broadcom-based Cisco Nexus 9000 Series switches, when an SVI and a subinterface match the same VLAN tag, traffic routed out through the subinterface is dropped if an access list is configured on that SVI. This is due to an ASIC limitation; for the same reason, egress RACLs on Layer 3 subinterfaces are not supported.
• In Cisco NX-OS Release 9.2(2), the permit tcp any established rule for egress IPv4 and IPv6 RACLs is not supported on the Cisco Nexus 9504 and Cisco Nexus 9508 line cards.
• In Cisco NX-OS Release 9.2(2), Cisco Nexus N9K-C9508 and N9K-C9504 with N9K-X96136YC-R, N9K-X9636C-R, N9K-X9636Q-R, and N9K-X9636C-RX line cards do not support the following on egress RACLs:
  • UDF to support ICMP type match
  • ACL log on egress
  • Egress IPv4 RACL with additional filter option tcp/udp ports with lt/gt
  • Egress IPv4 RACL with additional filter option tcp/udp ports with neq
  • Egress IPv4 RACL with additional filter option tcp/udp ports with range
  • Egress IPv4 RACL with flag
  • Egress RACL on an external TCAM
  • Egress PACL support
  • Statistics support
  • Label sharing
• When a new ACL is applied or an existing ACL is reconfigured on a Layer 3 interface on which BFD is enabled, BFD on that interface flaps momentarily.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
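As an added example (not from the configuration guide or Cisco), a small Python checker that scans an NX-OS running-config excerpt for egress RACL bindings and flags the ACE options this section lists as unsupported on egress for the 9504/9508 R-series line cards (lt/gt/neq/range, ACL log, established), as well as egress RACLs on Layer 3 subinterfaces. The configuration excerpt is constructed, only IPv4 access lists are parsed, and which findings matter for a given device depends on its platform.

```python
import re
from typing import Dict, List, Tuple

# Constructed NX-OS running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
ip access-list EGRESS-FILTER
  10 permit tcp any any established
  20 permit tcp any any range 1024 65535
  30 deny ip any any log
ip access-list INGRESS-FILTER
  10 permit tcp any any eq 22 log
  20 deny ip any any
interface Ethernet1/1
  ip access-group EGRESS-FILTER out
interface Ethernet1/2
  ip access-group INGRESS-FILTER in
interface Ethernet1/3.100
  ip access-group EGRESS-FILTER out
"""

# ACE keywords the guide lists as unsupported on egress IPv4 RACLs for the
# R-series line cards: port operators lt/gt/neq/range, ACL log, established.
UNSUPPORTED_EGRESS = re.compile(r"\b(lt|gt|neq|range|log|established)\b")


def parse_config(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]]]:
    """Return {acl_name: [ACE lines]} and [(interface, acl_name, direction)]."""
    acls: Dict[str, List[str]] = {}
    bindings: List[Tuple[str, str, str]] = []
    current_acl = current_if = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("ip access-list "):
            current_acl, current_if = s.split()[-1], None
            acls[current_acl] = []
        elif s.startswith("interface "):
            current_if, current_acl = s.split(maxsplit=1)[1], None
        elif current_acl and s and s.split()[0].isdigit():  # sequence-numbered ACE
            acls[current_acl].append(s)
        elif current_if and s.startswith("ip access-group "):
            _, _, name, direction = s.split()
            bindings.append((current_if, name, direction))
    return acls, bindings


def lint_egress_racls(text: str) -> List[str]:
    """Flag egress (out) RACL bindings that hit the limitations listed above."""
    acls, bindings = parse_config(text)
    findings: List[str] = []
    for intf, name, direction in bindings:
        if direction != "out":
            continue  # the listed limitations apply to egress RACLs only
        if "." in intf:  # Ethernet1/3.100 is a Layer 3 subinterface
            findings.append(f"{intf}: egress RACL {name} on L3 subinterface is unsupported")
        for ace in acls.get(name, []):
            m = UNSUPPORTED_EGRESS.search(ace)
            if m:
                findings.append(f"{intf}: {name} ACE '{ace}' uses '{m.group(1)}' unsupported on egress")
    return findings
```

Run `lint_egress_racls(SAMPLE_CONFIG)` before pushing a change; the INGRESS-FILTER binding produces no findings because it is applied inbound.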
Configuring IP ACLs