Configuring IP ACLs
Command or Action
• permit ip source destination udf udf-name value mask
Example:
switch(config-acl)# permit udf pktoff10 0x1234 0xffff
Example:
switch(config-acl)# permit ip any any udf pktoff10 0x1234 0xffff
Purpose
range for the value and mask arguments is from 0x0 to 0xffff.
A single ACL can have ACEs with and without UDFs together. Each ACE can have different UDF fields to match, or all ACEs can match for the same list of UDFs.
Step 8
(Optional) copy running-config startup-config
Example:
switch(config)# copy running-config startup-config
Purpose
Copies the running configuration to the startup configuration.
Applying an IP ACL as a Router ACL
You can apply an IPv4 or IPv6 ACL to any of the following types of interfaces:
• Physical Layer 3 interfaces and subinterfaces
• Layer 3 Ethernet port-channel interfaces
• VLAN interfaces
• Management interfaces
ACLs applied to these interface types are considered router ACLs.
Note
Egress router ACLs are not supported on subinterfaces and on Cisco Nexus 9300 Series switch uplink ports.
Before you begin
Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.
SUMMARY STEPS
1. configure terminal
2. Enter one of the following commands:
• interface ethernet slot/port[.number]
• interface port-channel channel-number
• interface vlan vlan-id
• interface mgmt port
3. Enter one of the following commands:
• ip access-group access-list {in | out}
• ipv6 traffic-filter access-list {in | out}
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
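The two procedures above worked through end to end, as an added NX-OS session that is not from the guide: a single ACL that mixes UDF and non-UDF ACEs, applied inbound as a router ACL and saved. The ACL name ACL-UDF-DEMO and interface Ethernet 1/1.100 are placeholders; the udf and hardware access-list tcam region commands are assumed from the UDF configuration section of the guide and do not appear on this page.

```text
! Added example: UDF-based IPv4 ACL applied inbound as a router ACL.
! pktoff10 is the UDF name used on this page; ACL-UDF-DEMO and Ethernet 1/1.100 are placeholders.
switch# configure terminal

! Prerequisites assumed from the UDF section of the guide (not shown on this page):
! define the UDF (2 bytes at packet offset 10) and qualify the ingress RACL TCAM region for it.
switch(config)# udf pktoff10 packet-start 10 2
switch(config)# hardware access-list tcam region ing-racl qualify udf pktoff10

! One ACL holding ACEs with and without UDFs, as the Purpose column allows.
! The UDF value/mask pair stays within the 0x0-0xffff range.
switch(config)# ip access-list ACL-UDF-DEMO
switch(config-acl)# 10 permit ip any any udf pktoff10 0x1234 0xffff
switch(config-acl)# 20 deny udp any any eq 53
switch(config-acl)# 30 permit ip 10.0.0.0/8 any
switch(config-acl)# exit

! Apply on a Layer 3 subinterface. Direction is "in" because egress router ACLs
! are not supported on subinterfaces (see the Note above).
switch(config)# interface ethernet 1/1.100
switch(config-if)# ip access-group ACL-UDF-DEMO in
switch(config-if)# exit

! Save, then check the ACE list and the interface binding.
switch(config)# copy running-config startup-config
switch(config)# show ip access-lists ACL-UDF-DEMO
switch(config)# show running-config interface ethernet 1/1.100
```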