ACL (Global Config)

ip access-list [name]

Creates or modifies an IP access list to filter traffic based on source and destination addresses, protocols, and ports.

Overview

The 'ip access-list' command in Cisco NX-OS is used to define access control lists (ACLs) that filter network traffic based on IP addresses, protocols, and port numbers. ACLs are a fundamental security feature used to permit or deny traffic traversing the switch. In NX-OS, ACLs can be standard (filtering only source IP) or extended (filtering source/destination IP, protocol, and ports). They are applied to interfaces in the inbound or outbound direction using the 'ip access-group' command. ACLs are also used in route-maps for policy-based routing, BGP filtering, and QoS classification. On Nexus switches, ACLs support sequence numbers for easy editing and object-groups for scalability. Troubleshooting involves verifying ACL hits with 'show ip access-lists' and checking interface counters with 'show interface'. ACLs are processed top-down, so order matters. NX-OS also supports time-based ACLs and reflexive ACLs for advanced filtering.

Syntax (Global Config)

ip access-list {standard | extended} {name}

When to Use This Command

  • Restricting management access to the switch from specific management subnets.
  • Permitting only specific VLAN traffic between data center leaf and spine switches.
  • Blocking unwanted traffic like Telnet or SNMP from external networks.
  • Creating route-maps for policy-based routing or BGP filtering.

Parameters

Parameter | Syntax   | Description
standard  | standard | Specifies a standard ACL that filters based on source IP address only. Standard ACLs are typically placed close to the destination.
extended  | extended | Specifies an extended ACL that filters based on source and destination IP, protocol, and port numbers. Extended ACLs should be placed close to the source.
name      | name     | A unique alphanumeric name for the ACL. Names can be up to 64 characters and are case-sensitive.

Command Examples

Create an extended ACL to permit HTTP and HTTPS from a specific subnet

ip access-list extended WEB-ACCESS
  10 permit tcp 10.1.1.0 0.0.0.255 any eq 80
  20 permit tcp 10.1.1.0 0.0.0.255 any eq 443

The ACL named WEB-ACCESS is created with two entries: permit TCP traffic from source 10.1.1.0/24 to any destination on port 80 (HTTP) and port 443 (HTTPS). Sequence numbers 10 and 20 are used for ordering.

Apply ACL to an interface to filter inbound traffic

interface ethernet 1/1
  ip access-group WEB-ACCESS in

The ACL WEB-ACCESS is applied inbound on interface Ethernet 1/1, filtering traffic entering the switch from that interface.

Understanding the Output

When you issue the command 'show ip access-lists', the output displays each ACL with its entries. Each entry shows the sequence number, action (permit/deny), protocol, source and destination addresses with wildcard masks, and optional port information. The 'hit count' field indicates how many packets have matched that entry, which is useful for troubleshooting. A healthy ACL will have entries that match expected traffic patterns, while a problem might be indicated by unexpected high hit counts on deny entries or zero hits on permit entries that should be active.
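The review described above can be scripted. The following is an added example, not part of the original page or a Cisco tool: it parses a constructed sample of 'show ip access-lists' output (written in the NX-OS style with per-entry '[match=N]' counters, which is an assumption about the exact format on a given release) and flags the two warning signs the paragraph names: deny entries with a high hit count and permit entries that have never matched. The threshold value is a constructed choice, not a recommendation from the page.

```python
import re

# Constructed sample of 'show ip access-lists' output in the NX-OS style with
# per-entry match counters ('[match=N]'); not captured from a real device.
SAMPLE_OUTPUT = """\
IP access list WEB-ACCESS
        statistics per-entry
        10 permit tcp 10.1.1.0/24 any eq 80 [match=15230]
        20 permit tcp 10.1.1.0/24 any eq 443 [match=0]
        30 deny ip any any log [match=48211]
IP access list MGMT-ACL
        statistics per-entry
        10 permit tcp 10.10.10.0/24 any eq 22 [match=412]
"""

ACL_HEADER = re.compile(r"^IP access list (\S+)$")
# sequence, action, the rest of the entry, and an optional trailing match counter
ENTRY = re.compile(r"^(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\[match=(\d+)\])?$")


def parse_access_lists(text):
    """Return {acl_name: [{seq, action, match, hits}, ...]} from show output.
    'hits' is None when no per-entry counter is printed."""
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            seq, action, match, hits = m.groups()
            acls[current].append({
                "seq": int(seq),
                "action": action,
                "match": match,
                "hits": int(hits) if hits is not None else None,
            })
    return acls


def review_hit_counts(acls, deny_threshold=1000):
    """Apply the page's rule of thumb: a deny entry with unexpectedly high hits
    or a permit entry with zero hits deserves a closer look. The threshold is a
    constructed value. Returns a list of (acl, seq, reason) tuples."""
    findings = []
    for name, entries in acls.items():
        for e in entries:
            if e["hits"] is None:
                findings.append((name, e["seq"],
                                 "no counter (statistics per-entry not enabled?)"))
            elif e["action"] == "deny" and e["hits"] >= deny_threshold:
                findings.append((name, e["seq"], f"deny entry with {e['hits']} hits"))
            elif e["action"] == "permit" and e["hits"] == 0:
                findings.append((name, e["seq"], "permit entry never matched"))
    return findings


if __name__ == "__main__":
    for acl, seq, reason in review_hit_counts(parse_access_lists(SAMPLE_OUTPUT)):
        print(f"{acl} seq {seq}: {reason}")
```

Run against the sample, the script reports the unused HTTPS permit (seq 20) and the busy explicit deny (seq 30) in WEB-ACCESS; the MGMT-ACL permit with a modest non-zero count is left alone.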

Configuration Scenarios

Restricting SSH Access to Management Interface

A data center switch should only allow SSH access from a management subnet 10.10.10.0/24.

Topology

Management PC (10.10.10.5) --- Mgmt0 (10.10.10.1) --- Nexus Switch

Steps

  1. Create an extended ACL to permit SSH from the management subnet.
  2. Apply the ACL inbound on the management interface.

Configuration

! Create ACL
ip access-list extended MGMT-ACL
  permit tcp 10.10.10.0 0.0.0.255 any eq 22
! Apply to management interface
interface mgmt0
  ip access-group MGMT-ACL in

Verify: Use 'show ip access-lists MGMT-ACL' to verify entries and hit counts. Use 'show ssh server' to confirm SSH is enabled.

Watch out: Ensure the management interface IP is within the permitted subnet, otherwise you may lock yourself out.

Troubleshooting with This Command

When troubleshooting ACLs on NX-OS, start by verifying the ACL configuration with 'show ip access-lists'. Check the hit counts to see if entries are being matched. If an ACL is not working as expected, ensure it is applied to the correct interface and direction using 'show running-config interface <interface>'. Use 'show interface <interface>' to check for packet drops. For complex issues, enable ACL logging by adding 'log' at the end of ACL entries to see matches in syslog. Also verify that the ACL does not contain conflicting entries; NX-OS processes ACLs sequentially, so a deny entry before a permit entry will block traffic. If using object-groups, verify the group contents with 'show object-group'. Finally, check for hardware resource exhaustion with 'show hardware capacity' as ACLs consume TCAM resources.

CCNA Exam Tips

  1. Remember that NX-OS uses sequence numbers for ACL entries; you can insert entries between existing ones using the sequence number.
  2. In NX-OS, ACLs are applied using 'ip access-group' under interface configuration, similar to IOS.
  3. Be aware that NX-OS supports object-groups for simplifying ACL configuration, which is a common exam topic.

Common Mistakes

Forgetting to apply the ACL to an interface after creation, resulting in no filtering.

Using incorrect wildcard mask (e.g., using subnet mask instead of wildcard).

Placing ACL entries in the wrong order; NX-OS processes entries sequentially, so more specific entries should come before general ones.
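The three mistakes above, and the lockout warning from the SSH scenario, can all be checked before a change is pushed. The following is an added example, not code from the page or from Cisco: a small first-match evaluator with NX-OS/IOS wildcard-mask semantics and the implicit deny at the end. It models only the source address, protocol and destination port (the destination is assumed to be 'any', as in the page's entries); the ACL tuples and the management host 10.10.10.5 are constructed from the page's scenario.

```python
import ipaddress

# Entries are (seq, action, protocol, src_network, src_wildcard, dst_port),
# listed in device order. Destination is assumed 'any'. All constructed.
MGMT_ACL = [
    (10, "permit", "tcp", "10.10.10.0", "0.0.0.255", 22),
]
# Mistake: a subnet mask typed where a wildcard mask belongs.
MGMT_ACL_BAD_MASK = [
    (10, "permit", "tcp", "10.10.10.0", "255.255.255.0", 22),
]
# Mistake: a general deny placed before the specific permit.
MGMT_ACL_BAD_ORDER = [
    (10, "deny", "ip", "0.0.0.0", "255.255.255.255", None),
    (20, "permit", "tcp", "10.10.10.0", "0.0.0.255", 22),
]


def wildcard_match(addr, network, wildcard):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored. 0.0.0.255 covers a /24; 255.255.255.0 ignores the first three
    octets and only pins the last one, which is why it is the wrong mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src, proto, dport):
    """Top-down, first-match evaluation followed by the implicit deny.
    Returns (action, seq); seq is None when the implicit deny applied."""
    for seq, action, e_proto, net, wc, port in acl:
        if e_proto not in ("ip", proto):
            continue
        if not wildcard_match(src, net, wc):
            continue
        if port is not None and port != dport:
            continue
        return action, seq
    return "deny", None


def lockout_check(acl, mgmt_src, mgmt_proto="tcp", mgmt_port=22):
    """True when the management host would still be permitted after the ACL is
    applied inbound; run this before 'ip access-group ... in' on mgmt0."""
    action, _ = evaluate(acl, mgmt_src, mgmt_proto, mgmt_port)
    return action == "permit"


if __name__ == "__main__":
    host = "10.10.10.5"
    for name, acl in [("MGMT-ACL", MGMT_ACL), ("bad mask", MGMT_ACL_BAD_MASK),
                      ("bad order", MGMT_ACL_BAD_ORDER)]:
        print(name, evaluate(acl, host, "tcp", 22), "safe" if lockout_check(acl, host) else "LOCKOUT")
```

The evaluator shows why the wrong mask is dangerous in both directions: 255.255.255.0 fails to match the real management host 10.10.10.5 (lockout), yet it matches an unrelated address such as 192.168.5.0 whose last octet happens to be 0 (over-permissive). The ordering case returns the deny at seq 10 before the permit at seq 20 is ever consulted.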

Platform Notes

NX-OS ACLs differ from IOS in several ways: NX-OS uses sequence numbers by default, allowing insertion of entries without reordering. NX-OS supports object-groups for IP addresses, ports, and protocols, which simplifies ACL management. NX-OS also supports VACLs (VLAN ACLs) for filtering within a VLAN. On Nexus 9000 series, ACLs are hardware-offloaded for performance. Equivalent commands on other platforms: on IOS, 'access-list' is used instead of 'ip access-list'; on Juniper, firewall filters are used. NX-OS version differences: earlier versions may not support certain features like object-groups or time-based ACLs; check the release notes.
