IP Access List
Access lists provide packet filtering and traffic classification on NX-OS through ordered sequences of permit/deny rules that match on Layer 3 and Layer 4 header fields including protocol, source/destination prefixes, ports, DSCP, and TCP flags. Each ACL supports per-ACE statistics, fragment handling policies, address and port groups for object-based matching, ICMP type/code filtering, HTTP method matching, packet length operators, time-range restrictions, and VLAN/VNI-based filtering. Access lists are applied to interfaces for ingress/egress traffic filtering and referenced by other features such as route maps, QoS policies, and DHCP snooping for comprehensive traffic control and security enforcement.
Diagram
Section titled “Diagram”
Classes
Section titled “Classes”configuration (nxos.devices)
Section titled “configuration (nxos.devices)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip_access_lists | List | [ip_access_lists] | No |
ip_access_lists (nxos.devices.configuration)
Section titled “ip_access_lists (nxos.devices.configuration)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Yes | ||
| fragments | Choice | permit-all, deny-all | No | |
| statistics_per_entry | Boolean | true, false | No | |
| entries | List | [entries] | No |
entries (nxos.devices.configuration.ip_access_lists)
Section titled “entries (nxos.devices.configuration.ip_access_lists)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence_number | Integer | min: 1, max: 4294967295 | Yes | |
| remark | String | No | ||
| action | Choice | permit, deny | No | |
| protocol | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| fragment | Boolean | true, false | No | |
| log | Boolean | true, false | No | |
| established | Boolean | true, false | No | |
| ack | Boolean | true, false | No | |
| fin | Boolean | true, false | No | |
| psh | Boolean | true, false | No | |
| rst | Boolean | true, false | No | |
| syn | Boolean | true, false | No | |
| urg | Boolean | true, false | No | |
| icmp_type | Integer | min: 0, max: 256 | No | |
| icmp_code | Integer | min: 0, max: 256 | No | |
| icmp_message | String | No | ||
| http_method | Choice | get, put, head, post, delete, trace, connect | No | |
| time_range | String | No | ||
| redirect | String | No | ||
| packet_length_operator | Choice | none, eq, neq, lt, gt, range | No | |
| packet_length_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| packet_length_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| vlan | Integer | min: 0, max: 4095 | No | |
| vni | String | No |
source (nxos.devices.configuration.ip_access_lists.entries)
Section titled “source (nxos.devices.configuration.ip_access_lists.entries)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | String | No | ||
| prefix_length | Integer | min: 0, max: 32 | No | |
| prefix_mask | String | No | ||
| address_group | String | No | ||
| port_operator | Choice | none, eq, neq, lt, gt, range | No | |
| port_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_group | String | No |
destination (nxos.devices.configuration.ip_access_lists.entries)
Section titled “destination (nxos.devices.configuration.ip_access_lists.entries)”| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | String | No | ||
| prefix_length | Integer | min: 0, max: 32 | No | |
| prefix_mask | String | No | ||
| address_group | String | No | ||
| port_operator | Choice | none, eq, neq, lt, gt, range | No | |
| port_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_group | String | No |
Examples
Section titled “Examples”Example 1: Management plane protection ACL — restrict SSH and SNMP access to trusted subnets
nxos: devices: - name: SPINE1 configuration: ip_access_lists: - name: ACL-MGMT-ACCESS statistics_per_entry: true entries: - sequence_number: 10 remark: "Allow SSH from management subnet" - sequence_number: 20 action: permit protocol: tcp source: prefix: 10.50.202.0 prefix_length: 24 destination: prefix: any port_operator: eq port_1: 22 - sequence_number: 30 remark: "Allow SNMP from monitoring servers" - sequence_number: 40 action: permit protocol: udp source: prefix: 10.50.100.0 prefix_length: 24 destination: prefix: any port_operator: eq port_1: 161 - sequence_number: 50 remark: "Allow TACACS from AAA servers" - sequence_number: 60 action: permit protocol: tcp source: prefix: 10.50.100.10 prefix_length: 32 destination: prefix: any port_operator: eq port_1: 49 - sequence_number: 1000 action: deny protocol: ip source: prefix: any destination: prefix: any log: trueExample 2: VXLAN fabric infrastructure ACL — permit BFD, BGP, and VXLAN UDP traffic between spine and leaf
nxos: devices: - name: LEAF1 configuration: ip_access_lists: - name: ACL-FABRIC-INFRA statistics_per_entry: true entries: - sequence_number: 10 remark: "Allow BGP between fabric peers" - sequence_number: 20 action: permit protocol: tcp source: prefix: 10.1.10.0 prefix_length: 24 destination: prefix: 10.1.10.0 prefix_length: 24 port_operator: eq port_1: 179 - sequence_number: 30 remark: "Allow VXLAN encapsulated traffic" - sequence_number: 40 action: permit protocol: udp source: prefix: 10.1.200.0 prefix_length: 24 destination: prefix: 10.1.200.0 prefix_length: 24 port_operator: eq port_1: 4789 - sequence_number: 50 remark: "Allow ICMP for troubleshooting" - sequence_number: 60 action: permit protocol: icmp source: prefix: 10.1.0.0 prefix_length: 16 destination: prefix: 10.1.0.0 prefix_length: 16Example 3: Tenant traffic filtering ACL with TCP flags, DSCP marking, and logging on a border leaf
nxos: devices: - name: BORDER-LEAF1 configuration: ip_access_lists: - name: ACL-TENANT-BLUE-IN statistics_per_entry: true fragments: deny-all entries: - sequence_number: 10 remark: "Allow established TCP sessions" - sequence_number: 20 action: permit protocol: tcp source: prefix: any destination: prefix: 192.168.1.0 prefix_length: 24 established: true - sequence_number: 30 remark: "Allow HTTPS inbound to web tier" - sequence_number: 40 action: permit protocol: tcp source: prefix: any destination: prefix: 192.168.1.0 prefix_length: 24 port_operator: eq port_1: 443 dscp: 46 - sequence_number: 50 remark: "Allow DNS queries to tenant DNS" - sequence_number: 60 action: permit protocol: udp source: prefix: any destination: prefix: 192.168.1.0 prefix_length: 24 port_operator: eq port_1: 53 - sequence_number: 70 remark: "Deny and log all other traffic" - sequence_number: 80 action: deny protocol: ip source: prefix: any destination: prefix: any log: true