IP Access List
Access lists provide packet filtering and traffic classification on NX-OS through ordered sequences of permit/deny rules that match on Layer 3 and Layer 4 header fields including protocol, source/destination prefixes, ports, DSCP, and TCP flags. Each ACL supports per-ACE statistics, fragment handling policies, address and port groups for object-based matching, ICMP type/code filtering, HTTP method matching, packet length operators, time-range restrictions, VLAN/VNI-based filtering, TTL matching, capture sessions, IGMP type filtering, telemetry actions, and redirect options. Access lists are applied to interfaces for ingress/egress traffic filtering and referenced by other features such as route maps, QoS policies, and DHCP snooping for comprehensive traffic control and security enforcement.
Diagram

Classes

configuration (nxos.devices)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ip_access_lists | List | [ip_access_lists] | No | |
ip_access_lists (nxos.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| fragments | Choice | permit-all, deny-all | No | |
| ignore_routable | Boolean | true, false | No | |
| statistics_per_entry | Boolean | true, false | No | |
| entries | List | [entries] | No | |
entries (nxos.devices.configuration.ip_access_lists)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| sequence_number | Integer | min: 1, max: 4294967295 | Yes | |
| remark | String | | No | |
| action | Choice | permit, deny | No | |
| protocol | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| source | Class | [source] | No | |
| destination | Class | [destination] | No | |
| dscp | Integer | min: 0, max: 63 | No | |
| fragment | Boolean | true, false | No | |
| log | Boolean | true, false | No | |
| established | Boolean | true, false | No | |
| ack | Boolean | true, false | No | |
| fin | Boolean | true, false | No | |
| psh | Boolean | true, false | No | |
| rst | Boolean | true, false | No | |
| syn | Boolean | true, false | No | |
| urg | Boolean | true, false | No | |
| icmp_type | Integer | min: 0, max: 256 | No | |
| icmp_code | Integer | min: 0, max: 256 | No | |
| icmp_message | String | | No | |
| http_method | Choice | get, put, head, post, delete, trace, connect | No | |
| time_range | String | | No | |
| redirect | String | | No | |
| packet_length_operator | Choice | none, eq, neq, lt, gt, range | No | |
| packet_length_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| packet_length_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| precedence | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| vlan | Integer | min: 0, max: 4095 | No | |
| vni | String | | No | |
| rev | Boolean | true, false | No | |
| tcp_flags_mask | Integer | min: 0, max: 64 | No | |
| tcp_option_length | Integer | min: 0, max: 41 | No | |
| igmp_type | Integer | min: 0, max: 16 | No | |
| capture_session | Integer | min: 0, max: 48 | No | |
| dscp_mask | Integer | min: 0, max: 63 | No | |
| load_share | Boolean | true, false | No | |
| priority_all | Boolean | true, false | No | |
| protocol_mask | String | | No | |
| redirect_all | String | | No | |
| telemetry_path | Boolean | true, false | No | |
| telemetry_queue | Boolean | true, false | No | |
| tos | Integer | min: 0, max: 15 | No | |
| ttl | Integer | min: 0, max: 255 | No | |
source (nxos.devices.configuration.ip_access_lists.entries)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | String | | No | |
| prefix_length | Integer | min: 0, max: 32 | No | |
| prefix_mask | String | | No | |
| address_group | String | | No | |
| port_operator | Choice | none, eq, neq, lt, gt, range | No | |
| port_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_group | String | | No | |
destination (nxos.devices.configuration.ip_access_lists.entries)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| prefix | String | | No | |
| prefix_length | Integer | min: 0, max: 32 | No | |
| prefix_mask | String | | No | |
| address_group | String | | No | |
| port_operator | Choice | none, eq, neq, lt, gt, range | No | |
| port_1 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_2 | Any | String or Integer or String[Regex: ^.*[\$\%]\{.*$] | No | |
| port_group | String | | No | |
Examples

Example 1: Management plane protection ACL — restrict SSH and SNMP access to trusted subnets

```yaml
nxos:
  devices:
    - name: SPINE1
      configuration:
        ip_access_lists:
          - name: ACL-MGMT-ACCESS
            statistics_per_entry: true
            entries:
              - sequence_number: 10
                remark: "Allow SSH from management subnet"
              - sequence_number: 20
                action: permit
                protocol: tcp
                source:
                  prefix: 10.50.202.0
                  prefix_length: 24
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 22
              - sequence_number: 30
                remark: "Allow SNMP from monitoring servers"
              - sequence_number: 40
                action: permit
                protocol: udp
                source:
                  prefix: 10.50.100.0
                  prefix_length: 24
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 161
              - sequence_number: 50
                remark: "Allow TACACS from AAA servers"
              - sequence_number: 60
                action: permit
                protocol: tcp
                source:
                  prefix: 10.50.100.10
                  prefix_length: 32
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 49
              - sequence_number: 1000
                action: deny
                protocol: ip
                source:
                  prefix: any
                destination:
                  prefix: any
                log: true
```

Example 2: VXLAN fabric infrastructure ACL — permit BFD, BGP, and VXLAN UDP traffic between spine and leaf

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        ip_access_lists:
          - name: ACL-FABRIC-INFRA
            statistics_per_entry: true
            entries:
              - sequence_number: 10
                remark: "Allow BGP between fabric peers"
              - sequence_number: 20
                action: permit
                protocol: tcp
                source:
                  prefix: 10.1.10.0
                  prefix_length: 24
                destination:
                  prefix: 10.1.10.0
                  prefix_length: 24
                  port_operator: eq
                  port_1: 179
              - sequence_number: 30
                remark: "Allow VXLAN encapsulated traffic"
              - sequence_number: 40
                action: permit
                protocol: udp
                source:
                  prefix: 10.1.200.0
                  prefix_length: 24
                destination:
                  prefix: 10.1.200.0
                  prefix_length: 24
                  port_operator: eq
                  port_1: 4789
              - sequence_number: 50
                remark: "Allow ICMP for troubleshooting"
              - sequence_number: 60
                action: permit
                protocol: icmp
                source:
                  prefix: 10.1.0.0
                  prefix_length: 16
                destination:
                  prefix: 10.1.0.0
                  prefix_length: 16
```

Example 3: Tenant traffic filtering ACL with TCP flags, DSCP marking, and logging on a border leaf

```yaml
nxos:
  devices:
    - name: BORDER-LEAF1
      configuration:
        ip_access_lists:
          - name: ACL-TENANT-BLUE-IN
            statistics_per_entry: true
            fragments: deny-all
            entries:
              - sequence_number: 10
                remark: "Allow established TCP sessions"
              - sequence_number: 20
                action: permit
                protocol: tcp
                source:
                  prefix: any
                destination:
                  prefix: 192.168.1.0
                  prefix_length: 24
                established: true
              - sequence_number: 30
                remark: "Allow HTTPS inbound to web tier"
              - sequence_number: 40
                action: permit
                protocol: tcp
                source:
                  prefix: any
                destination:
                  prefix: 192.168.1.0
                  prefix_length: 24
                  port_operator: eq
                  port_1: 443
                dscp: 46
              - sequence_number: 50
                remark: "Allow DNS queries to tenant DNS"
              - sequence_number: 60
                action: permit
                protocol: udp
                source:
                  prefix: any
                destination:
                  prefix: 192.168.1.0
                  prefix_length: 24
                  port_operator: eq
                  port_1: 53
              - sequence_number: 70
                remark: "Deny and log all other traffic"
              - sequence_number: 80
                action: deny
                protocol: ip
                source:
                  prefix: any
                destination:
                  prefix: any
                log: true
```

Example 4: Advanced ACL with TTL matching, IGMP filtering, capture session, time-range, and telemetry

```yaml
nxos:
  devices:
    - name: LEAF2
      configuration:
        ip_access_lists:
          - name: ACL-ADVANCED-SECURITY
            statistics_per_entry: true
            ignore_routable: true
            entries:
              - sequence_number: 10
                remark: "Capture suspicious traffic for analysis"
              - sequence_number: 20
                action: permit
                protocol: tcp
                source:
                  prefix: 10.99.0.0
                  prefix_length: 16
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 443
                capture_session: 1
                telemetry_queue: true
              - sequence_number: 30
                remark: "Allow IGMP queries from routers"
              - sequence_number: 40
                action: permit
                protocol: igmp
                source:
                  prefix: 10.1.0.0
                  prefix_length: 16
                destination:
                  prefix: any
                igmp_type: 1
              - sequence_number: 50
                remark: "Permit ICMP echo with TTL check"
              - sequence_number: 60
                action: permit
                protocol: icmp
                source:
                  prefix: any
                destination:
                  prefix: 172.16.0.0
                  prefix_length: 12
                icmp_message: echo
                ttl: 64
              - sequence_number: 70
                remark: "Allow HTTP during business hours"
              - sequence_number: 80
                action: permit
                protocol: tcp
                source:
                  prefix: 10.20.0.0
                  prefix_length: 16
                destination:
                  prefix: any
                  port_operator: eq
                  port_1: 80
                http_method: get
                time_range: BUSINESS-HOURS
              - sequence_number: 90
                remark: "Redirect traffic to inspection appliance"
              - sequence_number: 100
                action: permit
                protocol: ip
                source:
                  prefix: 10.30.0.0
                  prefix_length: 24
                destination:
                  prefix: any
                redirect: eth1/48
                load_share: true
              - sequence_number: 1000
                action: deny
                protocol: ip
                source:
                  prefix: any
                destination:
                  prefix: any
                log: true
```
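As an added example (not part of this page or the project it documents), a lint pass over one `ip_access_lists` item in the shape defined above: it checks the `sequence_number` range and ordering, that each `port_operator` carries the ports it needs, that no ACE is shadowed by an earlier `ip any any` catch-all, and that the list ends with an explicit logged deny as the examples above do. The rule set, the `lint_acl` function and the sample ACL are assumptions constructed here.

```python
"""Lint a nac-style NX-OS ip_access_lists definition for ordering and policy gaps."""
from typing import Any, Dict, List
SEQ_MAX = 4294967295  # sequence_number range from the schema table


def _is_any(ep: Dict[str, Any]) -> bool:  # matches every address, no port or group constraint
    return (ep.get("prefix") == "any" and not ep.get("address_group")
            and ep.get("port_operator", "none") == "none" and not ep.get("port_group"))


def lint_acl(acl: Dict[str, Any]) -> List[str]:
    """Return findings as 'seq: message' strings; an empty list means the ACL is clean."""
    out: List[str] = []
    last_seq, catch_all, rules = 0, None, []
    for e in acl.get("entries", []):
        seq = e.get("sequence_number")
        if not isinstance(seq, int) or not 1 <= seq <= SEQ_MAX:
            out.append(f"{seq}: sequence_number outside 1..{SEQ_MAX}")
            continue
        if seq <= last_seq:  # ACEs are evaluated in sequence order
            out.append(f"{seq}: not greater than previous sequence {last_seq}")
        last_seq = seq
        if "remark" in e:  # remarks carry no match criteria
            continue
        if catch_all is not None:  # an earlier 'ip any any' ACE already matches everything
            out.append(f"{seq}: unreachable, shadowed by {catch_all}")
        src, dst = e.get("source") or {}, e.get("destination") or {}
        for side, ep in (("source", src), ("destination", dst)):
            op = ep.get("port_operator", "none")
            need = {"port_1", "port_2"} if op == "range" else {"port_1"} if op != "none" else set()
            if not need <= set(ep):
                out.append(f"{seq}: {side} {op} requires {' and '.join(sorted(need))}")
        rules.append(e)
        if e.get("protocol") == "ip" and _is_any(src) and _is_any(dst):
            if e.get("action") == "permit":
                out.append(f"{seq}: permit ip any any is over-permissive")
            catch_all = seq
    tail = rules[-1] if rules else {}
    if tail.get("sequence_number") != catch_all or tail.get("action") != "deny":
        out.append("acl: last rule is not an explicit 'deny ip any any' (implicit deny gives no counters or log)")
    elif not tail.get("log"):
        out.append(f"{catch_all}: final deny has no log")
    return out


# Constructed sample in the page's ip_access_lists shape (not taken from the page).
SAMPLE_ACL = {"name": "ACL-LINT-DEMO", "statistics_per_entry": True, "entries": [
    {"sequence_number": 10, "remark": "web tier"},
    {"sequence_number": 20, "action": "permit", "protocol": "tcp", "source": {"prefix": "any"},
     "destination": {"prefix": "192.168.1.0", "prefix_length": 24, "port_operator": "range", "port_1": 80}},
    {"sequence_number": 30, "action": "deny", "protocol": "ip", "source": {"prefix": "any"}, "destination": {"prefix": "any"}},
    {"sequence_number": 25, "action": "permit", "protocol": "udp", "source": {"prefix": "any"},
     "destination": {"prefix": "any", "port_operator": "eq", "port_1": 53}}]}
```

Running `lint_acl(SAMPLE_ACL)` reports the half-specified range, the out-of-order entry 25 (which is also unreachable behind the deny at 30), and the missing terminating deny.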