Guidelines and Limitations for VACLs
VACLs have the following configuration guidelines:
• Cisco recommends using the Session Manager to configure ACLs. This feature allows you to verify the
ACL configuration and confirm that the resources required by the configuration are available prior to
committing them to the running configuration. For more information about Session Manager, see the
Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.
• If you try to apply too many ACL entries, the configuration might be rejected.
• VACL redirects to SPAN destination ports are not supported.
• VACL logging is not supported.
• TCAM resources are not shared when a VACL is applied to multiple VLANs.
• Cisco Nexus 9200 and 9300-EX Series switches support the VACL redirect option. The redirect is
permitted to one physical or port-channel interface.
• Deny statements are not supported on VACLs. Alternatively, you can use permit statements with the
action 'drop' to achieve a similar outcome.
• When you configure a VACL with the "redirect" option, the interface that you define as the redirect
interface must be a member of the VLAN to which you apply the VACL. That VLAN must also be in
the forwarding state on this interface for the redirection to work. If these conditions are not met,
the switch drops the packets that the VACL matches.
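The drop and redirect guidelines above, shown as an added NX-OS configuration example (not taken from the Cisco guide). The ACL and access-map names, VLAN 100, the 192.0.2.0/24 prefix, and interface Ethernet1/10 are assumptions chosen for illustration.

```cisco
! Constructed example: all names, VLAN 100, the prefix and Ethernet1/10 are assumptions.
! The ACLs contain permit entries only (deny statements are not supported on VACLs).
! A permit entry selects traffic; the access-map action decides what happens to it.
ip access-list BLOCK-TELNET
  permit tcp any any eq 23
ip access-list INSPECT-WEB
  permit tcp any 192.0.2.0/24 eq 80
ip access-list ALL-IP
  permit ip any any

! Sequence 10: the permit-plus-drop pattern used in place of a deny statement.
vlan access-map VLAN100-FILTER 10
  match ip address BLOCK-TELNET
  action drop

! Sequence 20: redirect to one physical interface
! (redirect is supported on Cisco Nexus 9200 and 9300-EX Series switches).
vlan access-map VLAN100-FILTER 20
  match ip address INSPECT-WEB
  action redirect ethernet 1/10

! Sequence 30: forward all other IP traffic explicitly
! rather than leaving it to the implicit rules.
vlan access-map VLAN100-FILTER 30
  match ip address ALL-IP
  action forward

! The redirect interface must be a member of VLAN 100, and VLAN 100 must be
! forwarding on it; otherwise traffic matched by sequence 20 is dropped.
interface ethernet 1/10
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  no shutdown

! Apply the VACL to the VLAN.
vlan filter VLAN100-FILTER vlan-list 100

! Checks after applying: access-map contents, VLAN binding, and the
! forwarding state of VLAN 100 on the redirect interface.
show vlan access-map VLAN100-FILTER
show vlan filter
show spanning-tree vlan 100
```

If `show spanning-tree vlan 100` does not list the redirect interface in the forwarding state, treat the redirect entry as a drop rule until that is corrected.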
The following guidelines apply to VACLs for VXLANs:
• VACLs applied on a VXLAN VLAN in the access to network direction (Layer 2 to Layer 3 encapsulation
path) are supported on the inner payload.
• We recommend using VACLs on the access side to filter out traffic entering the overlay network.
• Egress VACLs for decapsulated VXLAN traffic are not supported.
Default Settings for VACLs
This table lists the default settings for VACL parameters.
Table 31: Default VACL Parameters
Parameters    Default
VACLs         No IP ACLs exist by default
ACL rules     Implicit rules apply to all ACLs
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring VLAN ACLs