Master IP Addressing and Subnetting: The Ultimate Course for Network Engineers—Limited Time Offer: $100 Course for FREE!

Hey there, fellow Network Engineers! Tired of feeling lost in the world of IP addressing and subnetting? Look no further! My course, "Mastering IP Addressing and Subnetting," is here to give you the skills and confidence you need to tackle any subnetting challenge. And the best part? For a limited time, I'm offering it for free to my website visitors and subscribers with the code "year2023" at checkout. Don't miss out on this opportunity to level up your networking game.

Click now to check out the course!

Configure ACLs using Atomic Programming in Cisco Nexus 7000

This lab has been completed on Nexus 7010 with the following hardware and software installed; you can take a look at Cisco Nexus 7000 user accounts and RBAC in my previous post.

In this task, we will configure ACLs using the atomic programming feature of Cisco NX-OS.
Software. In addition, we will investigate the method used to modify, validate, and re-sequence ACLs.

  • Step 1 – On your N7K switch, create two object groups: ALLOWSUBNETS and the other BADPORTS.
Nexus 7k Object
Nexus 7k Object
  • Step 2 – Exit global configuration mode and reenter using the configure session command.

Name our session ACL-CHECKER
N7K11-pod3# configure session ACL-CHECKER

  • Step 3 – Create an IP access list named BIG-ACL.

N7K11-pod3(config-s)# ip access-list BIG-ACL

  • Step 4 – Assign the object-groups named ALLOWSUBNETS and BADPORTS created in Step 1 above to the IP access list BIG-ACL.

N7K11-pod3(config-s-acl)# permit ip addrgroup ALLOWNETS any
N7K11-pod3(config-s-acl)# deny tcp any port-group BADPORTS any

  • Step 5 – Add the following deny statements to the access list named BIG-ACL.

N7K11-pod3(config-s-acl)# deny tcp any
N7K11-pod3(config-s-acl)# deny tcp any
N7K11-pod3(config-s-acl)# deny tcp any
N7K11-pod3(config-s-acl)# deny tcp any
N7K11-pod3(config-s-acl)# exit

  • Step 6 – Assign the IP access list BIG-ACL to the port channel interface within our pod. VDC in the ingress direction.

N7K11-pod3(config-s)# interface port-channel 1

N7K11-pod3(config-s-if)# ip access-group BIG-ACL in
N7K11-pod3(config-s-if)# exit

  • Step 7 – Verify the configuration session ACL-CHECK.

N7K11-pod3(config-s)# verify
Verification Successful

  • Step 8 – If the operation in Step 7 was successful, then commit the session to the running configuration.

N7K11-pod3(config-s)# commit
Commit Successful

Nexus 7k Object

We can check our access-list just configured by ” show access-list BIG-ACL.” Also, we can insert multiple sequences in between our access-list sequence; here, we will insert sequences 11 to 19 between 10 and 20.

Nexus 7k ACL

We can resequence the ACL also by using “resequence ip access-list BIG-ACL [start-seq] [end-seq],” and we can verify our new restructured ACL.

Nexus 7k ACL

We can use several Show commands like “show ip access-list” and ” sh access-list” to check our configuration “; one cool command is “Show running-config aclmgr”

Nexus 7k ACL
Afroz Ahmad
Afroz Ahmad

"Hey there, network enthusiasts! My name is Afroz, and I've been a CCIE for over 14 years. I work as a Network Designer, and my true passion is teaching others about the industry and sharing my knowledge through my blog and courses. I know the struggles of navigating the complex world of networking, but I firmly believe that teaching makes you a better learner and reinforces understanding. So, whether you're just starting out or a seasoned veteran, join me on this journey of learning and discovery, it will be worth it, and who knows, you might even have some fun along the way!"

Articles: 83

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *