Configuring IP ACLs

This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS devices.

Unless otherwise specified, the term IP ACL refers to IPv4 ACLs.

About ACLs

An ACL is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

ACL Types and Applications

The device supports the following types of ACLs for security traffic filtering:

IPv4 ACLs
The Cisco Nexus® 3550-T device applies IPv4 ACLs only to IPv4 TCP and UDP traffic.

IP ACLs have the following types of applications:

Router ACL
Filters Layer 3 traffic
VTY ACL
Filters virtual teletype (VTY) traffic

Note

Only Router and VTY ACL IP applications are supported in Cisco Nexus® 3550-T.

Note

Only the ingress policy can be configured on Cisco Nexus® 3550-T switches. It filters ingress traffic, based on the conditions specified in the ACL, on the following interfaces:

  • Physical Layer 3 interfaces

  • Layer 3 Ethernet port-channel interfaces


This table summarizes the applications for security ACLs.

Table 1. Security ACL Applications

Application   Supported Interfaces                          Types of ACLs Supported
Router ACL    • Physical Layer 3 interfaces                 • IPv4 ACLs
              • Layer 3 Ethernet port-channel interfaces
              • Management interfaces

Note

Egress router ACLs are not supported on Cisco Nexus® 3550-T switch uplink ports.

Order of ACL Application

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. On this platform, the device applies only the ingress router ACL.

About Rules

Rules are what you create, modify, and remove when you configure how an ACL filters network traffic. Rules appear in the running configuration. When you apply an ACL to an interface or change a rule within an ACL that is already applied to an interface, the supervisor module creates ACL entries from the rules in the running configuration and sends those ACL entries to the applicable I/O module. Depending upon how you configure the ACL, there may be more ACL entries than rules, especially if you implement policy-based ACLs by using object groups when you configure rules.

You can create rules in access-list configuration mode by using the permit or deny command. The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

This section describes some of the options that you can use when you configure a rule.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host.

Implicit Rules for IP ACL

IP ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the device applies them to traffic when no other rules in an ACL match.

All IPv4 ACLs include the following implicit rule:

deny ip any any


This implicit rule ensures that the device denies unmatched IP traffic, regardless of the protocol specified in the Layer 2 header of the traffic.

Additional Filtering Options

You can identify traffic by using additional options. These options differ by ACL type. The following list includes most but not all additional filtering options:

  • IPv4 ACLs support the following additional filtering options:

    • Layer 4 protocol

    • TCP and UDP ports

    • ICMP types and codes

Sequence Numbers

The device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:

Adding new rules between existing rules

By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.

Removing a rule

Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:

switch(config-acl)# no permit tcp 10.0.0.0/8 any

However, if the same rule had a sequence number of 101, removing the rule requires only the following command:

switch(config-acl)# no 101

Moving a rule

With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.

If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.

In addition, Cisco NX-OS allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
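As an added illustration (not Cisco code), the following Python class models the sequence-number behaviour described above: automatic numbering 10 above the last rule, removal by number or by the whole rule text, the add-then-remove move that keeps the rule present throughout, and renumbering in the manner of the resequence command. The class name SequencedAcl, its method names and the sample rule texts are all constructed for this example.

```python
# Constructed model of NX-OS ACL sequence numbering; not Cisco code.
class SequencedAcl:
    AUTO_STEP = 10                # a rule entered without a number lands 10 above the last one
    MAX_SEQ = 4294967295

    def __init__(self, name: str):
        self.name = name
        self._rules = {}          # sequence number -> rule text

    def ordered(self):
        """Rules in the order the device evaluates them."""
        return [(seq, self._rules[seq]) for seq in sorted(self._rules)]

    def add(self, text: str, seq=None) -> int:
        """'[seq] permit|deny ...': with a number the rule is positioned, without one it is appended."""
        if seq is None:
            seq = max(self._rules) + self.AUTO_STEP if self._rules else self.AUTO_STEP
        if not 1 <= seq <= self.MAX_SEQ:
            raise ValueError(f"sequence number {seq} outside 1..{self.MAX_SEQ}")
        if seq in self._rules:
            raise ValueError(f"sequence number {seq} is already in use")
        self._rules[seq] = text
        return seq

    def remove(self, seq=None, text=None) -> int:
        """'no <seq>' or 'no <whole rule>': either form identifies the rule to drop."""
        if seq is None:
            matches = [s for s, t in self._rules.items() if t == text]
            if not matches:
                raise KeyError(f"no rule matching {text!r}")
            seq = matches[0]
        del self._rules[seq]
        return seq

    def move(self, seq: int, new_seq: int) -> None:
        """Reposition a rule without a gap in coverage: add the copy first, then drop the original."""
        self.add(self._rules[seq], new_seq)
        self.remove(seq)

    def gap_between(self, lower: int, upper: int) -> int:
        """Free sequence numbers between two existing rules; 0 means resequence first."""
        return max(0, upper - lower - 1)

    def resequence(self, start: int, increment: int):
        """Model of 'resequence ip access-list <name> <start> <increment>': renumber in evaluation order."""
        renumbered = {}
        for offset, (_, text) in enumerate(self.ordered()):
            new_seq = start + offset * increment
            if new_seq > self.MAX_SEQ:
                raise ValueError("resequencing would exceed the maximum sequence number")
            renumbered[new_seq] = text
        self._rules = renumbered
        return [seq for seq, _ in self.ordered()]

if __name__ == "__main__":
    acl = SequencedAcl("acl-01")
    acl.add("permit tcp 10.0.0.0/8 any")            # 10
    acl.add("permit udp any any eq 53")             # 20
    acl.add("deny tcp any any eq 23", seq=15)       # slotted between 10 and 20
    print(acl.resequence(100, 1))                   # [100, 101, 102]: no room left between rules
    print(acl.gap_between(100, 101))                # 0
    print(acl.resequence(100, 10))                  # [100, 110, 120]
    print(acl.ordered())
```

The gap_between check is the condition the text describes: once neighbouring rules are numbered contiguously, nothing can be inserted between them until the ACL is resequenced with a larger increment.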

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. Cisco NX-OS supports logical operators in only the ingress direction.

The device stores operator-operand couples in registers called logical operator units (LOUs). The LOU usage for each type of operator is as follows:

eq
Is never stored in an LOU
gt
Uses 1 LOU
lt
Uses 1 LOU
range
Uses 1 LOU
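The following Python model, added here and not part of Cisco's documentation or software, ties together the first-match evaluation with the implicit deny ip any any rule from the Implicit Rules section and the LOU accounting listed just above. Rule, Packet, evaluate, lou_usage and the sample ACL_01 (with RFC 5737 documentation addresses) are constructed for the example; it matches on prefixes and destination ports only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of NX-OS IPv4 ACL evaluation; not Cisco code.
# Rules are tried in sequence-number order, the first match wins, and a
# packet that matches nothing hits the implicit "deny ip any any".

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any protocol; otherwise "tcp" or "udp"
    src: str                       # IPv4 prefix such as "10.1.1.0/24", or "any"
    dst: str
    port_op: Optional[str] = None  # destination-port operator: eq, gt, lt, range
    port_args: Tuple[int, ...] = ()

@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; a prefix matches on its leading bits only."""
    if spec == "any":
        return True
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(spec, strict=False)

def _port_matches(op: Optional[str], args: Tuple[int, ...], port: Optional[int]) -> bool:
    if op is None:
        return True                # rule does not look at the port
    if port is None:
        return False               # a port-qualified rule cannot match a portless packet
    if op == "eq":
        return port == args[0]
    if op == "gt":
        return port > args[0]
    if op == "lt":
        return port < args[0]
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown operator {op}")

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and _port_matches(rule.port_op, rule.port_args, pkt.dst_port))

def evaluate(acl, pkt: Packet):
    """Return (action, seq) of the first matching rule; ("deny", None) means the implicit rule fired."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None

def lou_usage(acl) -> int:
    """LOUs consumed by the ACL: eq is never stored in an LOU; gt, lt and range use one each."""
    return sum(1 for r in acl if r.port_op in ("gt", "lt", "range"))

# Constructed sample ACL. Rule 10 precedes rule 20 on purpose: a host in
# 10.1.1.0/24 sending to port 80 is denied even though rule 20 would permit it.
ACL_01 = [
    Rule(10, "deny", "tcp", "10.1.1.0/24", "any", "eq", (80,)),
    Rule(20, "permit", "tcp", "10.1.0.0/16", "192.0.2.0/24"),
    Rule(30, "permit", "udp", "any", "any", "eq", (53,)),
    Rule(40, "permit", "tcp", "any", "any", "gt", (1023,)),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "192.0.2.10", 80),
                Packet("tcp", "10.1.2.5", "192.0.2.10", 80),
                Packet("udp", "198.51.100.7", "192.0.2.53", 53),
                Packet("tcp", "10.1.2.5", "203.0.113.1", 443)):
        print(pkt, "->", evaluate(ACL_01, pkt))
    print("LOUs used:", lou_usage(ACL_01))
```

The last packet matches no rule and is dropped by the implicit rule, which is why a review of an ACL should always ask what is left over after the permits, not only what the denies name.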

Time Ranges

You can use time ranges to control when an ACL rule is in effect. For example, if the device determines that a particular ACL applies to traffic arriving on an interface, and a rule in the ACL uses a time range that is not in effect, the device does not compare the traffic to that rule. The device evaluates time ranges based on its clock.

When you apply an ACL that uses time ranges, the device updates the affected I/O module whenever a time range referenced in the ACL starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.

IPv4 ACLs support time ranges. When the device applies an ACL to traffic, the rules in effect are as follows:

  • All rules without a time range specified

  • Rules with a time range that includes the second when the device applies the ACL to traffic

The device supports named, reusable time ranges, which allows you to configure a time range once and specify it by name when you configure many ACL rules. Time range names have a maximum length of 64 alphanumeric characters.

A time range contains one or more rules. The two types of rules are as follows:

Absolute

A rule with a specific start date and time, specific end date and time, both, or neither. The following items describe how the presence or absence of a start or end date and time affect whether an absolute time range rule is active:

  • Start and end date and time both specified—The time range rule is active when the current time is later than the start date and time and earlier than the end date and time.

  • Start date and time specified with no end date and time—The time range rule is active when the current time is later than the start date and time.

  • No start date and time with end date and time specified—The time range rule is active when the current time is earlier than the end date and time.

  • No start or end date and time specified—The time range rule is always active.

For example, you could prepare your network to allow access to a new subnet by specifying a time range that allows access beginning at midnight of the day that you plan to place the subnet online. You can use that time range in ACL rules that apply to the subnet. After the start time and date have passed, the device automatically begins applying the rules that use this time range when it applies the ACLs that contain the rules.

Periodic

A rule that is active one or more times per week. For example, you could use a periodic time range to allow access to a lab subnet only during work hours on weekdays. The device automatically applies ACL rules that use this time range only when the range is active and when it applies the ACLs that contain the rules.


Note

The order of rules in a time range does not affect how a device evaluates whether a time range is active. Cisco NX-OS includes sequence numbers in time ranges to make editing the time range easier.


Time ranges also allow you to include remarks, which you can use to insert comments into a time range. Remarks have a maximum length of 100 alphanumeric characters.

The device determines whether a time range is active as follows:

  • The time range contains one or more absolute rules—The time range is active if the current time is within one or more absolute rules.

  • The time range contains one or more periodic rules—The time range is active if the current time is within one or more periodic rules.

  • The time range contains both absolute and periodic rules—The time range is active if the current time is within one or more absolute rules and within one or more periodic rules.

When a time range contains both absolute and periodic rules, the periodic rules can only be active when at least one absolute rule is active.
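To show how these activity rules combine, here is a constructed Python model (an added example, not Cisco code) of absolute rules, the two periodic rule forms the time-range commands accept, and the rule that a range holding both kinds needs one active rule of each. The names AbsoluteRule, PeriodicDaysRule, PeriodicSpanRule, TimeRange and the parsing helpers are assumptions of this example; the sample workday-daytime range reuses the times and dates that appear in the chapter's CLI examples.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

# Constructed model of how a device decides whether a time range is active; not Cisco code.
DAY_NUMBER = {d: i for i, d in enumerate(
    ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"])}
DAY_KEYWORDS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}

def parse_time(text: str) -> time:
    """'06:00:00' or '1:00', as typed on the CLI."""
    return datetime.strptime(text, "%H:%M:%S" if text.count(":") == 2 else "%H:%M").time()

def parse_absolute(text: str) -> datetime:
    """'time day month year' as typed after 'absolute start' or 'end', e.g. '1:00 15 march 2013'."""
    t, day, month, year = text.split()
    return datetime.combine(datetime.strptime(f"{day} {month} {year}", "%d %B %Y").date(), parse_time(t))

def parse_days(spec: str) -> Set[int]:
    """'daily', 'weekdays', 'weekend', or space-separated day names."""
    return set(DAY_KEYWORDS[spec]) if spec in DAY_KEYWORDS else {DAY_NUMBER[d] for d in spec.split()}

def at(text: str) -> datetime:
    """Clock reading for the checks below, e.g. '2013-04-10 09:00'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

@dataclass
class AbsoluteRule:
    start: Optional[datetime] = None   # None: active from the beginning of time
    end: Optional[datetime] = None     # None: active forever once started

    def active(self, now: datetime) -> bool:
        # Boundaries are treated as inclusive here (an assumption of this model).
        return (self.start is None or now >= self.start) and (self.end is None or now <= self.end)

@dataclass
class PeriodicDaysRule:
    """'periodic <list-of-weekdays> <time> to <time>': the same window on each listed day."""
    days: Set[int]
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end

@dataclass
class PeriodicSpanRule:
    """'periodic <weekday> <time> to <weekday> <time>': one contiguous window across days."""
    start_day: int
    start: time
    end_day: int
    end: time

    def active(self, now: datetime) -> bool:
        def sec_of_week(day: int, t: time) -> int:
            return day * 86400 + t.hour * 3600 + t.minute * 60 + t.second
        s, e = sec_of_week(self.start_day, self.start), sec_of_week(self.end_day, self.end)
        n = sec_of_week(now.weekday(), now.time())
        return s <= n <= e if s <= e else (n >= s or n <= e)   # second form wraps past Sunday

@dataclass
class TimeRange:
    name: str
    absolute: List[AbsoluteRule] = field(default_factory=list)
    periodic: List = field(default_factory=list)

    def active(self, now: datetime) -> bool:
        """Only absolute rules: any of them; only periodic: any of them; both kinds present:
        one of each, because periodic rules count only while some absolute rule is active."""
        abs_ok = any(r.active(now) for r in self.absolute)
        per_ok = any(r.active(now) for r in self.periodic)
        if self.absolute and self.periodic:
            return abs_ok and per_ok
        return abs_ok or per_ok        # a range with no rules is never active (assumption)

def workday_daytime() -> TimeRange:
    """Constructed range: weekdays 06:00-20:00, valid 15 March 2013 01:00 to 31 May 2013 23:59:59."""
    tr = TimeRange("workday-daytime")
    tr.periodic.append(PeriodicDaysRule(parse_days("weekdays"), parse_time("06:00:00"), parse_time("20:00:00")))
    tr.absolute.append(AbsoluteRule(parse_absolute("1:00 15 march 2013"), parse_absolute("23:59:59 31 may 2013")))
    return tr

if __name__ == "__main__":
    tr = workday_daytime()
    for clock in ("2013-04-10 09:00", "2013-04-13 09:00", "2013-06-12 09:00"):
        print(clock, "active" if tr.active(at(clock)) else "inactive")
```

Because the device evaluates time ranges against its own clock, a range that looks correct in this model still misbehaves on a switch whose clock or time zone is wrong; checking the clock source is part of verifying any time-bounded rule.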

Prerequisites for IP ACLs

IP ACLs have the following prerequisites:

  • You must be familiar with IP addressing and protocols to configure IP ACLs.

  • You must be familiar with the interface types that you want to configure with ACLs.

Guidelines and Limitations for IP ACLs

IP ACLs have the following configuration guidelines and limitations:

  • Duplicate ACL entries with different sequence numbers are allowed in the configuration. However, these duplicate entries are not programmed in the hardware access-list.

  • Usually, ACL processing for IP packets occurs on the I/O modules, which use hardware that accelerates ACL processing. In some circumstances, processing occurs on the supervisor module, which can result in slower ACL processing, especially during processing that involves an ACL with many rules. Management interface traffic is always processed on the supervisor module. If IP packets in any of the following categories are exiting a Layer 3 interface, they are sent to the supervisor module for processing:

    • IPv4 packets that have IP options (other IP packet header fields following the destination address field).

    On Cisco Nexus® 3550-T switches, storm control settings are used to prevent redirected packets from overwhelming the supervisor module.

    For more information on storm control, see Configuring Traffic Storm Control.

  • When you apply an ACL that uses time ranges, the device updates the ACL entries whenever a time range that is referenced in an ACL entry starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.

  • The VTY ACL feature restricts all traffic for all VTY lines. You cannot specify different traffic restrictions for different VTY lines. Any router ACL can be configured as a VTY ACL.

  • An egress VTY ACL (an IP ACL applied to the VTY line in the outbound direction) prevents the switch from copying files using a file transfer protocol (TFTP, FTP, SCP, SFTP, etc.) unless the file transfer protocol is explicitly permitted within the egress VTY ACL.

  • When you apply an undefined ACL to an interface, the system treats the ACL as empty and permits all traffic.

  • IP tunnels do not support ACLs or QoS policies.

  • IPv4 ACL logging in the egress direction is not supported.

  • ACL logging applies to port ACLs configured by the ip port access-group command and to router ACLs configured by the ip access-group command only.

  • The total number of IPv4 ACL flows is limited to a user-defined maximum value to prevent DoS attacks. If this limit is reached, no new logs are created until an existing flow finishes.

  • The number of syslog entries that are generated by IPv4 ACL logging is limited by the configured logging level of the ACL logging process. If the number of syslog entries exceeds this limit, the logging facility might drop some logging messages. Therefore, IPv4 ACL logging should not be used as a billing tool or as an accurate source of the number of matches to an ACL.

  • A router ACL applied on a Layer 3 physical or logical interface does not match multicast traffic. This behavior applies to Cisco Nexus® 3550-T switches.

  • If the same QoS policy and ACL are applied to multiple interfaces, the label is shared only when the QoS policy is applied with the no-stats option.

  • Access-lists based on HTTP methods are not supported on Cisco Nexus® 3550-T switches.

  • The following guidelines and limitations apply to Cisco Nexus® 3550-T switches:

    • RACLs cannot match on packets with multicast MAC destination addresses.

  • Per-entry statistics are not supported on Cisco Nexus® 3550-T switches.

Default Settings for IP ACLs

This table lists the default settings for IP ACL parameters.

Table 2. Default IP ACL Parameters

Parameters        Default
IP ACLs           No IP ACLs exist by default
IP ACL entries    1024
ACL rules         Implicit rules apply to all ACLs
Object groups     No object groups exist by default
Time ranges       No time ranges exist by default

Configuring IP ACLs

Creating an IP ACL

You can create an IPv4 ACL on the device and add rules to it.

Before you begin

This feature allows you to verify the ACL configuration and confirm that the resources that are required by the configuration are available before committing them to the running configuration. This feature is especially useful for ACLs that include more than about 1000 rules.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Note

When an ACL is enabled, only TCP and UDP packets are handled in Cisco Nexus® 3550-T hardware.

Step 2

Enter the following commands: ip access-list name

Example:

switch(config)# ip access-list acl-01
switch(config-acl)#

Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

Step 3

[sequence-number] {permit | deny} protocol {source-ip-prefix | source-ip-mask} {destination-ip-prefix | destination-ip-mask}

Creates a rule in the IP ACL. You can create many rules. The sequence-number argument can be a whole number between 1 and 4294967295.

The permit and deny commands support many ways of identifying traffic.

For IPv4 access lists, you can specify a source and destination IPv4 prefix, which matches only on the leading contiguous bits of the address, or you can specify a source and destination IPv4 wildcard mask, which can match on any bit in the address.
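As an added example (not Cisco code), the following Python functions contrast the two address forms: a prefix length can only express a run of leading bits, while a wildcard mask can mark any bit as don't-care. The names matches_prefix, matches_wildcard and prefix_length_for_wildcard are constructed, and the mask 0.0.255.0 is a constructed instance of a wildcard that no prefix length can express.

```python
import ipaddress

# Constructed illustration of the two address forms an IPv4 ACL rule can use; not Cisco code.

def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def matches_prefix(addr: str, prefix: str) -> bool:
    """Prefix form, e.g. 10.1.0.0/16: only the leading prefix-length bits must match."""
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(prefix, strict=False)

def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard form, e.g. 10.1.0.7 0.0.255.0: a 1 bit in the mask is don't-care,
    a 0 bit must match, and the 1 bits need not be contiguous."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(base) & care)

def prefix_length_for_wildcard(wildcard: str):
    """Prefix length equivalent to the wildcard when its 1 bits form one low-order run, else None."""
    w = _as_int(wildcard)
    if (w + 1) & w:                 # not of the form 0...01...1
        return None
    return 32 - w.bit_length()

if __name__ == "__main__":
    # Third octet is don't-care, the host octet must be exactly .7: no prefix can say this.
    for host in ("10.1.0.7", "10.1.200.7", "10.1.200.8"):
        print(host, matches_wildcard(host, "10.1.0.7", "0.0.255.0"))
    print(prefix_length_for_wildcard("0.0.0.255"), prefix_length_for_wildcard("0.0.255.0"))
```

When reviewing a rule written in wildcard form, run prefix_length_for_wildcard on the mask: a None result means the rule matches a pattern of addresses rather than a subnet, which is easy to misread as one.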

Step 4

(Optional) Enter the following commands: show ip access-lists name

Example:

switch(config-acl)# show ip access-lists acl-01

Displays the IP ACL configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config-acl)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Changing an IP ACL

You can add and remove rules in an existing IPv4 ACL, but you cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

Before you begin

This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This feature is especially useful for ACLs that include more than about 1000 rules.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

Enter the following commands: ip access-list name

Example:

switch(config)# ip access-list acl-01
switch(config-acl)#

Enters IP ACL configuration mode for the ACL that you specify by name.

Step 3

(Optional) [sequence-number] {permit | deny} protocol source destination

Example:

switch(config-acl)# 100 permit ip 192.168.2.0/24 any

Creates a rule in the IP ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The sequence-number argument can be a whole number between 1 and 4294967295.

The permit and deny commands support many ways of identifying traffic.

Step 4

(Optional) no {sequence-number | {permit | deny} protocol source destination}

Example:

switch(config-acl)# no 80

Removes the rule that you specified from the IP ACL.

The permit and deny commands support many ways of identifying traffic.

Step 5

(Optional) Enter the following commands: show ip access-lists name

Example:

switch(config-acl)# show ip access-lists acl-01

Displays the IP ACL configuration.

Step 6

(Optional) copy running-config startup-config

Example:

switch(config-acl)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Changing Sequence Numbers in an IP ACL

You can change all the sequence numbers assigned to the rules in an IP ACL.

Before you begin

This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This feature is especially useful for ACLs that include more than about 1000 rules.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

resequence {ip | ipv4} access-list name starting-sequence-number increment

Example:

switch(config)# resequence ip access-list acl-01 100 10

Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify. The starting-sequence-number argument and the increment argument can be a whole number between 1 and 4294967295.

Step 3

(Optional) show ip access-lists name

Example:

switch(config)# show ip access-lists acl-01

Displays the IP ACL configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Removing an IP ACL

You can remove an IP ACL from the device.

Before you begin

Ensure that you know whether the ACL is applied to an interface. The device allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the device considers the removed ACL to be empty. Use the show ip access-lists command with the summary keyword to find the interfaces that an IP ACL is configured on.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

Enter the following commands: no ip access-list name

Example:

switch(config)# no ip access-list acl-01

Removes the IP ACL that you specified by name from the running configuration.

Step 3

(Optional) Enter the following commands: show ip access-lists name summary

Example:

switch(config)# show ip access-lists acl-01 summary

Displays the IP ACL configuration. If the ACL remains applied to an interface, the command lists the interfaces.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Applying an IP ACL as a Router ACL

You can apply an IPv4 ACL to any of the following types of interfaces:

  • Physical Layer 3 interfaces and subinterfaces

  • Layer 3 Ethernet port-channel interfaces

ACLs applied to these interface types are considered router ACLs.

Before you begin

Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

Enter one of the following commands:

  • interface ethernet slot/port
  • interface port-channel channel-number

Example:

switch(config)# interface ethernet 1/3
switch(config-if)#

Enters configuration mode for the interface type that you specified.

Step 3

Enter the following commands: ip access-group access-list in

Example:

switch(config-if)# ip access-group acl1 in

Applies an IPv4 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.

Step 4

(Optional) show running-config aclmgr

Example:

switch(config-if)# show running-config aclmgr

Displays the ACL configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config-if)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Verifying the IP ACL Configuration

To display IP ACL configuration information, perform one of the following tasks.

Command

Purpose

show ip access-lists

Displays the IPv4 ACL configuration.

show running-config aclmgr [all]

Displays the ACL running configuration, including the IP ACL configuration and the interfaces to which IP ACLs are applied.

show startup-config aclmgr [all]

Displays the ACL startup configuration.

Note

This command displays the user-configured ACLs in the startup configuration. The all option displays both the default and user-configured ACLs in the startup configuration.

Configuration Examples for IP ACLs

The following example shows how to create an IPv4 ACL named acl-01 and apply it as a RACL to Ethernet interface 1/1, which is a Layer 3 interface:

ip access-list acl-01
  permit ip 192.168.2.0/24 any
interface ethernet 1/1
  ip access-group acl-01 in

Configuring Time-Ranges

Creating a Time-Range

You can create a time range on the device and add rules to it.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

time-range name

Example:

switch(config)# time-range workday-daytime
switch(config-time-range)#

Creates the time range and enters time-range configuration mode.

Step 3

(Optional) [sequence-number] periodic weekday time to [weekday] time

Example:

switch(config-time-range)# periodic monday 00:00:00 to friday 23:59:59

Creates a periodic rule that is in effect for one or more contiguous days between and including the specified start and end days and times.

Step 4

(Optional) [sequence-number] periodic list-of-weekdays time to time

Example:

switch(config-time-range)# periodic weekdays 06:00:00 to 20:00:00

Creates a periodic rule that is in effect on the days specified by the list-of-weekdays argument between and including the specified start and end times. The following keywords are also valid values for the list-of-weekdays argument:

  • daily —All days of the week.

  • weekdays —Monday through Friday.

  • weekend —Saturday through Sunday.

Step 5

(Optional) [sequence-number] absolute start time date [end time date]

Example:

switch(config-time-range)# absolute start 1:00 15 march 2013

Creates an absolute rule that is in effect beginning at the time and date specified after the start keyword. If you omit the end keyword, the rule is always in effect after the start time and date have passed.

Step 6

(Optional) [sequence-number] absolute [start time date] end time date

Example:

switch(config-time-range)# absolute end 23:59:59 31 may 2013

Creates an absolute rule that is in effect until the time and date specified after the end keyword. If you omit the start keyword, the rule is always in effect until the end time and date have passed.

Step 7

(Optional) show time-range name

Example:

switch(config-time-range)# show time-range workday-daytime

Displays the time-range configuration.

Step 8

(Optional) copy running-config startup-config

Example:

switch(config-time-range)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Changing a Time-Range

You can add and remove rules in an existing time range. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

time-range name

Example:

switch(config)# time-range workday-daytime
switch(config-time-range)#

Enters time-range configuration mode for the specified time range.

Step 3

(Optional) [sequence-number] periodic weekday time to [weekday] time

Example:

switch(config-time-range)# periodic monday 00:00:00 to friday 23:59:59

Creates a periodic rule that is in effect for one or more contiguous days between and including the specified start and end days and times.

Step 4

(Optional) [sequence-number] periodic list-of-weekdays time to time

Example:

switch(config-time-range)# 100 periodic weekdays 05:00:00 to 22:00:00

Creates a periodic rule that is in effect on the days specified by the list-of-weekdays argument between and including the specified start and end times. The following keywords are also valid values for the list-of-weekdays argument:

  • daily —All days of the week.

  • weekdays —Monday through Friday.

  • weekend —Saturday through Sunday.

Step 5

(Optional) [sequence-number] absolute start time date [end time date]

Example:

switch(config-time-range)# absolute start 1:00 15 march 2013

Creates an absolute rule that is in effect beginning at the time and date specified after the start keyword. If you omit the end keyword, the rule is always in effect after the start time and date have passed.

Step 6

(Optional) [sequence-number] absolute [start time date] end time date

Example:

switch(config-time-range)# absolute end 23:59:59 31 may 2013

Creates an absolute rule that is in effect until the time and date specified after the end keyword. If you omit the start keyword, the rule is always in effect until the end time and date have passed.

Step 7

(Optional) no {sequence-number | periodic arguments ... | absolute arguments ...}

Example:

switch(config-time-range)# no 80

Removes the specified rule from the time range.

Step 8

(Optional) show time-range name

Example:

switch(config-time-range)# show time-range workday-daytime

Displays the time-range configuration.

Step 9

(Optional) copy running-config startup-config

Example:

switch(config-time-range)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Removing a Time-Range

You can remove a time range from the device.

Before you begin

Ensure that you know whether the time range is used in any ACL rules. The device allows you to remove time ranges that are used in ACL rules. Removing a time range that is in use in an ACL rule does not affect the configuration of interfaces where you have applied the ACL. Instead, the device considers the ACL rule using the removed time range to be empty.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

no time-range name

Example:

switch(config)# no time-range daily-workhours

Removes the time range that you specified by name.

Step 3

(Optional) show time-range

Example:

switch(config)# show time-range

Displays the configuration for all time ranges. The removed time range should not appear.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Changing Sequence Numbers in a Time Range

You can change all the sequence numbers assigned to rules in a time range.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

resequence time-range name starting-sequence-number increment

Example:

switch(config)# resequence time-range daily-workhours 100 10
switch(config)#

Assigns sequence numbers to the rules contained in the time range, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify.

Step 3

(Optional) show time-range name

Example:

switch(config)# show time-range daily-workhours

Displays the time-range configuration.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Verifying the Time-Range Configuration

To display time-range configuration information, perform one of the following tasks.

Command

Purpose

show time-range

Displays the time-range configuration.

show running-config aclmgr

Displays ACL configuration, including all time ranges.