Creating Ip-Acls; Adding Entries To An Existing Ip-Acl; Comparing Ports - Cisco DS-C9216I-K9 Configuration Manual

Chapter 22
Configuring IP Services

IP Access Control Lists

An IP-ACL is a sequential collection of permit and deny conditions that apply to IP flows. Each IP packet is tested against the conditions in the list, in order. The first match determines whether the software accepts or rejects the packet. Because the software stops testing conditions after the first match, the order of the conditions in the list is critical. If no condition matches, the software rejects the packet.

To configure an IP-ACL, you must complete the following tasks:

1. Create an IP-ACL by specifying a name and access condition. All lists use the source and destination address for matching operations. You can configure finer granularity using the optional keywords described below (IP protocol and port comparisons).

2. Apply the access list to the specified interfaces.

Creating IP-ACLs

You can specify IP-ACLs using an assigned name. Each IP-ACL can have a maximum of 256 entries. Each entry is a unique filter applied to a specified interface. Each switch can have a maximum of 64 IP-ACLs.

An IP protocol can be configured using an integer ranging from 0 to 255 to represent a particular IP protocol number. Alternatively, you can specify the name of a protocol: icmp, ip, tcp, or udp. The ip keyword matches every IP protocol, including Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and all others.

The source/source-wildcard and destination/destination-wildcard are specified in one of two ways:

- Using a 32-bit address and a 32-bit wildcard mask, both in four-part dotted decimal format. Bits set to 1 in the wildcard mask are ignored when matching, so 10.1.1.2/0.0.0.0 matches exactly one address and is the same as host 10.1.1.2.
- Using the any keyword as an abbreviation for a source/source-wildcard or destination/destination-wildcard of 0.0.0.0/255.255.255.255, which matches every address.

Traffic coming into the switch is compared to IP-ACL entries in the order in which the entries occur in the switch configuration. New statements are added to the end of the list. The switch keeps looking until it finds a match. If no match is found when the switch reaches the end of the list, the traffic is denied. For this reason, place the most frequently hit entries at the top of the list. There is an implied deny for traffic that is not explicitly permitted; a single-entry IP-ACL with only one deny entry therefore has the effect of denying all traffic.

Adding Entries to an Existing IP-ACL

After you create an IP-ACL, subsequent additions are placed at the end of the IP-ACL. You cannot insert entries in the middle of an IP-ACL; each configured entry is automatically added to the end. Because of this, and because the first matching entry wins, decide on the order of the entries before you configure them: an entry added after a catch-all deny entry (for example, deny ip any any) can never be reached.

Comparing Ports

Use the following operators to compare the source and destination ports:

eq = equal
gt = greater than
lt = less than
range = range of ports

Port numbers range from 0 to 65535 for TCP and UDP ports. The accompanying table in the guide (not reproduced on this page) lists the port numbers for the associated TCP and UDP ports.

Cisco MDS 9000 Fabric Manager Switch Configuration Guide, OL-7753-01, page 22-5
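The following Python model is an added example and is not code from the Cisco guide or from the switch software. It implements the IP-ACL matching semantics the sections above describe (ordered evaluation, first match wins, implicit deny, append-only entries, the 256-entry limit, wildcard masks with the any and host abbreviations, protocol names or numbers, and the eq/gt/lt/range port operators) so that an ordering can be tested before it is configured. The one-line textual entry syntax it parses, such as permit tcp 10.1.1.0 0.0.0.255 any eq 22, is an assumption modelled on the fields the page lists, not a verbatim transcription of the switch CLI, and the shadowed() check is this example's own addition: it reports entries that an earlier entry fully covers and that can therefore never match.

```python
# Added example: model of IP-ACL first-match evaluation (not the switch's own code).
# Entry syntax is assumed: ACTION PROTO SRC [PORTOP] DST [PORTOP], where an address is
# "any", "host A.B.C.D", "A.B.C.D W.W.W.W" or "A.B.C.D/W.W.W.W" (W = wildcard mask).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_ENTRIES = 256                                   # per IP-ACL, as stated in the guide
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None = any IP protocol
ANY_PORTS = (0, 65535)                              # no port operator: every port matches
_ALL = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # IP protocol number, None matches all
    src: int                       # source address as a 32-bit integer
    src_wild: int                  # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int
    sport: Tuple[int, int]         # inclusive source port range
    dport: Tuple[int, int]         # inclusive destination port range


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(toks: List[str]) -> Tuple[int, int]:
    tok = toks.pop(0)
    if tok == "any":                               # any == 0.0.0.0/255.255.255.255
        return 0, _ALL
    if tok == "host":                              # host A.B.C.D == A.B.C.D/0.0.0.0
        return _ip(toks.pop(0)), 0
    addr, wild = tok.split("/", 1) if "/" in tok else (tok, toks.pop(0))
    return _ip(addr), _ip(wild)


def _parse_ports(toks: List[str]) -> Tuple[int, int]:
    if not toks or toks[0] not in ("eq", "gt", "lt", "range"):
        return ANY_PORTS
    op, n = toks.pop(0), int(toks.pop(0))
    rng = {"eq": (n, n), "gt": (n + 1, 65535), "lt": (0, n - 1)}.get(op)
    if rng is None:                                # range LOW HIGH
        rng = (n, int(toks.pop(0)))
    if not 0 <= rng[0] <= rng[1] <= 65535:         # e.g. "gt 65535" or "lt 0" match nothing
        raise ValueError(f"port operator {op} {n} yields no valid port range")
    return rng


def parse_entry(text: str) -> Entry:
    toks = text.split()
    action = toks.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    name = toks.pop(0)
    proto = PROTO_NAMES[name] if name in PROTO_NAMES else int(name)   # name or 0..255
    if proto is not None and not 0 <= proto <= 255:
        raise ValueError(f"IP protocol number out of range: {proto}")
    src, src_w = _parse_addr(toks)
    sports = _parse_ports(toks)        # operator after the source applies to the source port
    dst, dst_w = _parse_addr(toks)
    dports = _parse_ports(toks)        # operator after the destination, to the destination port
    if toks:
        raise ValueError(f"unexpected trailing tokens {toks}")
    return Entry(action, proto, src, src_w, dst, dst_w, sports, dports)


def _addr_match(addr: int, wild: int, pkt: int) -> bool:
    return ((addr ^ pkt) & ~wild & _ALL) == 0      # compare only the non-wildcard bits


def _covers(a: Entry, b: Entry) -> bool:
    """True when every packet that matches b also matches a (b placed after a is dead)."""
    def addr_covers(aa, aw, ba, bw):               # a cares about a subset of b's bits, agreeing there
        return (bw & ~aw & _ALL) == 0 and ((aa ^ ba) & ~aw & _ALL) == 0
    return ((a.proto is None or a.proto == b.proto)
            and addr_covers(a.src, a.src_wild, b.src, b.src_wild)
            and addr_covers(a.dst, a.dst_wild, b.dst, b.dst_wild)
            and a.sport[0] <= b.sport[0] and b.sport[1] <= a.sport[1]
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


class IPACL:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Entry] = []

    def add(self, text: str) -> int:
        """Append one entry (there is no mid-list insertion) and return its position."""
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"{self.name}: IP-ACL already has {MAX_ENTRIES} entries")
        self.entries.append(parse_entry(text))
        return len(self.entries) - 1

    def evaluate(self, proto: int, src: str, dst: str, sport: int = 0, dport: int = 0):
        """Return (action, index) of the first matching entry; (deny, None) is the implied deny."""
        s, d = _ip(src), _ip(dst)
        for i, e in enumerate(self.entries):
            if ((e.proto is None or e.proto == proto)
                    and _addr_match(e.src, e.src_wild, s) and _addr_match(e.dst, e.dst_wild, d)
                    and e.sport[0] <= sport <= e.sport[1] and e.dport[0] <= dport <= e.dport[1]):
                return e.action, i
        return "deny", None

    def shadowed(self) -> List[int]:
        """Indices of entries fully covered by an earlier entry: they can never match."""
        return [j for j, b in enumerate(self.entries) if any(_covers(a, b) for a in self.entries[:j])]
```

Usage: build an IPACL, call add() for each entry in the order you intend to configure it, then call evaluate() with the protocol number, addresses and ports of a representative packet; a result of ("deny", None) means the packet fell through to the implied deny. Run shadowed() before committing the list: an entry appended after deny ip any any shows up there, which is exactly the mistake the append-only rule makes easy.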