Chapter 33
Configuring IPv4 and IPv6 Access Control Lists
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Configuring IPv4-ACLs or IPv6-ACLs
Traffic coming into the switch is compared to IPv4-ACL or IPv6-ACL filters based on the order that the
filters occur in the switch. New filters are added to the end of the IPv4-ACL or the IPv6-ACL. The switch
keeps looking until it has a match. If no matches are found when the switch reaches the end of the filter,
the traffic is denied. For this reason, you should have the frequently hit filters at the top of the filter.
There is an implied deny for traffic that is not permitted. A single-entry IPv4-ACL or IPv6-ACL with
only one deny entry has the effect of denying all traffic.
To configure an IPv4-ACL or an IPv6-ACL, you must complete the following tasks:
Step 1
Create an IPv4-ACL or an IPv6-ACL by specifying a filter name and one or more access condition(s).
Filters require the source and destination address to match a condition. Use optional keywords to
configure finer granularity.
Note
Apply the access filter to specified interfaces.
Step 2
Creating IPv4-ACLs or IPv6-ACLs
To create an IPv4-ACL, follow these steps:
Command
Step 1
switch# config t
Step 2
switch(config)# ip access-list List1 permit ip any any
switch(config)# no ip access-list List1 permit ip any any
Step 3
switch(config)# ip access-list List1 deny tcp any any
To create an IPv6-ACL, follow these steps:
Command
Step 1
switch# config t
switch(config)#
Step 2
switch(config)# ipv6 access-list List1
switch(config-ipv6-acl)#
switch(config)# no ipv6 access-list List1
OL-16184-01, Cisco MDS SAN-OS Release 3.x
The filter entries are executed in sequential order. You can only add the entries to the end of the
list. Take care to add the entries in the correct order.
Configuring IPv4-ACLs or IPv6-ACLs
Purpose
Enters configuration mode.
Configures an IPv4-ACL called
List1 and permits IP traffic from
any source address to any
destination address.
Removes the IPv4-ACL called
List1.
Updates List1 to deny TCP traffic
from any source address to any
destination address.
Purpose
Enters configuration mode.
Configures an IPv6-ACL called List1 and
enters IPv6-ACL configuration submode.
Removes the IPv6-ACL called List1 and all its
entries.
Cisco MDS 9000 Family CLI Configuration Guide
33-5