Applying An Ip-Acl To An Interface - HP Cisco MDS 9216 - Fabric Switch Configuration Manual

Chapter 42 Configuring IPv4 and IPv6 Access Control Lists
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
For the input ACL, the log displays the raw MAC information. The keyword "MAC=" does not refer to
showing an Ethernet MAC frame with MAC address information. It refers to the Layer 2 MAC-layer
information dumped to the log. For the output ACL, the raw Layer 2 information is not logged.
The following example is an input ACL log dump.
Jul 17 20:38:44 excal-2
%KERN-7-SYSTEM_MSG:
%IPACL-7-DENY:IN=vsan1 OUT=
MAC=10:00:00:05:30:00:47:df:10:00:00:05:30:00:8a:1f:aa:aa:03:00:00:00:08:00:45:00:00:54:00
:00:40:00:40:01:0e:86:0b:0b:0b:0c:0b:0b:0b:02:08:00:ff:9c:01:15:05:00:6f:09:17:3f:80:02:01
:00:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24
:25:26:27:28:29:2a:2b SRC=11.11.11.12 DST=11.11.11.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0
DF PROTO=ICMP TYPE=8 CODE=0 ID=277 SEQ=1280
The following example is an output ACL log dump.
Jul 17 20:38:44 excal-2
%KERN-7-SYSTEM_MSG:
%IPACL-7-DENY:IN= OUT=vsan1 SRC=11.11.11.2 DST=11.11.11.12 LEN=84 TOS=0x00 PREC=0x00
TTL=255 ID=38095 PROTO=ICMP TYPE=0 CODE=0 ID=277 SEQ=1280

Applying an IP-ACL to an Interface

You can define IP-ACLs without applying them. However, the IP-ACLs will have no effect until they are
applied to an interface on the switch. You can apply IP-ACLs to VSAN interfaces, the management
interface, Gigabit Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel
interfaces.
Tip Apply the IP-ACL on the interface closest to the source of the traffic.
When you are trying to block traffic from source to destination, you can apply an inbound IPv4-ACL to
M0 on Switch 1 instead of an outbound filter to M1 on Switch 3 (see
Figure 42-6
The access-group option controls access to an interface. Each interface can only be associated with one
IP-ACL per direction. The ingress direction can have a different IP-ACL than the egress direction. The
IP-ACL becomes active when applied to the interface.
Create all conditions in an IP-ACL before applying it to the interface.
Tip
If you apply an IP-ACL to an interface before creating it, all packets in that interface are dropped because
Caution
the IP-ACL is empty.
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Denying Traffic on the Inbound Interface
traffic
M0
source
Switch 1
M1
Switch 2 Switch 3
Cisco MDS 9000 Family CLI Configuration Guide
Applying an IP-ACL to an Interface
Figure 42-6).
traffic
destination
42-9