Ip-Acl Configuration Guidelines; Filter Contents; Protocol Information; Address Information - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual


IP Access Control Lists
Cisco MDS 9000 Family Configuration Guide, Chapter 29: Configuring IP Access Control Lists
OL-6973-03, Cisco MDS SAN-OS Release 2.x
Send documentation comments to mdsfeedback-doc@cisco.com.

IP-ACL Configuration Guidelines

Follow these guidelines when configuring IP-ACLs in any switch or director in the Cisco MDS 9000 Family:

- You can apply IP-ACLs to VSAN interfaces, the management interface, Gigabit Ethernet interfaces on IPS modules, and Ethernet PortChannel interfaces.

  Tip: If IP-ACLs are already configured in a Gigabit Ethernet interface, you cannot add this interface to an Ethernet PortChannel group. Refer to the "Gigabit Ethernet IP-ACL Guidelines" section on page 37-10 for guidelines on configuring IP ACLs.

  Caution: Do not apply IP-ACLs to only one member of a PortChannel group. Apply IP-ACLs to the entire channel group.

- Configure the order of conditions accurately. Because IP-ACL filters are applied sequentially to the IP flows, only the first match determines the action taken. Subsequent matches are not considered. Be sure to configure the most important condition first. If no conditions match, the software drops the packet.

Filter Contents

An IP filter contains rules for matching an IP packet based on the protocol, address, port, ICMP type, and type of service (TOS).

Protocol Information

The protocol information is required in each filter. It identifies the name or number of an IP protocol. You can specify the IP protocol in one of two ways:

- Specify an integer ranging from 0 to 255. This number represents the IP protocol.
- Specify the name of a protocol including, but not restricted to, Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

Note: When configuring IP-ACLs on Gigabit Ethernet interfaces, only use the TCP or ICMP options.

Address Information

The address information is required in each filter. It identifies the following details:

- Source: the address of the network or host from which the packet is being sent.
- Source-wildcard: the wildcard bits applied to the source.
- Destination: the number of the network or host to which the packet is being sent.
- Destination-wildcard: the wildcard bits applied to the destination.
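
The first-match rule, the drop on no match, and the source and destination wildcard bits described above can be checked with a small evaluator. This is an added example, not code from the Cisco guide or MDS CLI syntax. It assumes the usual Cisco wildcard convention (a 1 bit means "ignore this bit"); the `Filter` type, the `evaluate` function and all addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Filter(NamedTuple):            # hypothetical type, not MDS CLI syntax
    action: str                      # "permit" or "deny"
    protocol: Optional[int]          # IP protocol number 0-255; None = any ("ip")
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str

ANY = ("0.0.0.0", "255.255.255.255")  # every bit ignored, so any address matches

def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Assumed convention: wildcard bit 1 = ignore, 0 = must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, protocol: int, src: str, dst: str):
    """Return (action, index) of the first matching filter.
    No match returns ("deny", None): the packet is dropped."""
    for i, f in enumerate(acl):
        if f.protocol is not None and f.protocol != protocol:
            continue
        if wild_match(src, f.src, f.src_wildcard) and wild_match(dst, f.dst, f.dst_wildcard):
            return f.action, i
    return "deny", None

TCP, UDP = 6, 17
# Constructed sample: the host deny is listed after a subnet permit that covers it.
MISORDERED = [
    Filter("permit", TCP, "10.1.1.0", "0.0.0.255", *ANY),
    Filter("deny", TCP, "10.1.1.66", "0.0.0.0", *ANY),
]
# Same two filters with the more specific condition first.
CORRECTED = [MISORDERED[1], MISORDERED[0]]

if __name__ == "__main__":
    packets = ((TCP, "10.1.1.66"), (TCP, "10.1.1.5"), (TCP, "192.168.1.1"), (UDP, "10.1.1.5"))
    for name, acl in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        for proto, src in packets:
            print(name, proto, src, evaluate(acl, proto, src, "172.16.0.9"))
```

In the misordered list the deny for 10.1.1.66 is never reached, because the subnet permit ahead of it already matches that host.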
