Ip-Acl Creation - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

Chapter 29
Configuring IP Access Control Lists
Send documentation comments to mds-feedback-doc@cisco.com.

IP-ACL Creation

Traffic coming into the switch is compared to IP-ACL filters in the order in which the filters occur in
the list. New filters are added to the end of the IP-ACL. The switch keeps looking until it finds a match.
If no match is found when the switch reaches the end of the list, the traffic is denied. For this reason,
you should place the frequently hit filters at the top of the list. There is an implied deny for traffic that
is not permitted. A single-entry IP-ACL with only one deny entry has the effect of denying all traffic.
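The first-match, implied-deny evaluation described above, as an added example (Python, not Cisco code): it parses entries written in the syntax this chapter uses (ip/tcp/udp/icmp, "any" or "address wildcard", "eq port N" for a TCP/UDP source port, "eq N" for an ICMP type) and evaluates packets against a list top-down, reporting which entry matched or that the packet fell off the end into the implied deny. The restrict_mgmt entries it loads are the ones this section configures; the packet addresses and ports and the reordered DENY_FIRST list are constructed for the demonstration.

```python
"""Model of MDS IP-ACL first-match evaluation with an implied deny at the end.
Added example for this page; it is not Cisco code and supports only the entry
syntax shown in this chapter."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AddrSpec = Optional[Tuple[int, int]]  # (network, wildcard mask) or None meaning 'any'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    src_port: int = 0        # TCP/UDP source port (0 when not applicable)
    icmp_type: int = -1      # ICMP type (-1 when not applicable)


@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: AddrSpec
    dst: AddrSpec
    src_port: Optional[int]  # set only for TCP/UDP entries using 'eq port N'
    icmp_type: Optional[int] # set only for ICMP entries using 'eq N'


def parse_entry(text: str) -> Entry:
    """Parse one access condition exactly as typed after 'ip access-list <name>'."""
    tok = text.split()
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    pos = 2

    def take_addr() -> AddrSpec:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        spec = (int(IPv4Address(tok[pos])), int(IPv4Address(tok[pos + 1])))
        pos += 2
        return spec

    src = take_addr()
    src_port = None
    if proto in ("tcp", "udp") and pos < len(tok) and tok[pos] == "eq":
        # manual form is 'eq port 5'; a bare 'eq 5' is accepted as well
        if tok[pos + 1] == "port":
            src_port, pos = int(tok[pos + 2]), pos + 3
        else:
            src_port, pos = int(tok[pos + 1]), pos + 2
    dst = take_addr()
    icmp_type = None
    if proto == "icmp" and pos < len(tok) and tok[pos] == "eq":
        icmp_type, pos = int(tok[pos + 1]), pos + 2
    if pos != len(tok):
        raise ValueError(f"unexpected trailing tokens in {text!r}")
    return Entry(action, proto, src, dst, src_port, icmp_type)


def addr_matches(spec: AddrSpec, addr: str) -> bool:
    """Wildcard-mask compare: a set bit in the mask means 'don't care'."""
    if spec is None:
        return True
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (network & care)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down and stop at the first matching entry.
    Returns (action, index of the matching entry); index None means the packet
    reached the end of the list and hit the implied deny."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (addr_matches(e.src, pkt.src) and addr_matches(e.dst, pkt.dst)):
            continue
        if e.src_port is not None and e.src_port != pkt.src_port:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, idx
    return "deny", None


# The restrict_mgmt list from this chapter, in the order the manual enters it.
RESTRICT_MGMT = [parse_entry(s) for s in (
    "permit ip 10.67.16.0 0.0.0.255 any",
    "permit icmp any any eq 8",
    "deny ip any any",
)]

# Constructed variant with the explicit deny moved to the top: it shadows both permits.
DENY_FIRST = [RESTRICT_MGMT[2], RESTRICT_MGMT[0], RESTRICT_MGMT[1]]

if __name__ == "__main__":
    mgmt_host = Packet("10.67.16.25", "10.67.16.1", "tcp", src_port=40000)  # constructed
    print(evaluate(RESTRICT_MGMT, mgmt_host))  # ('permit', 0)
    print(evaluate(DENY_FIRST, mgmt_host))     # ('deny', 0): entry order decides
```

The index returned by evaluate is the useful part when reviewing a list: a permit that is never returned for the traffic it was written for is being shadowed by an earlier entry, and a None index shows traffic that is dropped only by the implied deny rather than by an entry an operator will see in the configuration.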
To configure an IP-ACL, you must complete the following tasks:

1. Create an IP-ACL by specifying a filter name and one or more access condition(s). Filters
   require the source and destination address to match a condition. Use optional keywords to
   configure finer granularity.
2. Apply the access filter to specified interfaces.

To create an IP-ACL, follow these steps:

Step 1
  Command: switch# config t
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# ip access-list List1 permit ip any any
  Purpose: Configures an IP-ACL called List1 and permits IP traffic from any source address to any
           destination address.
  Command: switch(config)# no ip access-list List1 permit ip any any
  Purpose: Removes the IP-ACL called List1.
Step 3
  Command: switch(config)# ip access-list List1 deny tcp any any
  Purpose: Updates List1 to deny TCP traffic from any source address to any destination address.

To define an IP-ACL that restricts management access, follow these steps:

Step 1
  Command: switch# config t
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# ip access-list restrict_mgmt permit ip 10.67.16.0 0.0.0.255 any
  Purpose: Defines an entry in IP-ACL named restrict_mgmt allowing all addresses in the
           10.67.16.0/24 subnet.
Step 3
  Command: switch(config)# ip access-list restrict_mgmt permit icmp any any eq 8
  Purpose: Adds an entry to IP-ACL named restrict_mgmt to allow any device to ping the MDS
           (ICMP type 8).
Step 4
  Command: switch(config)# ip access-list restrict_mgmt deny ip any any
  Purpose: Explicitly blocks all other access for the access-list named restrict_mgmt.

To use the operand and port options, follow these steps:

Step 1
  Command: switch# config t
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# ip access-list List2 deny tcp 1.2.3.0 0.0.0.255 eq port 5 any
  Purpose: Denies TCP traffic from 1.2.3.0 through source port 5 to any destination.

OL-6973-03, Cisco MDS SAN-OS Release 2.x
Cisco MDS 9000 Family Configuration Guide
29-5
