Ip Filter Policy Enforcement; Adding A Rule To An Ip Filter Policy; Default Ip Policy Rules - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual
Hp storageworks fabric os 6.2 administrator guide (5697-0016, may 2009)
Hide thumbs
Also See for A7533A - Brocade 4Gb SAN Switch Base:
- Administrator's manual (518 pages) ,
- Hardware reference manual (256 pages) ,
- User manual (248 pages)
Table of Contents
Advertisement
A switch with Fabric OS 5.3.0 or later will have a default IP Filter policy for IPv4 and IPv6. The default IP
Filter policy cannot be deleted or changed. When an alternative IP Filter policy is activated, the default IP
Filter policy becomes deactivated.
Table 33
Default IP policy rules
Rule number Source
1
2
3
4
5
6
7
9
10
1 1
12
IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4
management traffic passes through the active IPv4 filter policy, and IPv6 management traffic passes
through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress) management traffic
only. When a packet arrives, it is compared against each rule, starting from the first rule. If a match is
found for the source address, destination port, and protocol, the corresponding action for this rule is taken,
and the subsequent rules in this policy are ignored. If there is no match, it is compared to the next rule in
the policy. This process continues until the incoming packet is compared to all rules in the active policy.
If none of the rules in the policy match the incoming packet, the two implicit rules are matched to the
incoming packet. If the rules still do not match the packet, the default action, which is to deny, is taken.
When the IPv4 or IPv6 address for the management interface of a switch is changed through the
ipAddrSet command or manageability tools, the active IP Filter policies automatically become enforced
on the management IP interface with the changed IP address.
NOTE:
If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the
NAT server configuration, the source address in an IP Filter rule may have to be the NAT server address.
Adding a rule to an IP Filter policy
There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP Filter
policy is not saved to the persistent configuration until a save or activate subcommand is run.
1.
Log in to the switch using an account assigned to the admin role.
2.
Enter the following command:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source IP> -dp
<dest port> -proto <protocol> -act <permit | deny>
where:
policyname
138 Configuring advanced security features
Table 33
Destination
address
port
Any
22
Any
23
Any
897
Any
898
Any
1 1 1
Any
80
Any
443
Any
161
Any
1 1 1
Any
123
Any
600- 1 023
Specifies the policy name which is a unique string composed of a
maximum of 20 alphanumeric and underscore characters. The names
default_ipv4 and default_ipv6 are reserved for the default IP Filter policies.
The policy name is case-insensitive and always stored as lowercase.
lists the rules of the default IP Filter policy.
Protocol
Action
TCP
Permit
TCP
Permit
TCP
Permit
TCP
Permit
TCP
Permit
TCP
Permit
TCP
Permit
UDP
Permit
UDP
Permit
UDP
Permit
UDP
Permit
Hide quick links:
Advertisement
Table of Contents
