Applying an IP-ACL to an Interface
The access-group option controls access to an interface. Each interface can only be associated with one
IP-ACL per direction. The ingress direction can have a different IP-ACL than the egress direction. The
IP-ACL becomes active when applied to the interface.
Create all conditions in an IP-ACL before applying it to the interface.
If you apply an IP-ACL to an interface before creating it, all packets on that interface are dropped because
the IP-ACL is empty.
The terms in, out, source, and destination are used as referenced by the switch:
In—Traffic that arrives at the interface and goes through the switch; the source is where it is
transmitted from and the destination is where it is transmitted to (on the other side of the router).
Out—Traffic that has already been through the switch and is leaving the interface; the source is
where it is transmitted from and the destination is where it is transmitted to.
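A pre-change check for the two rules stated above (one IP-ACL per interface direction, and never applying an IP-ACL that has not been created), written as an added Python example that is not part of the Cisco guide. The definition syntax "ip access-list NAME permit|deny ...", the in/out keywords on ip access-group, the function name lint_acl_bindings and the sample configuration are assumptions of this example.

```python
import re

# Constructed sample configuration, not taken from a real switch.
SAMPLE_CONFIG = """\
ip access-list restrict_mgmt permit tcp 10.1.1.0 0.0.0.255 any
interface mgmt0
  ip access-group restrict_mgmt
interface gigabitethernet 2/1
  ip access-group lab_only in
  ip access-group restrict_mgmt in
"""

# Assumed definition syntax: "ip access-list NAME permit|deny ...".
ACL_DEF = re.compile(r"^ip access-list (\S+) (?:permit|deny)\b")
ACL_REF = re.compile(r"^ip access-group (\S+)(?: (in|out))?$")


def lint_acl_bindings(config):
    """Return sorted (interface, direction, acl, problem) findings."""
    rows = [(ln, ln.strip()) for ln in config.splitlines() if ln.strip()]
    # An ACL counts as created only once it has at least one condition.
    defined = {m.group(1) for _, ln in rows if (m := ACL_DEF.match(ln))}
    findings, bound, iface = [], {}, None
    for raw, ln in rows:
        if not raw[0].isspace():
            # A top-level line opens an interface block or ends the current one.
            iface = ln.split(None, 1)[1] if ln.startswith("interface ") else None
            continue
        m = ACL_REF.match(ln)
        if m is None or iface is None:
            continue
        acl, direction = m.groups()
        # No keyword binds the ACL to both ingress and egress (the default).
        for d in ([direction] if direction else ["in", "out"]):
            if acl not in defined:
                findings.append((iface, d, acl, "undefined ACL: all packets dropped"))
            previous = bound.setdefault((iface, d), acl)
            if previous != acl:
                findings.append((iface, d, acl, f"direction already bound to {previous}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_acl_bindings(SAMPLE_CONFIG):
        print(" | ".join(finding))
```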
To apply an IPv4-ACL to an interface, follow these steps:

Command                                             Purpose
switch# config t                                    Enters configuration mode.
switch(config)# interface mgmt0                     Configures a management interface
switch(config-if)# ip access-group restrict_mgmt    Applies an IPv4-ACL called restrict_mgmt for both the ingress and egress traffic (default).
switch(config-if)# no ip access-group NotRequired   Removes the IPv4-ACL called

Denying Traffic on the Inbound Interface
The IP-ACL applied to the interface for the ingress traffic affects both local and remote traffic.
The IP-ACL applied to the interface for the egress traffic only affects local traffic.

Cisco MDS 9000 Family CLI Configuration Guide
Configuring IPv4 and IPv6 Access Control Lists
OL-16184-01, Cisco MDS SAN-OS Release 3.x