Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Send documentation comments to mdsfeedback-doc@cisco.com.

CHAPTER 28

IP Access Control Lists

IP access control lists (IP-ACLs) provide basic network security to all switches in the Cisco MDS 9000
Family. IP-ACLs restrict IP-related traffic based on the configured IP filters. A filter contains the rules
to match an IP packet, and if the packet matches, the rule also stipulates if the packet should be permitted
or denied.
This chapter contains the following sections:
IP-ACL Configuration Guidelines, page 28-1
Filter Contents, page 28-2
Using the IP-ACL Wizard, page 28-4
Creating Complex IP-ACLs Using Device Manager, page 28-5
Associating IP-ACL Profiles to Interfaces, page 28-6
Removing Associations Between IP-ACL Profiles and Interfaces, page 28-6
Deleting IP Profiles, page 28-7

IP-ACL Configuration Guidelines

Each switch running Cisco MDS SAN-OS or Cisco FabricWare can have a maximum of 64 IP-ACLs,
and each IP-ACL can have a maximum of 256 filters. IP-ACLs can be associated with the management
interface or any Gigabit Ethernet interface on the IP services modules (IPS-4, IPS-8, and MPS-14/2).
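The following Python model is an added illustration, not Cisco code and not a Fabric Manager or SAN-OS command: it shows how an IP-ACL made of ordered filters evaluates a packet (first matching filter decides permit or deny) and enforces the limits stated above (64 IP-ACLs per switch, 256 filters per IP-ACL). The packet representation (a dict with protocol, source, destination and destination port), the CIDR notation for addresses, and the implicit deny when no filter matches are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_ACLS_PER_SWITCH = 64   # limit stated in the configuration guide
MAX_FILTERS_PER_ACL = 256  # limit stated in the configuration guide


@dataclass
class Filter:
    """One IP filter: match criteria plus the verdict applied on a match.

    Address fields use CIDR here for brevity; this is an assumption of the
    example, not the notation the switch itself uses.
    """
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # "ip" matches any IP protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and pkt.get("protocol") != self.protocol:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass
class IpAcl:
    """An ordered list of filters; the first filter that matches wins."""
    name: str
    filters: list = field(default_factory=list)

    def add_filter(self, flt: Filter) -> None:
        if len(self.filters) >= MAX_FILTERS_PER_ACL:
            raise ValueError(f"{self.name}: at most {MAX_FILTERS_PER_ACL} filters per IP-ACL")
        self.filters.append(flt)

    def evaluate(self, pkt: dict) -> str:
        for flt in self.filters:
            if flt.matches(pkt):
                return flt.action
        # Assumption for this example: no match means the packet is denied.
        return "deny"


class Switch:
    """Holds the IP-ACLs of one switch and enforces the per-switch limit."""

    def __init__(self) -> None:
        self.acls: dict = {}

    def add_acl(self, acl: IpAcl) -> None:
        if len(self.acls) >= MAX_ACLS_PER_SWITCH:
            raise ValueError(f"at most {MAX_ACLS_PER_SWITCH} IP-ACLs per switch")
        self.acls[acl.name] = acl


def build_mgmt_acl() -> IpAcl:
    """Constructed sample ACL for a management interface (addresses are made up).

    Filter order matters: the specific deny for one host precedes the
    broader permit for its subnet, so that host is blocked even though it
    falls inside the permitted range.
    """
    acl = IpAcl("mgmt-in")
    acl.add_filter(Filter("deny", "tcp", src="10.0.0.7/32", dst_port=22))
    acl.add_filter(Filter("permit", "tcp", src="10.0.0.0/24", dst_port=22))
    acl.add_filter(Filter("permit", "icmp", src="10.0.0.0/8"))
    return acl


if __name__ == "__main__":
    sw = Switch()
    sw.add_acl(build_mgmt_acl())
    pkt = {"protocol": "tcp", "src": "10.0.0.5", "dst": "10.1.1.1", "dst_port": 22}
    print(sw.acls["mgmt-in"].evaluate(pkt))
```

Because evaluation stops at the first match, reordering filters changes the outcome; when reviewing an IP-ACL, read it top to bottom and ask which filter a given packet hits first.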
Follow these guidelines when configuring IP-ACLs in any switch or director in the Cisco MDS 9000
Family:
In Cisco MDS SAN-OS Release 1.3 and earlier, you could only apply IP-ACLs to VSAN interfaces
and the management interface. As of Cisco MDS SAN-OS Release 2.0(1b), you can also apply
IP-ACLs to Gigabit Ethernet interfaces (IP services modules, including MPS-14/2 modules) and
Ethernet PortChannel interfaces.
Tip: If IP-ACLs are already configured on a Gigabit Ethernet interface, you cannot add this interface
to an Ethernet PortChannel group.
Caution: Do not apply IP-ACLs to only one member of a PortChannel group. Apply IP-ACLs to the
entire channel group.