Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 28 IP Access Control Lists
•Configure the order of conditions accurately. Because the IP-ACL filters are applied sequentially to the IP flows, only the first match determines the action taken; subsequent matches are not considered. Be sure to configure the most important condition first. If no conditions match, the software drops the packet.
Filter Contents
An IP filter contains rules for matching an IP packet based on the protocol, address, port, ICMP type, and type of service (TOS).
Protocol Information
The protocol information is required in each filter. It identifies the name or number of an IP protocol.
You can specify the IP protocol in one of two ways:
•Specify an integer ranging from 0 to 255. This number represents the IP protocol.
•Specify the name of a protocol including, but not restricted to, IP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
Note When configuring IP-ACLs on Gigabit Ethernet interfaces, only use the TCP or ICMP options.
Address Information
The address information is required in each filter. It identifies the following details:
•Source—The address of the network or host from which the packet is being sent.
•Source-wildcard—The wildcard bits applied to the source.
•Destination—The number of the network or host to which the packet is being sent.
•Destination-wildcard—The wildcard bits applied to the destination.
Specify the source and source-wildcard or the destination and destination-wildcard in one of two ways:
•Using the 32-bit quantity in four-part, dotted decimal format (10.1.1.2/0.0.0.0 is the same as host 10.1.1.2).
– Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source.
– Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IP address will be considered a match to this access list entry. Place ones in the bit positions you want to ignore. For example, use 0.0.255.255 to require an exact match of only the first 16 bits of the source. Wildcard bits set to one do not need to be contiguous in the source-wildcard; for example, a source-wildcard of 0.255.0.64 would be valid.
•Using the any option as an abbreviation for a source and source-wildcard or destination and destination-wildcard (0.0.0.0/255.255.255.255).
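The following Python model, added here as an illustration and not part of the Cisco documentation or of SAN-OS, shows how the two rules described in this chapter interact: wildcard-bit matching (including a non-contiguous wildcard such as 0.255.0.64 and the any abbreviation) and first-match, sequential evaluation with an implicit drop when nothing matches. The rule list, addresses, and the "host"/"any"/"address/wildcard" spelling used by parse_address are constructed for the example and are not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}  # IANA IP protocol numbers
ANY = ("0.0.0.0", "255.255.255.255")                 # the "any" abbreviation


def addr_int(addr: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a zero bit in the wildcard means the packet bit
    must equal the base bit; a one bit is ignored. One-bits need not be
    contiguous, so 0.255.0.64 is a legal wildcard."""
    care = ~addr_int(wildcard) & 0xFFFFFFFF
    return (addr_int(packet_addr) & care) == (addr_int(base) & care)


def parse_address(spec: str) -> Tuple[str, str]:
    """Constructed spelling for this example: 'any', 'host A.B.C.D', or
    'A.B.C.D/W.X.Y.Z' (address/wildcard). Returns (address, wildcard)."""
    if spec == "any":
        return ANY
    if spec.startswith("host "):
        return spec.split()[1], "0.0.0.0"
    addr, wc = spec.split("/")
    return addr, wc


@dataclass
class Rule:
    action: str    # "permit" or "deny"
    protocol: str  # "ip", a name in PROTOCOL_NUMBERS, or "0".."255"
    src: str       # source spec, see parse_address
    dst: str       # destination spec, see parse_address


def protocol_match(rule_proto: str, pkt_proto: int) -> bool:
    """'ip' matches every protocol; a name or integer matches one number."""
    if rule_proto == "ip":
        return True
    if rule_proto.isdigit():
        return int(rule_proto) == pkt_proto
    return PROTOCOL_NUMBERS[rule_proto] == pkt_proto


def evaluate(acl: List[Rule], pkt_proto: int, src: str, dst: str) -> str:
    """Apply the filters in order: the first match decides and later rules
    are never consulted. No match at all means the packet is dropped."""
    for rule in acl:
        if (protocol_match(rule.protocol, pkt_proto)
                and wildcard_match(src, *parse_address(rule.src))
                and wildcard_match(dst, *parse_address(rule.dst))):
            return rule.action
    return "deny"  # implicit drop at the end of every IP-ACL


# Constructed sample list (hypothetical addresses): deny one host, then permit its subnet.
SAMPLE_ACL = [
    Rule("deny", "tcp", "host 10.1.1.2", "any"),
    Rule("permit", "ip", "10.1.1.0/0.0.0.255", "any"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, 6, "10.1.1.2", "172.16.0.9"))      # deny: first rule hits
    print(evaluate(SAMPLE_ACL, 6, "10.1.1.5", "172.16.0.9"))      # permit: second rule
    print(evaluate(SAMPLE_ACL, 17, "192.168.5.5", "172.16.0.9"))  # deny: implicit drop
    # Same two rules reversed: the specific deny never fires because the
    # broader permit matches first, which is why ordering matters.
    print(evaluate(list(reversed(SAMPLE_ACL)), 6, "10.1.1.2", "172.16.0.9"))  # permit
```

The reversed-list case at the end is the configuration mistake the ordering guideline warns about: the more specific deny entry is shadowed by the broader permit placed above it, and the software never evaluates it.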
Port Information
The port information is optional. You can specify the port information in one of two ways: