Send documentation comments to mdsfeedback-doc@cisco.com.
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 28 IP Access Control Lists

Creating Complex IP-ACLs Using Device Manager

The IP-ACL Wizard in Fabric Manager provides tools to create an ordered list of simple IP filters and apply those filters to switches in the fabric.

To create more complex IP-ACLs using Device Manager, follow these steps:

Step 1 Choose Security > IP ACLs. You see the IP-ACL dialog box.
Step 2 Click Create... to create an IP-ACL profile.
Step 3 Enter a profile name and click Create. This creates an empty, named IP-ACL profile.
Step 4 Click on the IP-ACL profile you created and click Rules.... You see the list of IP filters associated with this profile.
Step 5 Click Create... to create an IP filter. You see the Create IP Filter dialog box.
Step 6 Choose the permit or deny Action radio button and set the Internet Protocol Number in the Protocol field. The drop-down menu provides common filtered protocols.
Step 7 Set the source IP address you want this filter to match against and the wildcard mask, or check the Any check box to match this filter against any IP address. This creates an IP filter that will check the source IP address of frames.

Note The wildcard mask denotes a subset of the IP address you want to match against. This allows a range of addresses to match against this filter.

Step 8 Set the transport layer source port range if the protocol chosen is TCP or UDP.
Step 9 Repeat Step 7 and Step 8 for the destination IP address and port range. This creates an IP filter that will check the destination IP address of frames.
Step 10 Set ToS, ICMPType, and ICMPCode as appropriate.
Step 11 Check the TCPEstablished check box if you want to match TCP connections with ACK, FIN, PSH, RST, SYN, or URG control bits set.
Step 12 Check the LogEnabled check box if you want to log all frames that match this IP filter.
Step 13 Click Create to create this IP filter and add it to your IP-ACL profile or click Close to close the IP Filter dialog box without creating an IP filter.

Any existing IP filters for this IP-ACL profile can be modified from the IP-ACL profiles dialog box but the filters cannot be reordered.
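
Because filters cannot be reordered after creation, it helps to check the intended order before entering it. The following Python model is an added example, not Cisco code or part of the original guide; it evaluates an ordered filter list against sample frames. It assumes the usual Cisco wildcard convention (0 bits must match, 1 bits are ignored), first-match evaluation, and an implicit deny when nothing matches; all names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr, base, wildcard):
    # Assumed Cisco wildcard convention: 0 bits must match, 1 bits are ignored.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class IpFilter:  # hypothetical model of one row in the Rules... list
    action: str                            # "permit" or "deny"
    protocol: int                          # IP protocol number (6 = TCP)
    src: str = "0.0.0.0"
    src_wildcard: str = "255.255.255.255"  # all ones behaves like "Any"
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"
    dst_ports: tuple = (0, 65535)          # inclusive destination port range

    def matches(self, frame):
        low, high = self.dst_ports
        return (frame["protocol"] == self.protocol
                and wildcard_match(frame["src"], self.src, self.src_wildcard)
                and wildcard_match(frame["dst"], self.dst, self.dst_wildcard)
                and low <= frame["dst_port"] <= high)

def evaluate(profile, frame, default="deny"):
    # First matching filter decides; default models an assumed implicit deny.
    for index, ip_filter in enumerate(profile):
        if ip_filter.matches(frame):
            return ip_filter.action, index
    return default, None

# Constructed sample filters and frames, not taken from the guide.
ALLOW_SUBNET = IpFilter("permit", 6, src="10.1.1.0", src_wildcard="0.0.0.255")
DENY_TELNET = IpFilter("deny", 6, src="10.1.1.50", src_wildcard="0.0.0.0",
                       dst_ports=(23, 23))
BROAD_FIRST = [ALLOW_SUBNET, DENY_TELNET]     # deny is shadowed, never reached
SPECIFIC_FIRST = [DENY_TELNET, ALLOW_SUBNET]  # deny takes effect

TELNET = {"protocol": 6, "src": "10.1.1.50", "dst": "192.0.2.10", "dst_port": 23}
HTTPS = {"protocol": 6, "src": "10.1.1.7", "dst": "192.0.2.10", "dst_port": 443}
OUTSIDE = {"protocol": 6, "src": "10.1.2.5", "dst": "192.0.2.10", "dst_port": 443}

if __name__ == "__main__":
    for name, profile in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        for frame in (TELNET, HTTPS, OUTSIDE):
            print(name, frame["src"], frame["dst_port"], evaluate(profile, frame))
```

With the broad permit created first, the Telnet deny is never reached, so the specific filter has to be created before the subnet-wide one.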