Fabric OS Administrator's Guide v6.4.0 (53-1001763-01, June 2010)
Fabric OS Administrator’s Guide 157
53-1001763-01
IP Filter policy
7
IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4
management traffic passes through the active IPv4 filter policy, and IPv6 management traffic
passes through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress)
management traffic only. When a packet arrives, it is compared against each rule, starting from the
first rule. If a match is found for the source address, destination port, and protocol, the
corresponding action for this rule is taken, and the subsequent rules in this policy are ignored. If
there is no match, then it is compared to the next rule in the policy. This process continues until the
incoming packet is compared to all rules in the active policy.
If none of the rules in the policy matches the incoming packet, the two implicit rules are matched to
the incoming packet. If the rules still do not match the packet, the default action, which is to deny,
is taken.
When the IPv4 or IPv6 address for the management interface of a switch is changed through the
ipAddrSet command or manageability tools, the active IP Filter policies automatically become
enforced on the management IP interface with the changed IP address.
NOTE
If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT
server configuration, the source address in an IP Filter rule may have to be the NAT server address.
Adding a rule to an IP Filter policy
There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP
Filter policy is not saved to the persistent configuration until a save or activate subcommand is run.
1. Log in to the switch using an account assigned to the admin role.
2. Enter the ipFilter
--addrule command.
Deleting a rule to an IP Filter policy
Deleting a rule in the specified IP Filter policy causes the rules following the deleted rule to shift up
in rule order. The change to the specified IP Filter policy is not saved to persistent configuration
until a save or activate subcommand is run.
1. Log in to the switch using an account assigned to the admin role.
2. Enter the ipFilter
–-delrule command:
Aborting an IP Filter transaction
A transaction is associated with a command line or manageability session. It is opened implicitly
when the
--create, --addrule, --delrule, --clone, and --delete subcommands are run. The
--transabort, --save, or --activate subcommands explicitly end the transaction owned by the
current command line or manageability session. If a transaction is not ended, other command line
or manageability sessions are blocked on the subcommands that would open a new transaction.
1. Log in to the switch using an account assigned to the admin role.
2. Enter the ipFilter
–-transabort command.