Configuring IPv4 and IPv6 Access Control Lists
• Configure the order of conditions accurately. As the IPv4-ACL or the IPv6-ACL filters are sequentially applied to the IP flows, only the first match determines the action taken. Subsequent matches are not considered. Be sure to configure the most important condition first. If no conditions match, the software drops the packet.
• Configure explicit deny on the IP Storage Gigabit Ethernet ports to apply IP ACLs because implicit deny does not take effect on these ports.
About Filter Contents
An IP filter contains rules for matching an IP packet based on the protocol, address, port, ICMP type, and type of service (TS).
Protocol Information
The protocol information is required in each filter. It identifies the name or number of an IP protocol. You can specify the IP protocol in one of two ways:
• Specify an integer ranging from 0 to 255. This number represents the IP protocol.
• Specify the name of a protocol including, but not restricted to, Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
Note
When configuring IPv4-ACLs or IPv6-ACLs on Gigabit Ethernet interfaces, only use the TCP or ICMP options.
Address Information
The address information is required in each filter. It identifies the following details:
• Source—The address of the network or host from which the packet is being sent.
• Source-wildcard—The wildcard bits applied to the source.
• Destination—The number of the network or host to which the packet is being sent.
• Destination-wildcard—The wildcard bits applied to the destination.
Specify the source and source-wildcard or the destination and destination-wildcard in one of two ways:
• Using the 32-bit quantity in four-part, dotted decimal format (10.1.1.2/0.0.0.0 is the same as host 10.1.1.2).
    • Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IPv4 address must exactly match the bit value in the corresponding bit position in the source.
    • Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IPv4 or IPv6 address will be considered a match to this access list entry. Place ones in the bit positions you want to ignore. For example, 0.0.255.255 requires an exact match of only the first 16 bits of the source. Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
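The two behaviours described above, first-match ordering with implicit deny and wildcard-bit matching (including a non-contiguous wildcard such as 0.255.0.64), can be checked offline with the following model. It is an added example, not code from the Cisco guide or the MDS software: the ACL entries, packets, and the `implicit_deny` switch (modelling the IP Storage Gigabit Ethernet port case where implicit deny does not apply) are constructed for illustration, and the protocol-name table covers only the names this section lists.

```python
import ipaddress

# Protocol names the section mentions, mapped to their IP protocol numbers.
# "ip" is modelled as matching every protocol (assumption for this example).
PROTOCOL_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 address or wildcard -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means the packet bit
    must equal the rule bit, a 1 bit means that position is ignored.
    The 1 bits need not be contiguous."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # positions that must match
    return (to_int(packet_addr) ^ to_int(rule_addr)) & care == 0


def protocol_match(packet_proto: int, rule_proto) -> bool:
    """rule_proto is either an integer 0-255 or one of the names above."""
    if isinstance(rule_proto, int):
        return packet_proto == rule_proto
    number = PROTOCOL_NUMBERS[rule_proto.lower()]
    return number is None or packet_proto == number


def entry(action, proto, src, src_wc, dst, dst_wc) -> dict:
    """One access-list entry: action, protocol, source/wildcard, destination/wildcard."""
    return {"action": action, "proto": proto,
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def entry_matches(e: dict, packet: dict) -> bool:
    return (protocol_match(packet["proto"], e["proto"])
            and wildcard_match(packet["src"], e["src"], e["src_wc"])
            and wildcard_match(packet["dst"], e["dst"], e["dst_wc"]))


def evaluate(acl: list, packet: dict, implicit_deny: bool = True):
    """Walk the entries in order. The first match decides the action and later
    entries are never consulted. With no match, the implicit deny drops the
    packet; implicit_deny=False models a port where that deny does not apply,
    and the result (None, None) means 'no entry decided'."""
    for index, e in enumerate(acl):
        if entry_matches(e, packet):
            return e["action"], index
    return ("deny", None) if implicit_deny else (None, None)


# Constructed sample data. Both lists hold the same two entries in opposite order.
ACL_PERMIT_FIRST = [
    entry("permit", "tcp", "0.0.0.0", "255.255.255.255", "10.1.1.2", "0.0.0.0"),
    entry("deny", "ip", "10.1.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
]
ACL_DENY_FIRST = list(reversed(ACL_PERMIT_FIRST))

TCP_FROM_10_1 = {"proto": 6, "src": "10.1.5.9", "dst": "10.1.1.2"}     # matches both entries
UDP_FROM_OUTSIDE = {"proto": 17, "src": "192.0.2.7", "dst": "10.1.1.2"}  # matches neither


if __name__ == "__main__":
    print("permit-first:", evaluate(ACL_PERMIT_FIRST, TCP_FROM_10_1))
    print("deny-first:  ", evaluate(ACL_DENY_FIRST, TCP_FROM_10_1))
    print("no match, implicit deny:", evaluate(ACL_PERMIT_FIRST, UDP_FROM_OUTSIDE))
    print("no match, no implicit deny:",
          evaluate(ACL_PERMIT_FIRST, UDP_FROM_OUTSIDE, implicit_deny=False))
    print("0.255.0.64 wildcard:", wildcard_match("10.77.0.64", "10.0.0.0", "0.255.0.64"),
          wildcard_match("10.77.0.65", "10.0.0.0", "0.255.0.64"))
```

Running the script shows the same TCP packet permitted by one list and denied by the other, purely because of entry order, and shows that the non-contiguous wildcard 0.255.0.64 ignores the whole second octet and bit 64 of the last octet while still checking every other bit.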
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
About Filter Contents
101