About IPv4 and IPv6 Access Control Lists
Cisco MDS 9000 Family switches can route IP version 4 (IPv4) traffic between Ethernet and Fibre Channel
interfaces. The IP static routing feature routes traffic between VSANs. To do so, each VSAN must be in a
different IPv4 subnetwork. Each Cisco MDS 9000 Family switch provides the following services for network
management systems (NMS):
• IP forwarding on the out-of-band Ethernet interface (mgmt0) on the front panel of the supervisor modules.
• IP forwarding on the in-band Fibre Channel interface using the IP over Fibre Channel (IPFC) function.
IPFC specifies how IP frames can be transported over Fibre Channel using encapsulation
techniques. IP frames are encapsulated into Fibre Channel frames so NMS information can cross the
Fibre Channel network without using an overlay Ethernet network.
• IP routing (default routing and static routing): If your configuration does not need an external router,
you can configure a default route using static routing.
IPv4 and IPv6 Access Control Lists (IPv4-ACLs and IPv6-ACLs) provide basic network security to all switches in the
Cisco MDS 9000 Family. IPv4-ACLs and IPv6-ACLs restrict IP-related traffic based on the configured IP
filters. A filter contains the rules to match an IP packet, and if the packet matches, the rule also stipulates whether
the packet should be permitted or denied.
Each switch in the Cisco MDS 9000 Family can have a maximum total of 128 IPv4-ACLs or 128 IPv6-ACLs
and each IPv4-ACL or IPv6-ACL can have a maximum of 256 filters.
IPv4-ACL and IPv6-ACL Configuration Guidelines
Follow these guidelines when configuring IPv4-ACLs or IPv6-ACLs in any switch or director in the Cisco
MDS 9000 Family:
• You can apply IPv4-ACLs or IPv6-ACLs to VSAN interfaces, the management interface, Gigabit Ethernet
interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel interfaces.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
Caution
If IPv4-ACLs or IPv6-ACLs are already configured in a Gigabit Ethernet interface,
you cannot add this interface to an Ethernet PortChannel group. Do not apply
IPv4-ACLs or IPv6-ACLs to only one member of a PortChannel group. Apply
IPv4-ACLs or IPv6-ACLs to the entire channel group.
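The limits and the PortChannel caution above can be checked against a planned layout before it is pushed to a switch. The following is an added example, not code from the Cisco guide: the `audit` function, the dictionary shapes and all sample names are hypothetical. It assumes the 128-ACL limit applies per address family, and it generalizes the caution from "only one member" to "some but not all members" of a channel group.

```python
from collections import defaultdict

MAX_ACLS_PER_FAMILY = 128  # switch-wide limit stated in the guide
MAX_FILTERS_PER_ACL = 256  # per-ACL limit stated in the guide

def audit(acls, interfaces):
    """Return a list of findings for a planned ACL layout.
    acls:       {name: {"family": "ipv4" | "ipv6", "filters": [str, ...]}}
    interfaces: {name: {"acl": str | None, "channel_group": int | None}}
    Both shapes are hypothetical, not a Cisco export format.
    """
    findings = []
    per_family = defaultdict(int)
    for name, acl in sorted(acls.items()):
        per_family[acl["family"]] += 1
        count = len(acl["filters"])
        if count > MAX_FILTERS_PER_ACL:
            findings.append(f"{name}: {count} filters, limit is {MAX_FILTERS_PER_ACL}")
    # Assumption: the 128-ACL limit is checked separately per address family.
    for family, count in sorted(per_family.items()):
        if count > MAX_ACLS_PER_FAMILY:
            findings.append(f"{family}: {count} ACLs, limit is {MAX_ACLS_PER_FAMILY}")
    # Caution from the guide: an ACL must cover the entire channel group,
    # so flag groups where some members carry an ACL and others do not.
    groups = defaultdict(dict)
    for if_name, cfg in interfaces.items():
        if cfg.get("channel_group") is not None:
            groups[cfg["channel_group"]][if_name] = cfg.get("acl")
    for group, members in sorted(groups.items()):
        bare = sorted(n for n, acl in members.items() if not acl)
        if bare and len(bare) < len(members):
            findings.append(f"channel-group {group}: no ACL on {', '.join(bare)}")
    return findings

# Constructed sample data, not taken from a real switch.
SAMPLE_ACLS = {
    "mgmt-v4": {"family": "ipv4", "filters": ["filter-1", "filter-2"]},
    "ipfc-v6": {"family": "ipv6", "filters": [f"filter-{i}" for i in range(257)]},
}
SAMPLE_INTERFACES = {
    "mgmt0": {"acl": "mgmt-v4", "channel_group": None},
    "GigabitEthernet2/1": {"acl": "mgmt-v4", "channel_group": 10},
    "GigabitEthernet2/2": {"acl": None, "channel_group": 10},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACLS, SAMPLE_INTERFACES):
        print(finding)
```

With the constructed sample, the audit reports the 257-filter ACL and the channel group whose second member has no ACL.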
Configuring IPv4 and IPv6 Access Control Lists