- Device Manager Help
- Configuring Cisco DCNM-SAN Server
- Configuring Authentication in Cisco DCNM-SAN
- Configuring Cisco DCNM-SAN Client
- Device Manager
- Configuring Performance Manager
- Configuring High Availability
- Configuring Trunking
- Configuring PortChannels
- Configuring N Port Virtualization
- Configuring Interfaces
- Configuration of Fibre Channel Interfaces
- Using the CFS Infrastructure
- Configuring SNMP
- Configuring Domain Parameters
- Configuring and Managing Zones
- Configuring FCoE
- Configuring Dense Wavelength Division Multiplexing
- Configuring and Managing VSANs
- Discovering SCSI Targets
- Configuring SAN Device Virtualization
- Configuring Fibre Channel Routing Services and Protocols
- Managing FLOGI, Name Server, FDMI, and RSCN Databases
- Configuring FICON
- Creating Dynamic VSANs
- Distributing Device Alias Services
- Configuring Advanced Fabric Features
- Configuring Users and Common Role
- Configuring Security Features on an External AAA Server
- Configuring Certificate Authorities and Digital Certificates
- Configuring FC-SP and DHCHAP
- Configuring Cisco TrustSec Fibre Channel Link Encryption
- Configuring FIPS
- Configuring IPv4 and IPv6 Access Control Lists
- Configuring IPsec Network Security
- Configuring Port Security
- Configuring Fabric Binding
- Configuring FCIP
- Configuring the SAN Extension Tuner
- Configuring iSCSI
- Configuring IP Services
- Configuring IP Storage
- Configuring IPv4 for Gigabit Ethernet Interfaces
- Configuring IPv6 for Gigabit Ethernet Interfaces
- Configuring SCSI Flow Services
- Configuring SCSI Flow Statistics
- Configuring Fibre Channel Write Acceleration
- Monitoring the Network
- Monitoring Performance
- Configuring Call Home
- Configuring System Message Logging
- Scheduling Maintenance Jobs
- Configuring RMON
- Configuring Fabric Configuration Server
- Monitoring Network Traffic Using SPAN
- Monitoring System Processes and Logs
- Configuring QoS
- Configuring Port Tracking
- Configuring FlexAttach Virtual pWWN
- Configuring Interface Buffers
- Verifying Ethernet Interfaces
- Information About IPv4 and IPv6 Access Control Lists
- Guidelines and Limitations
- Configuring IPv4-ACLs or IPv6-ACLs
- Creating IPv4-ACLs or IPv6-ACLs with the IP-ACL Wizard
- Creating IPv4-ACLs or IPv6-ACLs
- Adding IP Filters to an Existing IPv4-ACL or IPv6-ACL
- Removing IP Filters from an Existing IPv4-ACL or IPv6-ACL
- Deleting IP-ACLs
- Reading the IP-ACL Log Dump
- Applying an IP-ACL to an Interface
- Applying an IP-ACL to mgmt0
- Verifying the IPv4 or IPv6 Configuration
- Configuration Examples for IP-ACL
- Field Descriptions for IPv4 and IPv6 Access Control Lists
Configuring IPv4 and IPv6 Access Control Lists
Cisco MDS 9000 Family switches can route IP version 4 (IPv4) traffic between Ethernet and Fibre Channel interfaces. The IP static routing feature routes traffic between VSANs. To do so, each VSAN must be in a different IPv4 subnetwork. Each Cisco MDS 9000 Family switch provides the following services for network management systems (NMS):
- IP forwarding on the out-of-band Ethernet interface (mgmt0) on the front panel of the supervisor modules.
- IP forwarding on the in-band Fibre Channel interface using the IP over Fibre Channel (IPFC) function—IPFC specifies how IP frames can be transported over Fibre Channel using encapsulation techniques. IP frames are encapsulated into Fibre Channel frames so NMS information can cross the Fibre Channel network without using an overlay Ethernet network.
- IP routing (default routing and static routing)—If your configuration does not need an external router, you can configure a default route using static routing.
Switches are compliant with RFC 2338 standards for Virtual Router Redundancy Protocol (VRRP) features. VRRP is a restartable application that provides a redundant, alternate path to the gateway switch.
IPv4 Access Control Lists (IPv4-ACLs and IPv6-ACLs) provide basic network security to all switches in the Cisco MDS 9000 Family. IPv4-ACLs and IPv6-ACLs restrict IP-related traffic based on the configured IP filters. A filter contains the rules to match an IP packet, and if the packet matches, the rule also stipulates if the packet should be permitted or denied.
Each switch in the Cisco MDS 9000 Family can have a maximum total of 128 IPv4-ACLs or 128 IPv6-ACLs and each IPv4-ACL or IPv6-ACL can have a maximum of 256 filters.
Information About IPv4 and IPv6 Access Control Lists
Cisco MDS 9000 Family switches can route IP version 4 (IPv4) traffic between Ethernet and Fibre Channel interfaces. The IP static routing feature routes traffic between VSANs. To do so, each VSAN must be in a different IPv4 subnetwork. Each Cisco MDS 9000 Family switch provides the following services for network management systems (NMS):
- IP forwarding on the out-of-band Ethernet interface (mgmt0) on the front panel of the supervisor modules.
- IP forwarding on the in-band Fibre Channel interface using the IP over Fibre Channel (IPFC) function—IPFC specifies how IP frames can be transported over Fibre Channel using encapsulation techniques. IP frames are encapsulated into Fibre Channel frames so NMS information can cross the Fibre Channel network without using an overlay Ethernet network.
- IP routing (default routing and static routing)—If your configuration does not need an external router, you can configure a default route using static routing.
IPv4 Access Control Lists (IPv4-ACLs and IPv6-ACLs) provide basic network security to all switches in the Cisco MDS 9000 Family. IPv4-ACLs and IPv6-ACLs restrict IP-related traffic based on the configured IP filters. A filter contains the rules to match an IP packet, and if the packet matches, the rule also stipulates if the packet should be permitted or denied.
Each switch in the Cisco MDS 9000 Family can have a maximum total of 128 IPv4-ACLs or 128 IPv6-ACLs and each IPv4-ACL or IPv6-ACL can have a maximum of 256 filters.
This section contains the following topics:
- About Filter Contents
- Protocol Information
- Address Information
- Port Information
- ICMP Information
- ToS Information
About Filter Contents
An IP filter contains rules for matching an IP packet based on the protocol, address, port, ICMP type, and type of service (ToS).
Protocol Information
The protocol information is required in each filter. It identifies the name or number of an IP protocol. You can specify the IP protocol in one of two ways:
- Specify an integer ranging from 0 to 255. This number represents the IP protocol.
- Specify the name of a protocol including, but not restricted to, Internet Protocol (IP ), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
Note When configuring IPv4-ACLs or IPv6-ACLs on Gigabit Ethernet interfaces, only use the TCP or ICMP options.
Address Information
The address information is required in each filter. It identifies the following details:
- Source—The address of the network or host from which the packet is being sent.
- Source-wildcard—The wildcard bits applied to the source.
- Destination—The number of the network or host to which the packet is being sent.
- Destination-wildcard—The wildcard bits applied to the destination.
Specify the source and source-wildcard or the destination and destination-wildcard in one of two ways:
- Using the 32-bit quantity in four-part, dotted decimal format (10.1.1.2/0.0.0.0 is the same as host 10.1.1.2).
– Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IPv4 address must exactly match the bit value in the corresponding bit position in the source.
– Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IPv4 or IPv6 address will be considered a match to this access list entry. Place ones in the bit positions you want to ignore. For example, 0.0.255.255 requires an exact match of only the first 16 bits of the source. Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
Port Information
The port information is optional. To compare the source and destination ports, use the eq (equal) option, the gt (greater than) option, the lt (less than) option, or the range (range of ports) option. You can specify the port information in one of two ways:
- Specify the number of the port. Port numbers range from 0 to 65535. Table 34-1 displays the port numbers recognized by the Cisco NX-OS software for associated TCP and UDP ports.
- Specify the name of a TCP or UDP port as follows:
– TCP port names can only be used when filtering TCP.
– UDP port names can only be used when filtering UDP.
TCP1 |
||
ICMP Information
IP packets can be filtered based on the following optional ICMP conditions:
- icmp-type—The ICMP message type is a number from 0 to 255.
- icmp-code—The ICMP message code is a number from 0 to 255.
Table 34-2 displays the value for each ICMP type.
ICMP Type2
|
|
---|---|
Guidelines and Limitations
Follow these guidelines when configuring IPv4-ACLs or IPv6-ACLs in any switch or director in the Cisco MDS 9000 Family:
- You can apply IPv4-ACLs or IPv6-ACLs to VSAN interfaces, the management interface, Gigabit Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel interfaces.
Tip If IPv4-ACLs or IPv6-ACLs are already configured in a Gigabit Ethernet interface, you cannot add this interface to an Ethernet PortChannel group. See the Cisco MDS 9000 Family NX-OS IP Services Configuration GuideIP Services Configuration Guide, Cisco DCNM for SAN for guidelines on configuring IPv4-ACLs.
- Configure the order of conditions accurately. As the IPv4-ACL or the IPv6-ACL filters are sequentially applied to the IP flows, only the first match determines the action taken. Subsequent matches are not considered. Be sure to configure the most important condition first. If no conditions match, the software drops the packet.
- Configure explicit deny on the IP Storage Gigabit Ethernet ports to apply IP ACLs because implicit deny does not take effect on these ports.
Configuring IPv4-ACLs or IPv6-ACLs
This section contains the following topics:
- Creating IPv4-ACLs or IPv6-ACLs
- “Adding IP Filters to an Existing IPv4-ACL or IPv6-ACL” section
- Removing IP Filters from an Existing IPv4-ACL or IPv6-ACL
- Deleting IP-ACLs
- Reading the IP-ACL Log Dump
- Applying an IP-ACL to an Interface
- Applying an IP-ACL to mgmt0
Creating IPv4-ACLs or IPv6-ACLs with the IP-ACL Wizard
Traffic coming into the switch is compared to IPv4-ACL or IPv6-ACL filters based on the order that the filters occur in the switch. New filters are added to the end of the IPv4-ACL or the IPv6-ACL. The switch keeps looking until it has a match. If no matches are found when the switch reaches the end of the filter, the traffic is denied. For this reason, you should have the frequently hit filters at the top of the filter. There is an implied deny for traffic that is not permitted. A single-entry IPv4-ACL or IPv6-ACL with only one deny entry has the effect of denying all traffic.
To configure an IPv4-ACL or an IPv6-ACL, follow these steps:
Step 1 Create an IPv4-ACL or an IPv6-ACL by specifying a filter name and one or more access condition(s). Filters require the source and destination address to match a condition. Use optional keywords to configure finer granularity.
Note The filter entries are executed in sequential order. You can only add the entries to the end of the list. Take care to add the entries in the correct order.
Step 2 Apply the access filter to specified interfaces.
To create an ordered list of IP filters in a named IPv4-ACL or IPv6-ACL profile using the IPv4-ACL Wizard, follow these steps:
Step 1 Click the IP ACL Wizard icon from the DCNM-SAN toolbar (see Figure 34-1).
Step 2 Enter a name for the IP-ACL.
Note If you are creating an IPv6-ACL, check the IPv6 check box.
Step 3 Click Add to add a new rule to this IP-ACL. You see a new rule in the table with default values.
Step 4 Modify the Source IP and Source Mask as necessary for your filter.
Note The IP-ACL Wizard only creates inbound IP filters.
Step 5 Choose the appropriate filter type from the Application drop-down list.
Step 6 Choose permit or deny from the Action drop-down list.
Step 7 Repeat Step 3 through Step 6 for additional IP filters.
Step 8 Click Up or Down to order the filters in this IP-ACL.
Tip Order the IP filters carefully. Traffic is compared to the IP filters in order. The first match is applied and the rest are ignored.
You see a list of switches that you can apply this IP-ACL.
Step 10 Uncheck any switches that you do not want to apply this IP-ACL.
Step 11 Select the Interface you want to apply this IP-ACL.
Step 12 Click Finish to create this IP-ACL and apply it to the selected switches.
Creating IPv4-ACLs or IPv6-ACLs
To create an IPv4-ACL, follow these steps:
Configures an IPv4-ACL called List1 and permits IP traffic from any source address to any destination address. |
||
Updates List1 to deny TCP traffic from any source address to any destination address. |
To create an IPv6-ACL, follow these steps:
To define an IPv4-ACL that restricts management access, follow these steps:
To define an IPv6-ACL that restricts management access, follow these steps:
To use the operand and port options for an IPv4-ACL, follow these steps:
switch(config)# ip access-list List2 deny tcp 1.2.3.0 0.0.0.255 eq port 5 any |
Denies TCP traffic from 1.2.3.0 through source port 5 to any destination. |
To use the operand and port options for an IPv6-ACL, follow these steps:
switch(config)# ip access-list List2 deny tcp 2001:0DB8:800:200C::/64 eq port 5 any |
Denies TCP traffic from 2001:0DB8:800:200C::/64 through source port 5 to any destination. |
To add entries to an existing IPv4-ACL or an IPv6-ACL using Device Manager, follow these steps:
Step 1 Choose Security > IP ACL .
Step 2 Click Create to create an IP-ACL profile.
You see the Create IP ACL Profiles dialog box. Enter an IP-ACL profile name.
Step 3 Click Create and then click Close .
This creates a new IP-ACL profile.
Step 4 Click the IP-ACL you created and click Rules .
After you create an IPv4-ACL or an IPv6-ACL, you can add subsequent IP filters at the end of the IPv4-ACL or the IPv6-ACL if you are using Device Manager. DCNM-SAN allows you to reorder existing rules for a profile. You cannot insert filters in the middle of an IPv4-ACL or an IPv6-ACL. Each configured entry is automatically added to the end of a IPv4-ACL or an IPv6-ACL.
Step 5 Click Create to create an IP filter.
Step 6 Choose either permit or deny for the Action and set the IP Number in the Protocol field. The drop-down menu provides common filtered protocols.
Step 7 Set the source IP address you want this filter to match against and the wildcard mask, or check the any check box to match this filter against any IP address.
This creates an IP filter that will check the source IP address of frames.
Note The wildcard mask denotes a subset of the IP address you want to match against. This allows a range of addresses to match against this filter.
Step 8 Set the transport layer source port range if the protocol chosen is TCP or UDP.
Step 9 Repeat Step 7 and Step 8 for the destination IP address and port range.
This creates an IP filter that will check the destination IP address of frames.
Step 10 Set the ToS, ICMPType, and ICMPCode fields as appropriate.
Step 11 Check the TCPEstablished check box if you want to match TCP connections with ACK,FIN,PSH,RST,SYN or URG control bits set.
Step 12 Check the LogEnabled check box if you want to log all frames that match this IP filter.
Step 13 Click Create to create this IP filter and add it to your IP-ACL.
Adding IP Filters to an Existing IPv4-ACL or IPv6-ACL
After you create an IPv4-ACL or an IPv6-ACL, you can add subsequent IP filters at the end of the IPv4-ACL or the IPv6-ACL. You cannot insert filters in the middle of an IPv4-ACL or an IPv6-ACL. Each configured entry is automatically added to the end of a IPv4-ACL or a IPv6-ACL.
To add entries to an existing IPv4-ACL, follow these steps:
To add entries to an existing IPv6-ACL, follow these steps:
Removing IP Filters from an Existing IPv4-ACL or IPv6-ACL
To remove configured entries from an IPv4-ACL, follow these steps:
To remove configured entries from an IPv6-ACL, follow these steps:
Configures an IPv6-ACL and enters IPv6-ACL configuration submode. |
||
switch(config-ipv6-acl)# no deny tcp 2001:0DB8:800:2010::/64 eq port 5 any |
||
To remove configured entries from an IPv4-ACL or an IPv6-ACL using Device Manager, follow these steps:
Step 1 Choose Security > IP ACLs .
You see the IP-ACL dialog box.
Step 2 Click the IP-ACL you want to modify and click Rules .
You see the list of IP filters associated with this IP-ACL.
Step 3 Select the filter that you want to delete and click Delete to delete that IP filter.
Prerequisites
You must delete the association between the IP-ACL and interfaces before deleting the IP-ACL.
To delete an IP-ACL, follow these steps:
Step 1 Expand Switches > Security, and then select IP ACL from the Physical Attributes pane.
You see the IP-ACL configuration in the Information pane.
Step 2 Click the Profiles tab.
You see a list of switches, ACLs, and profile names.
Step 3 Select the row you want to delete. To delete multiple rows, hold down the Shift key while selecting rows.
Step 4 Click Delete Row . The IP-ACLs are deleted.
Reading the IP-ACL Log Dump
Use the LogEnabled check box option during IP filter creation to log information about packets that match this filter. The log output displays the ACL number, permit or deny status, and port information.
Use the log-deny option at the end of a filter condition to log information about packets that match dropped entries. The log output displays the ACL number, permit or deny status, and port information.
Note To capture these messages in a logging destination, you must configure severity level 7 for the kernel and ipacl facilities and severity level 7 for the logging destination: logfile, monitor or console. For example:switch#
config tswitch(config)#
logging level kernel 7switch(config)#
logging level ipacl 7switch(config)#
logging logfile message 7
For the input ACL, the log displays the raw MAC information. The keyword “MAC=” does not refer to showing an Ethernet MAC frame with MAC address information. It refers to the Layer 2 MAC-layer information dumped to the log. For the output ACL, the raw Layer 2 information is not logged.
The following example is an input ACL log dump:
Applying an IP-ACL to an Interface
You can define IP-ACLs without applying them. However, the IP-ACLs will have no effect until they are applied to an interface on the switch. You can apply IP-ACLs to VSAN interfaces, the management interface, Gigabit Ethernet interfaces on IPS modules and MPS-14/2 modules, and Ethernet PortChannel interfaces.
Tip Apply the IP-ACL on the interface closest to the source of the traffic.
When you are trying to block traffic from source to destination, you can apply an inbound IPv4-ACL to M0 on Switch 1 instead of an outbound filter to M1 on Switch 3 (see Figure 34-2).
Figure 34-2 Denying Traffic on the Inbound Interface
The access-group option controls access to an interface. Each interface can only be associated with one IP-ACL per direction. The ingress direction can have a different IP-ACL than the egress direction. The IP-ACL becomes active when applied to the interface.
Tip Create all conditions in an IP-ACL before applying it to the interface.
The terms in , out , source , and destination are used as referenced by the switch:
- In—Traffic that arrives at the interface and goes through the switch; the source is where it transmitted from and the destination is where it is transmitted to (on the other side of the router).
Tip The IP-ACL applied to the interface for the ingress traffic affects both local and remote traffic.
- Out—Traffic that has already been through the switch and is leaving the interface; the source is where it transmitted from and the destination is where it is transmitted to.
Tip The IP-ACL applied to the interface for the egress traffic only affects local traffic.
To apply an IPv4-ACL to an interface, follow these steps:
Applying an IP-ACL to mgmt0
A system default ACL called mgmt0 exists on the mgmt0 interface. This ACL is not visible to the user, so mgmt0 is a reserved ACL name that cannot be used. The mgmt0 ACL blocks most ports and only allows access to required ports in compliance to accepted security policies.
To apply an IP-ACL to an interface, follow these steps:
Step 1 Expand Switches > Security , and then select IP ACL in the Physical Attributes pane.
You see the IP-ACL configuration in the Information pane.
Step 2 Click the Interfaces tab.
You see a list of interfaces and associated IP-ACLs.
Step 4 (Optional) Remove the switches you do not want to include in the IP-ACL by unchecking the check boxes next to the switch addresses.
Set the interface you want associated with an IPv4-ACL or IPv6-ACL in the Interface field.
Step 5 Choose a ProfileDirection (either inbound or outbound ).
Step 6 Enter the IP-ACL name in the Profile Name field.
Note This IP-ACL name must have already been created using the Create Profiles dialog box. If not, no filters will be enabled until you to go to the Create Profiles dialog box and create the profile.
Step 7 Click Create to associate the IP-ACL.
You see the newly associated access list in the list of IP-ACLs.
Verifying the IPv4 or IPv6 Configuration
To display the IPv4 or IPv6 configuration information, perform one of the following tasks:
For detailed information about the fields in the output from these commands, refer to the Cisco DC-OS Command Reference .
- “Displaying the IPv4-ACL or IPv6-ACL Configuration” section
- “Displaying Interface IP-ACL Configuration” section
- “IP-ACL Counter Cleanup” section
Displaying the IPv4-ACL or IPv6-ACL Configuration
Use the show ip access-list command to view the contents of configured IPv4-ACLs. An IPv4-ACL can have one or more filters. (See Example 34-1).
Example 34-1 Displays Filters Configured for an IPv4-ACL
Use the show ipv6 access-list command to view the contents of configured access filters. Each access filter can have several conditions. (See Example 34-2 and Example 34-3).
Displaying Interface IP-ACL Configuration
Use the show interface command to display the IPv4-ACL configuration on an interface.
Use the show interface command to display the IPv6-ACL configuration on an interface.
IP-ACL Counter Cleanup
Use the clear command to clear the counters for a specified IPv4-ACL filter entry.
Note You cannot use this command to clear the counters for individual filters.
Use the clear ipv6 access-list command to clear the counters for all IPv6-ACLs.
Use the clear ipv6 access-list name command to clear the counters for a specified IPv6-ACL.
Note You cannot use this command to clear the counters for each individual filter.
Configuration Examples for IP-ACL
To define an IP-ACL that restricts management access using Device Manager, follow these steps:
Step 1 Choose Security > IP ACL .
You see the IP-ACL dialog box.
Step 2 Click Create to create an IP-ACL.
You see the Create IP ACL Profiles dialog box.
Step 3 Enter RestrictMgmt as the profile name and click Create .
This creates an empty IP-ACL named RestrictMgmt (see Figure 34-3).
Figure 34-3 RestrictMgmt Profile Added to the List
Step 4 Select RestrictMgmt and click Rules .
You see an empty list of IP filters associated with this IP-ACL.
Step 5 Click Create to create the first IP filter.
You see the Create IP Filter dialog box.
Step 6 Create an IP filter to allow management communications from a trusted subnet:
a. Choose the permit Action and select 0 IP from the Protocol drop-down menu.
b. Set the source IP address to 10.67.16.0 and the wildcard mask to 0.0.0.255.
Note The wildcard mask denotes a subset of the IP address you want to match against. This allows a range of addresses to match against this filter.
c. Check the any check box for the destination address.
d. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.
Repeat Step a through Step d to create an IP filter that allows communications for all addresses in the 10.67.16.0/24 subnet.
Step 7 Create an IP filter to allow ICMP ping commands:
a. Choose the permit Action and select 1-ICMP from the Protocol drop-down menu.
b. Check the any check box for the source address.
c. Check the any check box for the destination address.
d. Select 8 echo from the ICMPType drop-down menu.
e. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.
Repeat Step a through Step e to create an IP filter that allows ICMP ping.
Step 8 Create a final IP Filter to block all other traffic:
a. Choose the deny Action and select 0 IP from the Protocol drop-down menu.
b. Check the any check box for the source address.
c. Check the any check box for the destination address.
d. Click Create to create this IP filter and add it to the RestrictMgmt IP-ACL.
e. Click Close to close the Create IP Filter dialog box.
Repeat Step a through Step d to create an IP filter that blocks all other traffic.
Step 9 Apply the RestrictMgmt IP ACL to the mgmt0 interface:
a. Click Security , select IP ACL, and then click the Interfaces tab in the IP ACL dialog box.
You see the Create IP-ACL Interfaces dialog box.
c. Select mgmt0 from the Interfaces drop-down menu.
d. Select the inbound Profile Director.
e. Select RestrictMgmt from the ProfileName drop-down menu.
f. Click Create to apply the RestrictMgmt IP-ACL to the mgmt0 interface.
Repeat Step a through Step f to apply the new IP-ACL to the mgmt0 interface.
Field Descriptions for IPv4 and IPv6 Access Control Lists
The following are the field descriptions for IPv4 and IPv6 access control lists: