Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)

ManualsBrandsHP ManualsStorageBrocade 8/24c SAN Switch for BladeSystem c-Class

181

182

183

184

185

186

187

188

189

190

Fabric OS Administrator’s Guide 143

53-1001336-02

IP Filter policy

Each rule contains the following elements:

• Source Address: A source IP address or a group prefix.

• Destination Port: The destination port number or name, such as: Telnet, SSH, HTTP, HTTPS.

• Protocol: The protocol type. Supported types are TCP or UDP.

• Action: The filtering action taken by this rule, either Permit or Deny.

For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation.

The group prefix has to be a CIDR block prefix representation. For example, 208.130.32.0/24

represents a 24-bit IPv4 prefix starting from the most significant bit. The special prefix 0.0.0.0/0

matches any IPv4 address. In addition, the keyword any is supported to represent any IPv4

address.

For an IPv6 filter policy, the source address has to be a 128-bit IPv6 address, in a format

acceptable in RFC 3513. The group prefix has to be a CIDR block prefix representation. For

example, 12AB:0:0:CD30::/64 represents a 64-bit IPv6 prefix starting from the most significant bit.

In addition, the keyword any is supported to represent any IPv6 address.

For the destination port, a single port number or a port number range can be specified. According

to IANA (http://www.iana.org), ports 0 to 1023 are well-known port numbers, ports 1024 to 49151

are registered port numbers, and ports 49152 to 65535 are dynamic or private port numbers.

Well-known and registered ports are normally used by servers to accept connections, while

dynamic port numbers are used by clients.

For an IP Filter policy rule, you can only select port numbers in either the well-known or the

registered port number range, between 0 and 49151, inclusive. This means that you have the

ability to control how to expose the management services hosted on a switch, but not the ability to

affect the management traffic that is initiated from a switch. A valid port number range is

represented by a dash, for example 7-30. Alternatively, service names can also be used instead of

port number. Table 29 lists the supported service names and their corresponding port number.

TCP and UDP protocols are valid selections. Fabric OS v6.1.0and later does not support

configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed

to support ICMP echo request and reply on commands like ping and traceroute. For the action, only

“permit” and “deny” are valid.

TABLE 29 Supported services

Service name Port number

http 443

rpcd 897

securerpcd 898

snmp 161

ssh 22

sunrpc 111

telnet 23

www 80