Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)
IP Filter policy
For every IP Filter policy, the two rules listed in Table 30 are always assumed to be appended
implicitly to the end of the policy. This ensures that TCP and UDP traffic to the dynamic port ranges is
allowed, so that management IP traffic initiated from the switch, such as syslog, RADIUS, and FTP, is not
affected.
A switch with Fabric OS v6.1.0 or later will have a default IP Filter policy for IPv4 and IPv6. The
default IP Filter policy cannot be deleted or changed. When an alternative IP Filter policy is
activated, the default IP Filter policy becomes deactivated. Table 31 lists the rules of the default IP
Filter policy.
IP Filter policy enforcement
An active IP Filter policy is a filter applied to IP packets arriving on the management interface. IPv4
management traffic passes through the active IPv4 filter policy, and IPv6 management traffic
passes through the active IPv6 filter policy. The IP Filter policy applies to incoming (ingress)
management traffic only. When a packet arrives, it is compared against each rule, starting from the
first rule. If a match is found for the source address, destination port, and protocol, the
corresponding action for that rule is taken, and the subsequent rules in the policy are ignored. If
there is no match, the packet is compared to the next rule in the policy. This process continues until the
incoming packet has been compared to all rules in the active policy.
If none of the rules in the policy matches the incoming packet, the two implicit rules are matched to
the incoming packet. If the rules still do not match the packet, the default action, which is to deny,
is taken.
When the IPv4 or IPv6 address for the management interface of a switch is changed through the
ipAddrSet command or manageability tools, the active IP Filter policies automatically become
enforced on the management IP interface with the changed IP address.
TABLE 30 Implicit IP Filter rules
Source address    Destination port    Protocol    Action
Any               1024-65535          TCP         Permit
Any               1024-65535          UDP         Permit

TABLE 31 Default IP policy rules
Rule number    Source address    Destination port    Protocol    Action
1              Any               22                  TCP         Permit
2              Any               23                  TCP         Permit
3              Any               897                 TCP         Permit
4              Any               898                 TCP         Permit
5              Any               111                 TCP         Permit
6              Any               80                  TCP         Permit
7              Any               443                 TCP         Permit
9              Any               161                 UDP         Permit
10             Any               111                 UDP         Permit
11             Any               123                 UDP         Permit
12             Any               600-1023            UDP         Permit
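The following is an added worked example, not Brocade code and not part of the guide. It models the first-match evaluation described under "IP Filter policy enforcement": the explicit rules of a policy are tried in order, then the two implicit rules of Table 30, and finally the default deny. The default policy is loaded from Table 31 exactly as printed above (rule 8 does not appear on the page, so it is not included). The second policy, HARDENED_POLICY, and the source addresses 10.0.0.5 and 192.0.2.10 are constructed for the example; they illustrate that a low-numbered port not covered by an explicit rule falls through to the default deny, because the implicit rules only cover 1024-65535.

```python
"""Simulation of Fabric OS IP Filter policy evaluation (added example, not Brocade code)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One IP Filter rule: source, inclusive destination port range, protocol, action."""
    number: int             # rule number as listed in the policy
    source: str             # "any" or a literal management-host address
    port_range: Tuple[int, int]
    protocol: str           # "tcp" or "udp"
    action: str             # "permit" or "deny"

    def matches(self, src: str, dport: int, proto: str) -> bool:
        # A rule matches only if source address, destination port and protocol all match.
        if self.source != "any" and self.source != src:
            return False
        low, high = self.port_range
        return low <= dport <= high and self.protocol == proto


# Table 30: implicit rules appended to the end of every policy (dynamic port ranges).
IMPLICIT_RULES: List[Rule] = [
    Rule(1, "any", (1024, 65535), "tcp", "permit"),
    Rule(2, "any", (1024, 65535), "udp", "permit"),
]

# Table 31: the default IPv4/IPv6 policy as printed in the guide (no rule 8 is listed there).
DEFAULT_POLICY: List[Rule] = [
    Rule(1, "any", (22, 22), "tcp", "permit"),
    Rule(2, "any", (23, 23), "tcp", "permit"),
    Rule(3, "any", (897, 897), "tcp", "permit"),
    Rule(4, "any", (898, 898), "tcp", "permit"),
    Rule(5, "any", (111, 111), "tcp", "permit"),
    Rule(6, "any", (80, 80), "tcp", "permit"),
    Rule(7, "any", (443, 443), "tcp", "permit"),
    Rule(9, "any", (161, 161), "udp", "permit"),
    Rule(10, "any", (111, 111), "udp", "permit"),
    Rule(11, "any", (123, 123), "udp", "permit"),
    Rule(12, "any", (600, 1023), "udp", "permit"),
]

# Constructed alternative policy (hypothetical, not from the guide): SSH only from one
# management host, Telnet explicitly denied, HTTPS permitted from anywhere.
HARDENED_POLICY: List[Rule] = [
    Rule(1, "10.0.0.5", (22, 22), "tcp", "permit"),
    Rule(2, "any", (23, 23), "tcp", "deny"),
    Rule(3, "any", (443, 443), "tcp", "permit"),
]


def evaluate(policy: List[Rule], src: str, dport: int, proto: str) -> Tuple[str, str]:
    """Return (action, reason) for one ingress management packet.

    Order of evaluation, as the guide describes it: explicit rules first-match,
    then the implicit rules of Table 30, then the default action (deny).
    """
    for rule in policy:
        if rule.matches(src, dport, proto):
            return rule.action, f"rule {rule.number}"
    for rule in IMPLICIT_RULES:
        if rule.matches(src, dport, proto):
            return rule.action, f"implicit rule {rule.number}"
    return "deny", "default deny"


if __name__ == "__main__":
    # Constructed sample packets: (policy name, source, destination port, protocol)
    samples = [
        ("default", "192.0.2.10", 22, "tcp"),     # SSH: explicit rule 1
        ("default", "192.0.2.10", 5000, "tcp"),   # dynamic port: implicit rule
        ("default", "192.0.2.10", 514, "udp"),    # syslog port: no rule, default deny
        ("hardened", "192.0.2.10", 22, "tcp"),    # SSH from a non-management host: denied
        ("hardened", "10.0.0.5", 23, "tcp"),      # Telnet: explicit deny
    ]
    for name, src, dport, proto in samples:
        policy = DEFAULT_POLICY if name == "default" else HARDENED_POLICY
        action, reason = evaluate(policy, src, dport, proto)
        print(f"{name:8} {src:>12} {proto}/{dport:<5} -> {action:6} ({reason})")
```

Because the switch's own outbound sessions (syslog, RADIUS, FTP) receive replies on dynamic ports, the implicit rules keep those replies flowing even under a restrictive policy; inbound connections to well-known ports, on the other hand, are only permitted if an explicit rule permits them.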