Deployment Guide
Local Switch configuration parameters are needed to control whether a switch accepts or rejects
distributions of the AUTH policy using the distribute command and whether the switch may initiate
distribution of the policy. To set the local switch configuration parameter, refer to Policy database
distribution on page 238.
NOTE
This is not supported for Access Gateway mode.
IP Filter policy
The IP Filter policy is a set of rules applied to the IP management interfaces as a packet filtering
firewall. The firewall permits or denies the traffic to go through the IP management interfaces according
to the policy rules.
Fabric OS supports multiple IP Filter policies to be defined at the same time. Each IP Filter policy is
identified by a name and has an associated type. Two IP Filter policy types, IPv4 and IPv6, exist to
provide separate packet filtering for IPv4 and IPv6. It is not allowed to specify an IPv6 address in the
IPv4 filter, or specify an IPv4 address in the IPv6 filter. There can be up to six different IP Filter policies
defined for both types. Only one IP Filter policy for each IP type can be activated on the affected
management IP interfaces.
Audit messages will be generated for any changes to the IP Filter policies.
The rules in the IP Filter policy are examined one at a time until the end of the list of rules. For
performance reasons, the most commonly used rules should be specified at the top.
On a chassis system, changes to persistent IP Filter policies are automatically synchronized to the
standby CP when the changes are saved persistently on the active CP. The standby CP will enforce the
filter policies to its management interface after policies are synchronized with the active CP.
Virtual Fabrics considerations for IP Filter policy
Each logical switch cannot have its own different IP Filter policies. IP Filter policies are treated as a
chassis-wide configuration and are common for all the logical switches in the chassis.
Creating an IP Filter policy
You can create an IP Filter policy specifying any name and using type IPv4 or IPv6. The policy created
is stored in a temporary buffer, and is lost if the current command session logs out. The policy name is
a unique string composed of a maximum of 20 alpha, numeric, and underscore characters. The names
"default_ipv4" and "default_ipv6" are reserved for default IP filter policies. The policy name is case-
insensitive and always stored as lowercase. The policy type identifies the policy as an IPv4 or IPv6
filter. There can be a maximum of six IP Filter policies.
1. Log in to the switch using an account with admin permissions, or an account associated with the
chassis role and having OM permissions for the IPfilter RBAC class of commands.
2. Enter in the ipFilter --create command.
IP Filter policy
Fabric OS Administrators Guide 231
53-1003130-01