Fabric OS Administrator's Guide, 53-1002920-02, page 258
IP Filter policy (chapter 8)

Traffic type and destination IP
The traffic type and destination IP elements allow an IP Filter policy rule to specify filter enforcement for
IP forwarding. The INPUT traffic type is the default and restricts rules to managing traffic on the IP
management interfaces.
The FORWARD traffic type allows management of bidirectional traffic between the external
management interface and the inband management interface. In this case, the destination IP
element should also be specified.
Implicit filter rules
For every IP Filter policy, the two rules listed in Table 46 are always assumed to be appended
implicitly to the end of the policy. This ensures that TCP and UDP traffic to the dynamic port range is
allowed, so that management IP traffic initiated from the switch, such as syslog, RADIUS, and FTP, is not
affected.
Default policy rules
Switches have a default IP Filter policy for IPv4 and IPv6. The default IP Filter policy cannot be
deleted or changed. When an alternative IP Filter policy is activated, the default IP Filter policy
becomes deactivated. Table 47 lists the rules of the default IP Filter policy.
IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4
management traffic passes through the active IPv4 filter policy, and IPv6 management traffic
passes through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress)
management traffic only. When a packet arrives, it is compared against each rule, starting from the
TABLE 46 Implicit IP Filter rules

Source address   Destination port   Protocol   Action
Any              1024-65535         TCP        Permit
Any              1024-65535         UDP        Permit

TABLE 47 Default IP policy rules

Rule number   Source address   Destination port   Protocol   Action
1             Any              22                 TCP        Permit
2             Any              23                 TCP        Permit
6             Any              80                 TCP        Permit
7             Any              443                TCP        Permit
8             Any              161                UDP        Permit
10            Any              123                UDP        Permit
11 (1)        Any              600-1023           TCP        Permit
12 (1)        Any              600-1023           UDP        Permit

1. None of the RPC ports are configurable, even though the action shows "Permit".
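The following is an added example, not Fabric OS code, that models the rule evaluation described above: a policy is walked in order with the Table 46 implicit rules appended, and the Table 47 default rules are loaded as data. It assumes (the page's own sentence is cut off) that the first matching rule decides the action and that a packet matching no rule is dropped; the Rule, evaluate and shadowed_rules names are the example's own, and the shadowed-rule check (an earlier any-source rule of the same protocol covering a later rule's ports) is an administrator's sanity check that goes slightly beyond the page.

```python
# Added example modelling Fabric OS IP Filter evaluation; not Fabric OS code.
# Assumed (the page's text is cut off): first match wins, no match means drop.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    number: int
    dst_ports: Tuple[int, int]  # inclusive destination port range
    protocol: str               # "tcp" or "udp"
    action: str                 # "permit" or "deny"
    source: str = "any"         # "any" or a CIDR such as "192.0.2.0/24"

    def matches(self, src_ip: str, protocol: str, dst_port: int) -> bool:
        lo, hi = self.dst_ports
        if self.protocol != protocol or not lo <= dst_port <= hi:
            return False
        return self.source == "any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)

# Table 47: default IPv4 policy rules exactly as listed on the page
DEFAULT_RULES = [
    Rule(1, (22, 22), "tcp", "permit"), Rule(2, (23, 23), "tcp", "permit"),
    Rule(6, (80, 80), "tcp", "permit"), Rule(7, (443, 443), "tcp", "permit"),
    Rule(8, (161, 161), "udp", "permit"), Rule(10, (123, 123), "udp", "permit"),
    Rule(11, (600, 1023), "tcp", "permit"), Rule(12, (600, 1023), "udp", "permit"),
]
# Table 46: implicit rules appended to every policy (replies to switch-initiated traffic)
IMPLICIT_RULES = [Rule(0, (1024, 65535), "tcp", "permit"), Rule(0, (1024, 65535), "udp", "permit")]

def evaluate(policy: List[Rule], src_ip: str, protocol: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or ("deny", None) if none matches."""
    for rule in list(policy) + IMPLICIT_RULES:
        if rule.matches(src_ip, protocol, dst_port):
            return rule.action, rule.number
    return "deny", None  # assumed implicit drop

def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Rules that can never fire: an earlier any-source rule of the same protocol covers their ports."""
    shadowed = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            lo, hi = earlier.dst_ports
            if (earlier.protocol == later.protocol and earlier.source == "any"
                    and lo <= later.dst_ports[0] and later.dst_ports[1] <= hi):
                shadowed.append(later.number)
                break
    return shadowed
```

With the default policy, SSH to port 22 hits rule 1 and a UDP reply to port 33000 is permitted only by the implicit rule (number 0 here), while a constructed policy that permits TCP 1-1023 before denying TCP 23 never reaches its deny, which shadowed_rules reports.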