Adding a rule to an ip filter policy, Deleting a rule from an ip filter policy, Aborting an ip filter transaction – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual


NOTE
If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT
server configuration, the source address in an IP Filter rule may have to be the NAT server address.

Adding a rule to an IP Filter policy

There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP
Filter policy is not saved to the persistent configuration until a save or activate subcommand is run.

1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --addrule command.

Deleting a rule from an IP Filter policy

Deleting a rule in the specified IP Filter policy causes the rules following the deleted rule to shift up in
rule order. The change to the specified IP Filter policy is not saved to persistent configuration until a
save or activate subcommand is run.

1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --delrule command.

Aborting an IP Filter transaction

A transaction is associated with a command line or manageability session. It is opened implicitly when the --create, --addrule, --delrule, --clone, and --delete subcommands are run. The --transabort, --save, or --activate subcommands explicitly end the transaction owned by the current command line or manageability session. If a transaction is not ended, other command line or manageability sessions are blocked on the subcommands that would open a new transaction.

1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having the OM permissions for the IPfilter RBAC class of commands.
2. Enter the ipFilter --transabort command.

IP Filter policy distribution

The IP Filter policy is manually distributed by command. The distribution includes both active and
defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be
selectively distributed. However, you may choose the time at which to implement the policy for
optimization purposes. If a distribution includes an active IP Filter policy, the receiving switches activate
the same IP Filter policy automatically. When a switch receives IP Filter policies, all uncommitted
changes left in its local transaction buffer are lost, and the transaction is aborted.
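The transaction behaviour described under "Aborting an IP Filter transaction" and the effect of a received distribution above, written out as a small Python model so the session blocking, rule shifting and loss of uncommitted changes can be checked before working on a live switch. This is an added illustration, not code from the Fabric OS guide or from Brocade; the class, method names and rule strings are hypothetical and constructed.

```python
MAX_RULES = 256  # per-policy rule limit stated in the guide

class IpFilterModel:
    # Hypothetical model of ipFilter transaction semantics (not Fabric OS code)
    def __init__(self):
        self.committed = {}  # persistent config: policy name -> ordered rule list
        self.buffer = None   # uncommitted working copy; None when no transaction
        self.owner = None    # session that implicitly opened the transaction

    def _open(self, session):
        # --create/--addrule/--delrule/--clone/--delete open a transaction
        # implicitly; every other session is blocked until it is ended.
        if self.owner not in (None, session):
            raise RuntimeError(f"transaction held by {self.owner}")
        if self.buffer is None:
            self.owner = session
            self.buffer = {k: list(v) for k, v in self.committed.items()}

    def _end(self):
        self.buffer, self.owner = None, None

    def addrule(self, session, policy, rule):
        self._open(session)
        rules = self.buffer.setdefault(policy, [])  # --create folded in here
        if len(rules) >= MAX_RULES:
            raise ValueError("policy already holds 256 rules")
        rules.append(rule)

    def delrule(self, session, policy, number):
        # Rule numbers are 1-based; the rules after the deleted one shift up.
        self._open(session)
        del self.buffer[policy][number - 1]

    def save(self, session):
        # --save (and --activate) end the transaction and persist the buffer.
        if self.owner != session:
            raise RuntimeError(f"transaction held by {self.owner}")
        self.committed = self.buffer
        self._end()

    def transabort(self, session):
        # --transabort discards the uncommitted changes of the owning session.
        if self.owner == session:
            self._end()

    def receive_distribution(self, policies):
        # A received distribution replaces the policy set; uncommitted local
        # changes are lost and the open transaction is aborted.
        self._end()
        self.committed = {k: list(v) for k, v in policies.items()}
```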

The IP Filter policy can be manually distributed to the fabric by command; there is no support for automatic distribution. To distribute the IP Filter policy, see "Distributing the local ACL policies" on page 240 for instructions.

You can accept or deny IP Filter policy distribution through the commands fddCfg --localaccept or fddCfg --localreject. See "Policy database distribution" on page 238 for more information on distributing the IP Filter policy.

Fabric OS Administrators Guide, page 237 (53-1003130-01)