HP A7533A HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, Dece - Page 128

Creating IP Filter policy rules A maximum of 256 rules can be created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate sub-command is run. To add a rule to an IP Filter policy: 1. Log in to the switch using an account assigned to the admin role. 2. Issue the following command: ipfilter --addrule -rule -sip -dp -proto -act where: policyname Specifies the policy name, which is a unique string composed of a maximum of 20 alphanumeric and underscore characters. The names default_ipv4 and default_ipv6 are reserved for the default IP Filter policies. The policy name is case-insensitive and always stored as lower case. -rule rule number Specifies a valid rule number between 1 and the current maximum rule number plus one. -sip source IP Specifies the source IP address. For IPv4 filter type, the address must be a 32-bit address in dot decimal notation, or a CIDR block IPv4 prefix. For IPv6 filter type, the address must be a 128-bit IPv6 address in any format specified by RFC, or a CIDR block IPv6 prefix. -dp destination port Specifies the destination port number, or a range of port numbers, or a service name. -proto protocol Specifies the protocol type, either TCP or UDP. -act Specifies the permit or deny action associated with this rule. Deleting IP Filter policy rules Deleting a rule in the specified IP Filter policy causes the rules following the deleted rule to shift up in rule order. The change to the specified IP Filter policy is not saved to persistent configuration until a save or activate sub-command is run. To delete a rule to an IP Filter policy: 1. Log in to the switch using an account assigned to the admin role. 2. Issue the following command: ipfilter --delrule -rule Switch session transactions A transaction is associated with a command line or manageability session. It is opened implicitly when the --create, --addrule, --delrule, --clone, and --delete subcommands are run. The --transabort, --save, or --activate subcommands explicitly end the transaction owned by the current command line or manageability session. If a transaction is not ended, other command line or manageability sessions are blocked on the sub-commands that would open a new transaction. Aborting a switch session transaction To abort a transaction associated with IP Filter: 1. Log in to the switch using an account assigned to the admin role. 2. Issue the following command: ipfilter --transabort IP Filter policy distributions The IP Filter policy is manually distributed, using the distribute --p "IPFILTER" command. The distribution includes both active and defined IP Filter policies. All policies are combined as a single entity to be distributed and cannot be selectively distributed. However, you may choose the time at which to 128 Configuring advanced security features