
Brocade ICX 6650 Security Configuration Guide, 53-1002601-01, page 111 (running head: ACLs to filter ARP packets)

Use this feature when you do not want the IPv4 ACLs to apply to all the ports in the virtual interface
VLAN or when you want to streamline IPv4 ACL performance for the VLAN.

To apply an ACL to a subset of ports within a virtual interface, enter commands such as the
following.

Brocade(config)# enable ACL-per-port-per-vlan
Brocade(config)# vlan 10 name IP-subnet-vlan
Brocade(config-vlan-10)# untag ethernet 1/1/1 to 1/2/12
Brocade(config-vlan-10)# router-interface ve 1
Brocade(config-vlan-10)# exit
Brocade(config)# access-list 1 deny host 10.157.22.26 log
Brocade(config)# access-list 1 deny 10.157.29.12 log
Brocade(config)# access-list 1 deny host IPHost1 log
Brocade(config)# access-list 1 permit any
Brocade(config)# interface ve 1
Brocade(config-vif-1/1)# ip access-group 1 in ethernet 1/1/1 ethernet 1/1/3 ethernet 1/2/1 to 1/2/4

The commands in this example configure port-based VLAN 10, add ports 1/1/1 to 1/2/12 to the
VLAN, and add virtual routing interface 1 to the VLAN. The commands following the VLAN
configuration commands configure ACL 1. Finally, the last two commands apply ACL 1 inbound to a subset
of the ports associated with virtual interface 1 (1/1/1, 1/1/3, and 1/2/1 to 1/2/4), not to every port in the VLAN.

Syntax: [no] ip access-group ACL ID in ethernet port [to port]

The ACL ID parameter is the access list name or number.

Specify the port variable in stack-unit/slotnum/portnum format.

ACLs to filter ARP packets

NOTE

This feature is not applicable to outbound traffic.

You can use ACLs to filter ARP packets. Without this feature, ACLs cannot be used to permit or deny
incoming ARP packets. Although an ARP packet contains an IP address just as an IP packet does,
an ARP packet is not an IP packet; therefore, it is not subject to normal filtering provided by ACLs.

When a Brocade device receives an ARP request, the source MAC and IP addresses are stored in
the device ARP table. A new record in the ARP table overwrites existing records that contain the
same IP address. This behavior can cause a condition called "ARP hijacking", when two hosts with
the same IP address try to send an ARP request to the Brocade device.

Normally ARP hijacking is not a problem because IP assignments are done dynamically; however, in
some cases, ARP hijacking can occur, such as when a configuration allows a router interface to
share the IP address of another router interface. Since multiple VLANs and the router interfaces
that are associated with each of the VLANs share the same IP segment, it is possible for two hosts
in two different VLANs to fight for the same IP address in that segment. ARP filtering using ACLs
protects an IP host record in the ARP table from being overwritten by a hijacking host. Using ACLs to
filter ARP requests checks the source IP address in the received ARP packet. Only packets with a
permitted source IP address are written to the ARP table; all others are dropped.
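The following Python model is an added illustration, not Brocade code and not the guide's own example. It reproduces the two behaviours described above: an ARP table in which a new entry for an IP address silently overwrites the existing one (the hijack condition), and a standard ACL applied to ARP requests that allows only permitted sender IP addresses to be written. The standard-ACL matcher uses first-match semantics with an implicit deny when no entry matches. The per-port binding of an ACL to ARP traffic (the `acl_by_port` mapping), the VLAN layout, the MAC addresses and the IP addresses are all constructed for the scenario; the guide does not show the command that binds an ACL to ARP on this page, so the binding here is an assumption.

```python
"""Constructed model of ARP-table learning with and without ACL-based ARP
filtering. Not Brocade code; assumptions are marked in comments."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    network: IPv4Network   # host entry -> /32, "any" -> 0.0.0.0/0


def parse_standard_acl(lines):
    """Parse 'access-list <id> permit|deny host A.B.C.D [log]',
    '... A.B.C.D W.W.W.W [log]' (wildcard mask) or '... any [log]'."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[-1] == "log":          # 'log' only affects logging, not matching
            tokens = tokens[:-1]
        action, src = tokens[2], tokens[3:]
        if src == ["any"]:
            net = IPv4Network("0.0.0.0/0")
        elif src[0] == "host":
            net = IPv4Network(f"{src[1]}/32")
        elif len(src) == 2:
            # ipaddress accepts a host (wildcard) mask such as 0.0.0.255
            net = IPv4Network(f"{src[0]}/{src[1]}")
        else:
            net = IPv4Network(f"{src[0]}/32")   # bare address is treated as a host
        entries.append(AclEntry(action, net))
    return entries


def acl_permits(entries, ip):
    """First matching entry decides; no match means implicit deny."""
    addr = IPv4Address(ip)
    for entry in entries:
        if addr in entry.network:
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class ArpRequest:
    sender_mac: str
    sender_ip: str
    ingress_port: str


def learn_arp(arp_table, packets, acl_by_port=None):
    """Write ARP requests into arp_table (ip -> (mac, port)). A later entry for
    the same IP overwrites the earlier one, which is the hijack condition.
    If the ingress port has an ACL, the sender IP must be permitted by it;
    otherwise the packet is dropped. Returns the list of dropped packets."""
    dropped = []
    for pkt in packets:
        acl = (acl_by_port or {}).get(pkt.ingress_port)
        if acl is not None and not acl_permits(acl, pkt.sender_ip):
            dropped.append(pkt)
            continue
        arp_table[pkt.sender_ip] = (pkt.sender_mac, pkt.ingress_port)
    return dropped


# Constructed scenario: port 1/1/1 (VLAN 10) and port 1/2/1 (VLAN 20) share the
# same IP segment; the host on 1/2/1 claims the IP already used on 1/1/1.
LEGIT = ArpRequest("aa:aa:aa:aa:aa:01", "10.157.22.5", "1/1/1")
HIJACKER = ArpRequest("bb:bb:bb:bb:bb:02", "10.157.22.5", "1/2/1")
OTHER = ArpRequest("cc:cc:cc:cc:cc:03", "10.157.22.9", "1/2/1")

# Constructed ACL: VLAN 20's port may not learn the protected host's IP.
VLAN20_ARP_ACL = parse_standard_acl([
    "access-list 2 deny host 10.157.22.5 log",
    "access-list 2 permit any",
])


def simulate(filtered):
    """Return (arp_table, dropped) after the three requests arrive in order."""
    table = {}
    acl_by_port = {"1/2/1": VLAN20_ARP_ACL} if filtered else None
    dropped = learn_arp(table, [LEGIT, HIJACKER, OTHER], acl_by_port)
    return table, dropped


if __name__ == "__main__":
    for filtered in (False, True):
        table, dropped = simulate(filtered)
        print(f"ARP filtering {'on ' if filtered else 'off'}: "
              f"10.157.22.5 -> {table['10.157.22.5']}, dropped={len(dropped)}")
```

Without filtering the second request overwrites the legitimate record for 10.157.22.5 with the hijacker's MAC and port; with the ACL bound to port 1/2/1 the hijacker's request is dropped while the other host on that port is still learned, which is exactly the protection the section describes.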