Configuring ACLs for ARP filtering – Brocade Communications Systems Brocade ICX 6650 User Manual


Brocade ICX 6650 Security Configuration Guide

53-1002601-01

ACLs to filter ARP packets

Configuration considerations for filtering ARP packets

This feature is available on devices running Layer 3 code. This filtering occurs on the
management processor.

The feature is available on physical interfaces and virtual routing interfaces. It is supported on
the following physical interface types: Ethernet and trunks.

ACLs used to filter ARP packets on a virtual routing interface can be inherited from a previous
interface if the virtual routing interface is defined as a follower virtual routing interface.

Configuring ACLs for ARP filtering

To implement the ACL ARP filtering feature, enter commands such as the following.

Brocade(config)# access-list 101 permit ip host 192.168.2.2 any
Brocade(config)# access-list 102 permit ip host 192.168.2.3 any
Brocade(config)# access-list 103 permit ip host 192.168.2.4 any
Brocade(config)# vlan 2
Brocade(config-vlan-2)# tag ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-2)# router-interface ve 2
Brocade(config-vlan-2)# vlan 3
Brocade(config-vlan-3)# tag ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-3)# router-interface ve 3
Brocade(config-vlan-3)# vlan 4
Brocade(config-vlan-4)# tag ethe 1/1/1 to 1/1/2
Brocade(config-vlan-4)# router-interface ve 4
Brocade(config-vlan-4)# interface ve 2
Brocade(config-ve-2)# ip access-group 101 in
Brocade(config-ve-2)# ip address 192.168.2.1/24
Brocade(config-ve-2)# ip use-ACL-on-arp 103
Brocade(config-ve-2)# exit
Brocade(config)# interface ve 3
Brocade(config-ve-3)# ip access-group 102 in
Brocade(config-ve-3)# ip follow ve 2
Brocade(config-ve-3)# ip use-ACL-on-arp
Brocade(config-ve-3)# exit
Brocade(config)# interface ve 4
Brocade(config-ve-4)# ip follow ve 2
Brocade(config-ve-4)# ip use-ACL-on-arp
Brocade(config-ve-4)# exit

Syntax: [no] ip use-ACL-on-arp [ access-list-number ]

When the use-ACL-on-arp command is configured, the ARP module checks the source IP address of
the ARP request packets received on the interface. It then applies the specified ACL policies to the
packet. Only packets whose IP address the ACL permits are written into the ARP table; those that
are not permitted are dropped.

The access-list-number parameter identifies the ID of the standard ACL that will be used to filter the
packet. Only the source and destination IP addresses will be used to filter the ARP packet. You can
do one of the following for access-list-number:

Enter an ACL ID to explicitly specify the ACL to be used for filtering. In the example above, the
line Brocade(config-ve-2)# ip use-ACL-on-arp 103 specifies ACL 103 to be used as the filter.
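The following Python model is an added illustration of the behaviour described above; it is not Brocade code and does not run on the switch. It parses the three access-list lines from the example, mirrors the ve 2 / ve 3 / ve 4 layout (ve 3 and ve 4 follow ve 2 and so inherit ACL 103), and then checks constructed ARP requests against the effective ARP ACL of each interface, learning only permitted senders into a simulated ARP table. The "host", "any" and CIDR address forms, the first-match-wins evaluation, the implicit deny at the end of an ACL, and the sample MAC addresses are all assumptions of this model.

```python
"""Model of 'ip use-ACL-on-arp' semantics (constructed example, not Brocade code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'host A.B.C.D', 'any' or 'A.B.C.D/n'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


@dataclass
class AclEntry:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acls(config_lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N permit|deny ip <src> <dst>' lines into numbered ACLs."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        number, action = int(tokens[1]), tokens[2]
        src, i = _take_addr(tokens, 4)
        dst, _ = _take_addr(tokens, i)
        acls.setdefault(number, []).append(AclEntry(action == "permit", src, dst))
    return acls


def acl_permits(entries: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; an ACL with no match ends in an implicit deny (assumed)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.permit
    return False


@dataclass
class VirtualInterface:
    name: str
    arp_acl: Optional[int] = None     # number given on 'ip use-ACL-on-arp N'
    follows: Optional[str] = None     # 'ip follow ve X'
    arp_table: Dict[str, str] = field(default_factory=dict)


def effective_arp_acl(ve: VirtualInterface, interfaces) -> Optional[int]:
    """A bare 'ip use-ACL-on-arp' on a follower inherits the ACL of the interface it follows."""
    while ve.arp_acl is None and ve.follows is not None:
        ve = interfaces[ve.follows]
    return ve.arp_acl


def process_arp_request(ve, interfaces, acls, sender_ip, target_ip, sender_mac) -> bool:
    """Learn the sender into the ARP table only if the effective ARP ACL permits it."""
    acl_num = effective_arp_acl(ve, interfaces)
    # Only the ARP sender (source) and target (destination) IPs are checked, as the page states.
    if acl_num is None or acl_permits(acls.get(acl_num, []), sender_ip, target_ip):
        ve.arp_table[sender_ip] = sender_mac
        return True
    return False  # dropped, never written to the ARP table


CONFIG = [  # the access-list lines from the example above
    "access-list 101 permit ip host 192.168.2.2 any",
    "access-list 102 permit ip host 192.168.2.3 any",
    "access-list 103 permit ip host 192.168.2.4 any",
]


def build_interfaces():
    """ve 2 binds ACL 103 for ARP; ve 3 and ve 4 follow ve 2 with a bare 'ip use-ACL-on-arp'."""
    return {
        "ve 2": VirtualInterface("ve 2", arp_acl=103),
        "ve 3": VirtualInterface("ve 3", follows="ve 2"),
        "ve 4": VirtualInterface("ve 4", follows="ve 2"),
    }


def demo():
    acls = parse_acls(CONFIG)
    ifs = build_interfaces()
    # Constructed ARP requests: (interface, sender IP, target IP, sender MAC); MACs are made up.
    requests = [
        ("ve 2", "192.168.2.4", "192.168.2.1", "00:00:5e:00:53:04"),   # permitted by ACL 103
        ("ve 2", "192.168.2.2", "192.168.2.1", "00:00:5e:00:53:02"),   # ACL 101 filters IP, not ARP
        ("ve 3", "192.168.2.4", "192.168.2.1", "00:00:5e:00:53:04"),   # inherits 103 via ip follow
        ("ve 4", "192.168.2.99", "192.168.2.1", "00:00:5e:00:53:99"),  # implicit deny
    ]
    results = {}
    for ve_name, sip, tip, mac in requests:
        results[(ve_name, sip)] = process_arp_request(ifs[ve_name], ifs, acls, sip, tip, mac)
    return results, ifs


if __name__ == "__main__":
    outcome, interfaces = demo()
    for key, learned in outcome.items():
        print(key, "learned" if learned else "dropped")
```

The second request shows the point most often missed in practice: the ACL bound with ip access-group filters routed IP traffic, while only the ACL named on ip use-ACL-on-arp (or inherited through ip follow) decides which senders may populate the ARP table.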
