ACLs to filter ARP packets

Configuration considerations for filtering ARP packets

This feature is available on devices running Layer 3 code. This filtering occurs on the management processor.

The feature is available on physical interfaces and virtual routing interfaces. The supported physical interface types are Ethernet ports and trunks.

A virtual routing interface configured as a follower (with ip follow ve) inherits the ARP-filtering ACL of the interface it follows, so the ACL does not have to be specified again on the follower.

Configuring ACLs for ARP filtering

To implement the ACL ARP filtering feature, enter commands such as the following.

Brocade(config)# access-list 101 permit ip host 192.168.2.2 any
Brocade(config)# access-list 102 permit ip host 192.168.2.3 any
Brocade(config)# access-list 103 permit ip host 192.168.2.4 any
Brocade(config)# vlan 2
Brocade(config-vlan-2)# tag ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-2)# router-interface ve 2
Brocade(config-vlan-2)# vlan 3
Brocade(config-vlan-3)# tag ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-3)# router-interface ve 3
Brocade(config-vlan-3)# vlan 4
Brocade(config-vlan-4)# tag ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-4)# router-interface ve 4
Brocade(config-vlan-4)# interface ve 2
Brocade(config-ve-2)# ip access-group 101 in
Brocade(config-ve-2)# ip address 192.168.2.1/24
Brocade(config-ve-2)# ip use-ACL-on-arp 103
Brocade(config-ve-2)# exit
Brocade(config)# interface ve 3
Brocade(config-ve-3)# ip access-group 102 in
Brocade(config-ve-3)# ip follow ve 2
Brocade(config-ve-3)# ip use-ACL-on-arp
Brocade(config-ve-3)# exit
Brocade(config)# interface ve 4
Brocade(config-ve-4)# ip follow ve 2
Brocade(config-ve-4)# ip use-ACL-on-arp
Brocade(config-ve-4)# exit

Syntax: [no] ip use-ACL-on-arp [access-list-number]

When the ip use-ACL-on-arp command is configured, the ARP module checks the source IP address of each ARP request received on the interface and applies the specified ACL to it. Only ARP requests whose source IP address the ACL permits are written to the ARP table; requests that the ACL does not permit are dropped. Note that the check is on the IP address alone, so it controls which addresses may populate the ARP table but does not verify that the sender MAC address actually belongs to that IP address.

The access-list-number parameter identifies the numbered ACL that will be used to filter the packet (ACLs 101 to 103 in the example above). Only the source and destination IP address criteria of the ACL entries are applied to the ARP packet; other match fields are ignored. You can do one of the following for access-list-number:

Enter an ACL ID to explicitly specify the ACL to be used for filtering. In the example above, the line Brocade(config-ve-2)# ip use-ACL-on-arp 103 specifies ACL 103 to be used as the filter.
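The following Python model is an added illustration, not code from the Brocade guide or from the switch. It parses the three ACLs above, reproduces the follower relationship between ve 2, ve 3 and ve 4 (ve 3 and ve 4 inherit ACL 103 because they run ip use-ACL-on-arp with no number), and applies the filter to a few constructed ARP requests to show which sender addresses reach the ARP table. The ACL parser, the interface records and the sample packets are written for this example; the mapping of the ARP sender and target protocol addresses onto the ACL's source and destination fields, the implicit deny at the end of an ACL, and the extended-ACL "address wildcard-mask" form used in ACL 104 are assumptions, not statements taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's ACLs 101-103 plus an extra ACL 104 with a deny
# entry and a wildcard-mask entry (assumed Brocade extended-ACL syntax).
ACL_CONFIG = """
access-list 101 permit ip host 192.168.2.2 any
access-list 102 permit ip host 192.168.2.3 any
access-list 103 permit ip host 192.168.2.4 any
access-list 104 deny ip host 192.168.2.50 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
"""

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # action, src, dst


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACL address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a contiguous hostmask (0.0.0.255) in the mask position.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into ordered entries."""
    acls: Dict[int, List[Entry]] = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        acl_id, action = int(tokens[1]), tokens[2]
        src, i = _take_addr(tokens, 4)
        dst, _ = _take_addr(tokens, i)
        acls.setdefault(acl_id, []).append((action, src, dst))
    return acls


def acl_permits(entries: List[Entry], sender_ip: str, target_ip: str) -> bool:
    """First-match evaluation on source/destination IP only; implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(sender_ip), ipaddress.ip_address(target_ip)
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False


@dataclass
class Ve:
    name: str
    arp_acl: Optional[int] = None   # ip use-ACL-on-arp <n>
    follow: Optional[str] = None    # ip follow ve <x>


# The page's interface layout: ve 2 names ACL 103, ve 3 and ve 4 follow ve 2.
VES = {
    "ve 2": Ve("ve 2", arp_acl=103),
    "ve 3": Ve("ve 3", follow="ve 2"),
    "ve 4": Ve("ve 4", follow="ve 2"),
}


def resolve_arp_acl(name: str, ves: Dict[str, Ve]) -> Optional[int]:
    """Return the ARP-filter ACL for an interface, walking the follower chain."""
    seen = set()
    while name not in seen:
        seen.add(name)
        ve = ves[name]
        if ve.arp_acl is not None:
            return ve.arp_acl
        if ve.follow is None:
            return None
        name = ve.follow
    raise ValueError("ip follow loop detected")


# Constructed ARP requests: (sender IP, sender MAC, target IP).
ARP_REQUESTS = [
    ("192.168.2.4", "00:11:22:33:44:04", "192.168.2.1"),   # permitted by ACL 103
    ("192.168.2.2", "00:11:22:33:44:02", "192.168.2.1"),   # in ACL 101, not in 103
    ("192.168.2.99", "de:ad:be:ef:00:99", "192.168.2.1"),  # implicit deny
    ("192.168.2.4", "de:ad:be:ef:00:04", "192.168.2.1"),   # claims a permitted IP
]


def filter_arp(ve_name: str, requests, acls: Dict[int, List[Entry]], ves: Dict[str, Ve]):
    """Apply the interface's ARP ACL; return (ARP table, dropped sender IPs)."""
    acl_id = resolve_arp_acl(ve_name, ves)
    learned: Dict[str, str] = {}
    dropped: List[str] = []
    for sender_ip, sender_mac, target_ip in requests:
        if acl_id is not None and not acl_permits(acls[acl_id], sender_ip, target_ip):
            dropped.append(sender_ip)
            continue
        learned[sender_ip] = sender_mac  # later request overwrites, as in a real ARP cache
    return learned, dropped


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for ve_name in VES:
        table, dropped = filter_arp(ve_name, ARP_REQUESTS, acls, VES)
        print(ve_name, "uses ACL", resolve_arp_acl(ve_name, VES), "table:", table, "dropped:", dropped)
```

The last sample request is the caveat worth remembering: because the filter looks only at the sender IP address, a station that claims the permitted address 192.168.2.4 with a different MAC address still gets written to the ARP table and overwrites the earlier entry. ACL-based ARP filtering limits which addresses may enter the table; it is not a substitute for a control that validates the IP-to-MAC binding.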

Brocade ICX 6650 Security Configuration Guide
53-1002601-01