1736 FastIron Configuration Guide
53-1002494-02
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the
following.
Brocade(config)#enable ACL-per-port-per-vlan
...
Brocade(config)#vlan 10 name IP-subnet-vlan
Brocade(config-vlan-10)#untag ethernet 1/1 to 2/12
Brocade(config-vlan-10)#router-interface ve 1
Brocade(config-vlan-10)#exit
Brocade(config)#access-list 1 deny host 209.157.22.26 log
Brocade(config)#access-list 1 deny 209.157.29.12 log
Brocade(config)#access-list 1 deny host IPHost1 log
Brocade(config)#access-list 1 permit any
Brocade(config)#interface ve 1/1
Brocade(config-vif-1/1)#ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4
NOTE
For FastIron X Series devices, the enable ACL-per-port-per-vlan command must be followed by the
write-memory and reload commands to place the change into effect.
The commands in this example configure port-based VLAN 10, add ports 1/1 – 2/12 to the VLAN,
and add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration
commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports
associated with virtual interface 1.
Syntax: [no] ip access-group <ACL ID> in ethernet <port> [to <port>]
The <ACL ID> parameter is the access list name or number.
Specify the port variable in one of the following formats:
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
ACLs to filter ARP packets
NOTE
This feature is not applicable to outbound traffic.
You can use ACLs to filter ARP packets. Without this feature, ACLs cannot be used to permit or deny
incoming ARP packets. Although an ARP packet contains an IP address just as an IP packet does,
an ARP packet is not an IP packet; therefore, it is not subject to normal filtering provided by ACLs.
When a Brocade device receives an ARP request, the source MAC and IP addresses are stored in
the device ARP table. A new record in the ARP table overwrites existing records that contain the
same IP address. This behavior can cause a condition called "ARP hijacking", when two hosts with
the same IP address try to send an ARP request to the Brocade device.
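The following is an added example, not Brocade code: a small Python model of the configuration above (VLAN 10 spanning ports 1/1 to 2/12, ACL 1 bound to ports 1/1, 1/3 and 2/1 to 2/4 of ve 1) that evaluates ACL 1 top-down with first-match semantics and shows which ports it actually filters, and, for the ARP section, that an ARP frame passes the IP ACL untouched because it is not an IP packet. It assumes that IPHost1 resolved to the constructed address 10.0.0.5 when the ACL was entered, and that an ACL ends with an implicit deny.

```python
# Added example (not Brocade code): model of the ACL-per-port-per-VLAN binding
# and ACL 1 from the configuration above.
from ipaddress import ip_address

# Assumption: IPHost1 is a hostname the switch resolved to this constructed address.
RESOLVED_HOSTS = {"IPHost1": "10.0.0.5"}

def parse_port(text):
    """'2/4' -> (2, 4); ranges compare as tuples, so no per-slot port count is assumed."""
    slot, port = text.split("/")
    return (int(slot), int(port))

def in_range(port, first, last):
    return parse_port(first) <= parse_port(port) <= parse_port(last)

# VLAN 10 members ("untag ethernet 1/1 to 2/12") and the subset ACL 1 is bound to.
VLAN10_MEMBERS = [("1/1", "2/12")]
ACL1_PORTS = [("1/1", "1/1"), ("1/3", "1/3"), ("2/1", "2/4")]

# ACL 1 in configured order: (action, source host, log).  A None source means "any".
ACL1 = [
    ("deny", "209.157.22.26", True),
    ("deny", "209.157.29.12", True),
    ("deny", RESOLVED_HOSTS["IPHost1"], True),
    ("permit", None, False),
]

def match_acl(acl, src_ip):
    """Evaluate entries top-down; the first match wins.  Returns (action, logged, index)."""
    for idx, (action, source, log) in enumerate(acl):
        if source is None or ip_address(source) == ip_address(src_ip):
            return action, log, idx
    return "deny", False, None   # implicit deny at the end of every ACL

def filter_inbound(port, src_ip, ethertype="ip"):
    """Decide what happens to an inbound frame on a port.  Returns (action, logged, reason)."""
    if not any(in_range(port, a, b) for a, b in VLAN10_MEMBERS):
        return "n/a", False, "port not in VLAN 10"
    if ethertype == "arp":
        # ARP is not an IP packet, so an IP ACL never sees it (see "ACLs to filter ARP packets").
        return "permit", False, "ARP bypasses IP ACL"
    if not any(in_range(port, a, b) for a, b in ACL1_PORTS):
        return "permit", False, "ACL 1 not bound on this port"
    action, logged, idx = match_acl(ACL1, src_ip)
    return action, logged, f"ACL 1 entry {idx}"
```

Note that port 1/2 is a member of VLAN 10 and of ve 1 but is not in the ip access-group port list, so a frame from 209.157.22.26 arriving there is forwarded without being logged.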