Configuration Guide User guide

FastIron Configuration Guide 1737
53-1002494-02
ACLs to filter ARP packets
Normally ARP hijacking is not a problem because IP assignments are done dynamically; however, in
some cases ARP hijacking can occur, such as when a configuration allows a router interface to
share the IP address of another router interface. Since multiple VLANs and the router interfaces
associated with each of the VLANs share the same IP segment, it is possible for two hosts in
two different VLANs to contend for the same IP address in that segment. ARP filtering using ACLs
protects an IP host record in the ARP table from being overwritten by a hijacking host. When ACLs
are used to filter ARP requests, the source IP address in the received ARP packet is checked against
the ACL. Only packets with a permitted source IP address are written to the ARP table; all others
are dropped.
Configuration considerations for filtering ARP packets
This feature is available on devices running Layer 3 code. This filtering occurs on the
management processor.
The feature is available on physical interfaces and virtual routing interfaces. It is supported on
the following physical interface types: Ethernet and trunks.
ACLs used to filter ARP packets on a virtual routing interface can be inherited from a previous
interface if the virtual routing interface is defined as a follower virtual routing interface.
Configuring ACLs for ARP filtering
To implement the ACL ARP filtering feature, enter commands such as the following.
Brocade(config)# access-list 101 permit ip host 192.168.2.2 any
Brocade(config)# access-list 102 permit ip host 192.168.2.3 any
Brocade(config)# access-list 103 permit ip host 192.168.2.4 any
Brocade(config)# vlan 2
Brocade(config-vlan-2)# tag ethe 1/1 to 1/2
Brocade(config-vlan-2)# router-interface ve 2
Brocade(config-vlan-2)# vlan 3
Brocade(config-vlan-3)# tag ethe 1/1 to 1/2
Brocade(config-vlan-3)# router-int ve 3
Brocade(config-vlan-3)# vlan 4
Brocade(config-vlan-4)# tag ethe 1/1 to 1/2
Brocade(config-vlan-4)# router-int ve 4
Brocade(config-vlan-4)# interface ve 2
Brocade(config-ve-2)# ip access-group 101 in
Brocade(config-ve-2)# ip address 192.168.2.1/24
Brocade(config-ve-2)# ip use-ACL-on-arp 103
Brocade(config-ve-2)# exit
Brocade(config)# interface ve 3
Brocade(config-ve-3)# ip access-group 102 in
Brocade(config-ve-3)# ip follow ve 2
Brocade(config-ve-3)# ip use-ACL-on-arp
Brocade(config-ve-3)# exit
Brocade(config)# interface ve 4
Brocade(config-ve-4)# ip follow ve 2
Brocade(config-ve-4)# ip use-ACL-on-arp
Brocade(config-ve-4)# exit
Syntax: [no] ip use-ACL-on-arp [ <access-list-number> ]
When the use-ACL-on-arp command is configured, the ARP module checks the source IP address of
the ARP request packets received on the interface and applies the specified ACL to each packet.
Only packets whose source IP address the ACL permits are written to the ARP table; packets that
are not permitted are dropped. On a follower virtual routing interface, the command is entered
without an access-list number and the ACL is inherited from the interface it follows.
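The following Python model is an added illustration of the check described above, not code from the guide or the FastIron software: ACL 103 is bound to ve 2 for ARP, ve 3 and ve 4 inherit it through "ip follow ve 2", and only ARP requests whose sender IP the ACL permits may create or overwrite an ARP table entry. The interface names and ACL numbers match the configuration example; the MAC addresses and ARP table are constructed, and only the source IP is evaluated, as the guide states.

```python
from ipaddress import ip_address, ip_network

# Constructed model of "ip use-ACL-on-arp". Each ACL is a list of
# (action, source_network); "permit ip host A any" becomes ("permit", "A/32").
# The "any" destination is not evaluated because only the source IP is checked.
ACLS = {
    101: [("permit", "192.168.2.2/32")],
    102: [("permit", "192.168.2.3/32")],
    103: [("permit", "192.168.2.4/32")],
}

# ve 2 binds ACL 103 to ARP; ve 3 and ve 4 follow ve 2 and give no ACL number,
# so they inherit the ARP ACL of the interface they follow.
INTERFACES = {
    "ve 2": {"arp_acl": 103, "follow": None},
    "ve 3": {"arp_acl": None, "follow": "ve 2"},
    "ve 4": {"arp_acl": None, "follow": "ve 2"},
}


def effective_arp_acl(ifname, interfaces=INTERFACES):
    """Resolve the ARP ACL for an interface by walking the 'ip follow' chain.
    The seen-set guards against a misconfigured follow loop."""
    seen = set()
    while ifname is not None and ifname not in seen:
        seen.add(ifname)
        cfg = interfaces[ifname]
        if cfg["arp_acl"] is not None:
            return cfg["arp_acl"]
        ifname = cfg["follow"]
    return None


def acl_permits(acl_id, src_ip, acls=ACLS):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, net in acls.get(acl_id, []):
        if ip_address(src_ip) in ip_network(net):
            return action == "permit"
    return False


def process_arp(ifname, sender_ip, sender_mac, arp_table):
    """Apply the interface's ARP ACL to the sender IP. Returns True when the
    ARP table was updated and False when the packet was dropped unchanged."""
    acl_id = effective_arp_acl(ifname)
    if acl_id is not None and not acl_permits(acl_id, sender_ip):
        return False  # dropped: a non-permitted host cannot overwrite an entry
    arp_table[sender_ip] = sender_mac
    return True
```

With no use-ACL-on-arp bound anywhere in the follow chain, the model accepts every request, which is the unfiltered behaviour the guide contrasts against.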