Brocade FastIron Ethernet Switch Security Configuration Guide

Page 132

Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)

NOTE
This section applies to IPv4 ACLs only. IPv6 ACLs do not support ACL filtering based on VE port
membership.

You can apply an IPv4 ACL to a virtual routing interface. The virtual interface is used for routing
between VLANs and contains all the ports within the VLAN. The IPv4 ACL applies to all the ports on
the virtual routing interface. You also can specify a subset of ports within the VLAN containing a
specified virtual interface when assigning an ACL to that virtual interface.

Use this feature when you do not want the IPv4 ACLs to apply to all the ports in the virtual interface
VLAN or when you want to streamline IPv4 ACL performance for the VLAN.

To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following.

device(config)#enable ACL-per-port-per-vlan
...
device(config)#vlan 10 name IP-subnet-vlan
device(config-vlan-10)#untag ethernet 1/1 to 2/12
device(config-vlan-10)#router-interface ve 1
device(config-vlan-10)#exit
device(config)#access-list 1 deny host 10.157.22.26 log
device(config)#access-list 1 deny 10.157.29.12 log
device(config)#access-list 1 deny host IPHost1 log
device(config)#access-list 1 permit any
device(config)#interface ve 1/1
device(config-vif-1/1)#ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4

NOTE
The enable ACL-per-port-per-vlan command must be followed by the write-memory and reload
commands to place the change into effect.

The commands in this example configure port-based VLAN 10, add ports 1/1 - 2/12 to the VLAN, and
add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration
commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports
associated with virtual interface 1.

Syntax: [no] ip access-group ACL-ID in interface port [ to port ]

The ACL ID parameter is the access list name or number.
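A small model of the configuration above, added here as an example (it is not from the Brocade guide or its software), to show which VLAN 10 ports the ACL covers and which it leaves unfiltered when only a subset of ports is named. It assumes 12 ports per slot when expanding "1/1 to 2/12", a constructed address for IPHost1, and that a no-mask entry such as "deny 10.157.29.12" matches that single host.

```python
import ipaddress

PORTS_PER_SLOT = 12  # assumption: 12-port slots, used to expand "a/b to c/d"
NAME_TABLE = {"IPHost1": "10.157.30.5"}  # constructed resolution for the page's hostname

# ACL 1 and the port specs exactly as configured on the page
ACL_1 = [
    "access-list 1 deny host 10.157.22.26 log",
    "access-list 1 deny 10.157.29.12 log",
    "access-list 1 deny host IPHost1 log",
    "access-list 1 permit any",
]
VLAN_PORTS = "ethernet 1/1 to 2/12"
ACL_PORTS = "ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4"


def expand_ports(spec):
    """Expand 'ethernet a/b [to c/d] ...' into a set of 'slot/port' strings."""
    toks, ports, i = spec.split(), set(), 0
    while i < len(toks):
        if toks[i] != "ethernet":
            i += 1
            continue
        start = end = toks[i + 1]
        i += 2
        if i < len(toks) and toks[i] == "to":
            end, i = toks[i + 1], i + 2
        (s1, p1), (s2, p2) = (map(int, x.split("/")) for x in (start, end))
        # linearise slot/port so a range like 1/1 to 2/12 may span slots
        for n in range((s1 - 1) * PORTS_PER_SLOT + p1, (s2 - 1) * PORTS_PER_SLOT + p2 + 1):
            ports.add(f"{(n - 1) // PORTS_PER_SLOT + 1}/{(n - 1) % PORTS_PER_SLOT + 1}")
    return ports


def acl_action(acl, src_ip):
    """First-match evaluation of a standard ACL; implicit deny if no entry matches."""
    for line in acl:
        toks = line.split()
        action, rest = toks[2], toks[3:]
        if rest[0] == "any":
            return action
        target = NAME_TABLE.get(rest[1] if rest[0] == "host" else rest[0])
        target = target or (rest[1] if rest[0] == "host" else rest[0])
        if ipaddress.ip_address(target) == ipaddress.ip_address(src_ip):
            return action
    return "deny"


def ve_decision(src_ip, port):
    """Fate of an inbound packet from src_ip arriving on a given port of VLAN 10."""
    if port not in expand_ports(VLAN_PORTS):
        return "not-in-vlan"
    if port not in expand_ports(ACL_PORTS):
        return "unfiltered"  # in the VE, but outside the ACL's port subset
    return acl_action(ACL_1, src_ip)


def unfiltered_ports():
    """VLAN ports the ACL does not cover: the gap to audit before relying on it."""
    return sorted(expand_ports(VLAN_PORTS) - expand_ports(ACL_PORTS))
```

Running unfiltered_ports() on this configuration lists 18 of the 24 VLAN ports, so the same denied source on port 1/2 is not inspected at all.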

ACLs to filter ARP packets

NOTE
This feature is not applicable to outbound traffic.

You can use ACLs to filter ARP packets. Without this feature, ACLs cannot be used to permit or deny
incoming ARP packets. Although an ARP packet contains an IP address just as an IP packet does, an
ARP packet is not an IP packet; therefore, it is not subject to normal filtering provided by ACLs.

When a Brocade device receives an ARP request, the source MAC and IP addresses are stored in the
device ARP table. A new record in the ARP table overwrites existing records that contain the same IP

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03