Configuring acls for arp filtering – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
address. This behavior can cause a condition called "ARP hijacking", when two hosts with the same IP
address try to send an ARP request to the Brocade device.
Normally ARP hijacking is not a problem because IP assignments are done dynamically; however, in
some cases, ARP hijacking can occur, such as when a configuration allows a router interface to share
the IP address of another router interface. Since multiple VLANs and the router interfaces that are
associated with each of the VLANs share the same IP segment, it is possible for two hosts in two
different VLANs to fight for the same IP address in that segment. ARP filtering using ACLs protects an
IP host record in the ARP table from being overwritten by a hijacking host. Using ACLs to filter ARP
requests checks the source IP address in the received ARP packet. Only packets with the permitted IP
address will be allowed to be written in the ARP table; others are dropped.
Configuration considerations for filtering ARP packets
• This feature is available on devices running Layer 3 code. This filtering occurs on the management
processor.
• The feature is available on physical interfaces and virtual routing interfaces. It is supported on the
following physical interface types: Ethernet and trunks.
• ACLs used to filter ARP packets on a virtual routing interface can be inherited from a previous
interface if the virtual routing interface is defined as a follower virtual routing interface.
• Only extended ACLs with protocol IP can be used. If any other ACL is used, an error is
displayed.
Configuring ACLs for ARP filtering
To implement the ACL ARP filtering feature, enter commands such as the following.
device(config)# access-list 101 permit ip host 192.168.2.2 any
device(config)# access-list 102 permit ip host 192.168.2.3 any
device(config)# access-list 103 permit ip host 192.168.2.4 any
device(config)# vlan 2
device(config-vlan-2)# tag ethe 1/1 to 1/2
device(config-vlan-2)# router-interface ve 2
device(config-vlan-2)# vlan 3
device(config-vlan-3)# tag ethe 1/1 to 1/2
device(config-vlan-3)# router-int ve 3
device(config-vlan-3)# vlan 4
device(config-vlan-4)# tag ethe 1/1 to 1/2
device(config-vlan-4)# router-int ve 4
device(config-vlan-4)# interface ve 2
device(config-ve-2)# ip access-group 101 in
device(config-ve-2)# ip address 192.168.2.1/24
device(config-ve-2)# ip use-ACL-on-arp 103
device(config-ve-2)# exit
device(config)# interface ve 3
device(config-ve-3)# ip access-group 102 in
device(config-ve-3)# ip follow ve 2
device(config-ve-3)# ip use-ACL-on-arp
device(config-ve-3)# exit
device(config)# interface ve 4
device(config-ve-4)# ip follow ve 2
device(config-ve-4)# ip use-ACL-on-arp
device(config-ve-4)# exit
Syntax: [no] ip use-ACL-on-arp [ access-list-number ]
When the use-ACL-on-arp command is configured, the ARP module checks the source IP address of
the ARP request packets received on the interface. It then applies the specified ACL policies to the
packet. Only the packet with the IP address that the ACL permits will be allowed to be written in
the ARP table; those that are not permitted will be dropped.
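As an added illustration (not code from the guide or the FastIron software), the following Python model reproduces the filtering decision described above: it reads the sender protocol address from a constructed ARP request, resolves which ARP ACL applies to a virtual routing interface (walking the `ip follow` chain, on the assumption that a follower VE inherits the leader's ARP ACL when `ip use-ACL-on-arp` is entered without a list number), and writes the ARP table only on a permit. The ACL contents, VE names and frames are constructed to mirror the page's example.

```python
import ipaddress
import struct

# Constructed ACLs mirroring the page's example ("permit ip host X any"); host "any" matches all.
ACLS = {101: [("permit", "192.168.2.2")],
        102: [("permit", "192.168.2.3")],
        103: [("permit", "192.168.2.4")]}

# Constructed VE config: ve 2 binds ACL 103 for ARP; ve 3 / ve 4 follow ve 2 and
# inherit its ARP ACL (assumed model of "ip use-ACL-on-arp" with no list number).
VE_CONFIG = {"ve 2": {"arp_acl": 103, "follow": None},
             "ve 3": {"arp_acl": None, "follow": "ve 2"},
             "ve 4": {"arp_acl": None, "follow": "ve 2"}}

def effective_arp_acl(ve, cfg=VE_CONFIG):
    """Resolve the ARP ACL for a VE by walking the 'ip follow' chain (loop-safe)."""
    seen = set()
    while ve is not None and ve not in seen:
        seen.add(ve)
        if cfg[ve]["arp_acl"] is not None:
            return cfg[ve]["arp_acl"]
        ve = cfg[ve]["follow"]
    return None

def arp_sender_ip(frame):
    """Sender protocol address of an IPv4-over-Ethernet ARP frame, or None if malformed."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType must be ARP
        return None
    _htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if ptype != 0x0800 or hlen != 6 or plen != 4 or oper not in (1, 2):
        return None
    return str(ipaddress.IPv4Address(frame[28:32]))

def acl_permits(acl_id, src_ip):
    """First matching entry decides; an ACL with no match ends in an implicit deny."""
    for action, host in ACLS.get(acl_id, []):
        if host in ("any", src_ip):
            return action == "permit"
    return False

def arp_filter(ve, frame, arp_table):
    """Apply the VE's ARP ACL to a received ARP frame; learn the entry only on permit."""
    src_ip = arp_sender_ip(frame)
    acl_id = effective_arp_acl(ve)
    if src_ip is None or (acl_id is not None and not acl_permits(acl_id, src_ip)):
        return "dropped"
    arp_table[src_ip] = frame[22:28].hex(":")   # sender hardware address
    return "learned"

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed sample frame: Ethernet broadcast header + ARP who-has."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + ipaddress.IPv4Address(sender_ip).packed
    return b"\xff" * 6 + sender_mac + b"\x08\x06" + arp + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
```

Because ve 3 and ve 4 resolve to ACL 103, a request from 192.168.2.2 (permitted only by ACL 101, the data-plane ACL) is still rejected for the ARP table on those interfaces, which is the distinction between `ip access-group` and `ip use-ACL-on-arp` that the example configuration relies on.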
FastIron Ethernet Switch Security Configuration Guide
133
53-1003088-03