Brocade FastIron Ethernet Switch Security Configuration Guide (53-1003088-03): Displaying ACL filters for ARP; Clearing the filter count; Filtering on IP precedence and ToS values

The access-list-number parameter identifies the ID of the standard ACL that will be used to filter the
packet. Only the source and destination IP addresses in the ACL are used to filter the ARP packet. You can do
one of the following for access-list-number:

• Enter an ACL ID to explicitly specify the ACL to be used for filtering. In the example above, the line
  device#ip use-ACL-on-arp 103 specifies ACL 103 to be used as the filter.

• Allow the ACL ID to be inherited from the IP ACLs that have been defined for the device. In the
  example above, the line device#ip use-ACL-on-arp allows the ACL to be inherited from IP ACL
  101 because of the ip follow relationship between virtual routing interface 2 and virtual routing
  interface 4. Virtual routing interface 2 is configured with IP ACL 101; thus virtual routing interface 4
  inherits IP ACL 101.

ARP requests will not be filtered by ACLs if either of the following conditions occurs:

• The ACL is to be inherited from an IP ACL, but no IP ACL is defined.
• An ACL ID is specified for the use-ACL-on-arp command, but no IP address or "any any" filtering
  criteria have been defined under that ACL ID.

In both cases the command is accepted but has no effect, so verify the referenced ACL actually contains
entries before relying on it to drop ARP traffic.

Displaying ACL filters for ARP

To determine which ACLs have been configured to filter ARP requests, enter a command such as the
following.

device(config)#show ACL-on-arp
Port   ACL ID   Filter Count
2      103      10
3      102      23
4      101      12

Syntax: show ACL-on-arp [ [ interface port ] | loopback [ num ] | ve [ num ] ]

If no interface is specified, all ports on the device that use ACLs for ARP filtering are included in the
display.

The Filter Count column shows how many ARP packets have been dropped on the interface since the
last time the count was cleared. A count that goes down between two readings means the counter was
reset, not that fewer packets were dropped.

Clearing the filter count

To clear the filter count for all interfaces on the device, enter a command such as the following.

device(config)#clear ACL-on-arp

The above command resets the filter count on all interfaces in a device back to zero.

Syntax: clear ACL-on-arp
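The two conditions under which ARP filtering silently does nothing, and the drop counter semantics of show ACL-on-arp and clear ACL-on-arp, are easy to get wrong when this output is collected by a monitoring job. The following Python script is an added example, not code from the guide or from Brocade: it parses constructed show ACL-on-arp output in the column layout shown above, computes the per-port increase in ARP drops between two snapshots while recognising a counter reset, and lints a constructed running-config fragment to find ports whose use-ACL-on-arp references an ACL with no entries. The interface names, the ACL contents and all counter values are assumptions made for the example; the config syntax is modelled on the commands shown on this page.

```python
import re

# Constructed sample output in the layout of "show ACL-on-arp" on this page.
# Counter values are hypothetical, not captured from a device.
SHOW_BEFORE = """\
Port   ACL ID   Filter Count
2      103      10
3      102      23
4      101      12
"""

# Second snapshot: port 2 has dropped many more ARP packets, port 4 was
# cleared with "clear ACL-on-arp" (or the interface bounced) in between.
SHOW_AFTER = """\
Port   ACL ID   Filter Count
2      103      250
3      102      23
4      101      0
"""

# Constructed running-config fragment (assumed syntax, modelled on the
# commands shown on the page). ACL 102 is referenced but never defined,
# which is the second "ARP will not be filtered" condition in the text.
RUNNING_CONFIG = """\
access-list 101 permit ip 10.157.21.0/24 any
access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet
access-list 103 permit ip any any
interface ethernet 2
 ip use-ACL-on-arp 103
interface ethernet 3
 ip use-ACL-on-arp 102
interface ethernet 4
 ip use-ACL-on-arp 101
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_acl_on_arp(text):
    """Return {port: (acl_id, filter_count)} from show ACL-on-arp output."""
    rows = {}
    for line in text.splitlines():
        if line.startswith("Port"):
            continue  # header row
        m = ROW_RE.match(line)
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows


def drop_deltas(before, after):
    """Per-port ARP drops since the previous snapshot.

    Returns {port: (acl_id, increase, reset_seen)}. A count lower than the
    previous reading means the counter was cleared; the whole new value is
    then reported as the increase and reset_seen is True, so an alert on
    rising drops is neither missed nor turned into a negative number.
    """
    deltas = {}
    for port, (acl_id, count) in after.items():
        prev = before.get(port, (acl_id, 0))[1]
        if count < prev:
            deltas[port] = (acl_id, count, True)
        else:
            deltas[port] = (acl_id, count - prev, False)
    return deltas


def acl_entries(config):
    """Map ACL ID -> list of its permit/deny lines."""
    entries = {}
    for line in config.splitlines():
        m = re.match(r"^access-list (\d+) (permit|deny) ", line)
        if m:
            entries.setdefault(int(m.group(1)), []).append(line.strip())
    return entries


def arp_filter_bindings(config):
    """Map port -> ACL ID given to use-ACL-on-arp (None if to be inherited)."""
    bindings, port = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface \S+ (\S+)", line)
        if m:
            port = m.group(1)
        m = re.match(r"^\s+ip use-ACL-on-arp(?: (\d+))?\s*$", line)
        if m and port is not None:
            bindings[port] = int(m.group(1)) if m.group(1) else None
    return bindings


def ineffective_arp_filters(config):
    """Ports whose ARP filter cannot drop anything, with the reason."""
    entries = acl_entries(config)
    bad = {}
    for port, acl_id in arp_filter_bindings(config).items():
        if acl_id is None:
            bad[port] = "inherits ACL; confirm an IP ACL is bound on the ve"
        elif acl_id not in entries:
            bad[port] = f"ACL {acl_id} has no entries; ARP not filtered"
    return bad


if __name__ == "__main__":
    for port, (acl, inc, reset) in drop_deltas(
            parse_show_acl_on_arp(SHOW_BEFORE),
            parse_show_acl_on_arp(SHOW_AFTER)).items():
        print(f"port {port} ACL {acl}: +{inc} ARP drops"
              + (" (counter reset seen)" if reset else ""))
    for port, why in ineffective_arp_filters(RUNNING_CONFIG).items():
        print(f"port {port}: {why}")
```

Run the two checks from a job that collects show ACL-on-arp and the running config on a schedule; a large increase on one port is the signal to look for an ARP spoofing host behind it, and the lint catches the case where use-ACL-on-arp was applied before the ACL was populated.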

Filtering on IP precedence and ToS values

To configure an extended IP ACL that matches based on IP precedence, enter commands such as the
following.

device(config)#access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet
device(config)#access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24
