Brocade ICX 6650 Security Configuration Guide
113
53-1002601-01
Allow the ACL ID to be inherited from the IP ACLs that have been defined for the device. In the example above, the line Brocade(config-ve-4)# ip use-ACL-on-arp allows the ACL to be inherited from IP ACL 101 because of the ip follow relationship between virtual routing interface 2 and virtual routing interface 4. Virtual routing interface 2 is configured with IP ACL 101, so virtual routing interface 4 inherits IP ACL 101.
ARP requests are not filtered by ACLs (they pass unfiltered) if either of the following conditions occurs:
• The ACL is to be inherited from an IP ACL, but no IP ACL is defined.
• An ACL ID is specified for the use-ACL-on-arp command, but no IP address or “any any” filtering criteria have been defined under that ACL ID.
Displaying ACL filters for ARP
To determine which ACLs have been configured to filter ARP requests, enter a command such as the following.
Brocade(config)# show ACL-on-arp
Port   ACL ID   Filter Count
1/1/2  103      10
1/1/3  102      23
1/1/4  101      12
Syntax: show ACL-on-arp [ethernet port | loopback [ num ] | ve [ num ] ]
Specify the port variable in slotnum/portnum format (the ports in the display above are shown in the device's unit/slot/port notation).
If the port variable is not specified, the display includes all ports on the device that use ACLs for ARP filtering.
The Filter Count column shows how many ARP packets have been dropped on the interface since 
the last time the count was cleared.
Clearing the filter count
To clear the filter count for all interfaces on the device, enter the following command.
Brocade(config)# clear ACL-on-arp
This command resets the filter count on all interfaces in the device back to zero.
Syntax: clear ACL-on-arp
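Because the Filter Count only accumulates until someone runs clear ACL-on-arp, a useful monitoring check is to poll show ACL-on-arp periodically and alert on the per-port delta rather than the raw value. The following Python is an added example, not code from the Brocade guide: it parses two captures of the command output (both constructed here, modelled on the table above) and treats a counter that went backwards as a reset, so a clear between polls does not produce a negative or hidden delta. The threshold and the port names are illustrative.

```python
"""Added example (not from the Brocade guide): compare two polls of
`show ACL-on-arp` and report ARP drops per port since the previous poll."""
import re

# Constructed sample output, modelled on the table shown in the guide.
SNAPSHOT_T0 = """\
Port  ACL ID Filter Count
1/1/2 103 10
1/1/3 102 23
1/1/4 101 12
"""

# Constructed second poll: 1/1/3 climbed sharply; 1/1/4 was cleared in between.
SNAPSHOT_T1 = """\
Port  ACL ID Filter Count
1/1/2 103 10
1/1/3 102 95
1/1/4 101 3
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_acl_on_arp(text):
    """Return {port: (acl_id, filter_count)} from show ACL-on-arp output."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("port"):
            continue  # blank line or the column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        port, acl_id, count = m.groups()
        rows[port] = (int(acl_id), int(count))
    return rows


def drop_deltas(before, after):
    """Per-port ARP drops between two polls.

    Returns {port: {"acl": id, "delta": n, "reset": bool}}. A count lower than
    the previous poll means `clear ACL-on-arp` ran in between (the counter
    restarts at zero), so the delta is then measured from zero.
    """
    result = {}
    for port, (acl_id, new) in after.items():
        old = before.get(port, (acl_id, 0))[1]
        reset = new < old
        delta = new if reset else new - old
        result[port] = {"acl": acl_id, "delta": delta, "reset": reset}
    return result


def ports_over_threshold(deltas, threshold):
    """Sorted list of ports whose drops since the last poll reached threshold."""
    return sorted(p for p, d in deltas.items() if d["delta"] >= threshold)


if __name__ == "__main__":
    deltas = drop_deltas(parse_acl_on_arp(SNAPSHOT_T0),
                         parse_acl_on_arp(SNAPSHOT_T1))
    for port, info in sorted(deltas.items()):
        flag = " (counter reset since last poll)" if info["reset"] else ""
        print(f"{port}: ACL {info['acl']} dropped {info['delta']} ARP packets{flag}")
    print("alert on:", ports_over_threshold(deltas, 50))
```

In a real deployment the two snapshots would come from successive SSH/serial sessions; the parsing and reset handling are unchanged.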
Filtering on IP precedence and ToS values
To configure an extended IP ACL that matches based on IP precedence, enter commands such as the following.
Brocade(config)# access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet
Brocade(config)# access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 precedence 6
Brocade(config)# access-list 103 permit ip any any
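The precedence keyword and the numeric form refer to the same three-bit field: internet is precedence 6 under the RFC 791 names (routine=0 through network=7), carried in the top three bits of the IP ToS byte. The Python below is an added example, not code from the Brocade guide or the switch firmware: it models the three entries of ACL 103 exactly as written above and evaluates constructed packets against them with first-match semantics, which makes visible that the second entry (source port ftp, precedence 6) can never be reached because the first entry already denies all precedence-6 TCP traffic between those networks. The dict representation, the sample packets and the shadowed_by helper are illustrative assumptions.

```python
"""Added example (not from the Brocade guide): evaluate ACL 103 from the text
against sample packets and detect entries shadowed by an earlier entry."""
import ipaddress

# RFC 791 precedence names; the value sits in bits 7..5 of the ToS/DS byte.
PRECEDENCE_NAMES = {
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3,
    "flash-override": 4, "critical": 5, "internet": 6, "network": 7,
}
FTP = 21  # the `eq ftp` keyword in the guide's second entry (TCP port 21)

# ACL 103 as written in the guide, in a hypothetical dict form for this example.
ACL_103 = [
    {"action": "deny", "proto": "tcp", "src": "10.157.21.0/24",
     "dst": "10.157.22.0/24", "precedence": "internet"},
    {"action": "deny", "proto": "tcp", "src": "10.157.21.0/24", "sport": FTP,
     "dst": "10.157.22.0/24", "precedence": 6},
    {"action": "permit", "proto": "ip", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]


def precedence_of(tos_byte):
    """IP precedence is the top three bits of the ToS byte (RFC 791)."""
    return (tos_byte >> 5) & 0x7


def precedence_value(spec):
    """Accept a keyword (internet) or a number (6), as the CLI does."""
    if isinstance(spec, int):
        if not 0 <= spec <= 7:
            raise ValueError(f"precedence out of range: {spec}")
        return spec
    return PRECEDENCE_NAMES[spec]


def entry_matches(entry, pkt):
    """True if the packet dict matches every field the ACL entry specifies."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(entry["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(entry["dst"]):
        return False
    if "sport" in entry and pkt.get("sport") != entry["sport"]:
        return False
    if "precedence" in entry and \
            precedence_of(pkt["tos"]) != precedence_value(entry["precedence"]):
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; returns (action, entry index).
    An unmatched packet falls to the ACL's implicit deny (index None)."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return entry["action"], i
    return "deny", None


def shadowed_by(acl, j):
    """Index of an earlier entry at least as general as entry j in every field
    (so entry j can never match), or None. Simplified check for this model."""
    ej = acl[j]
    for i in range(j):
        ei = acl[i]
        if ei["proto"] not in ("ip", ej["proto"]):
            continue
        if not ipaddress.ip_network(ej["src"]).subnet_of(ipaddress.ip_network(ei["src"])):
            continue
        if not ipaddress.ip_network(ej["dst"]).subnet_of(ipaddress.ip_network(ei["dst"])):
            continue
        if "sport" in ei and ei["sport"] != ej.get("sport"):
            continue
        if "precedence" in ei and ("precedence" not in ej or
                                   precedence_value(ei["precedence"]) !=
                                   precedence_value(ej["precedence"])):
            continue
        return i
    return None


# Constructed sample packets (ToS 0xC0 = precedence 6, ToS 0x00 = routine).
PKT_PREC6 = {"proto": "tcp", "src": "10.157.21.5", "dst": "10.157.22.9", "sport": 40000, "tos": 0xC0}
PKT_ROUTINE = {"proto": "tcp", "src": "10.157.21.5", "dst": "10.157.22.9", "sport": 40000, "tos": 0x00}
PKT_FTP_PREC6 = {"proto": "tcp", "src": "10.157.21.5", "dst": "10.157.22.9", "sport": FTP, "tos": 0xC0}
PKT_UDP_PREC6 = {"proto": "udp", "src": "10.157.21.5", "dst": "10.157.22.9", "sport": 53, "tos": 0xC0}

if __name__ == "__main__":
    for name, pkt in [("tcp prec 6", PKT_PREC6), ("tcp routine", PKT_ROUTINE),
                      ("tcp ftp prec 6", PKT_FTP_PREC6), ("udp prec 6", PKT_UDP_PREC6)]:
        print(f"{name:16} -> {evaluate(ACL_103, pkt)}")
    print("entry 1 shadowed by entry", shadowed_by(ACL_103, 1))
```

The practical takeaway is to keep the more specific entry (the ftp one) ahead of the broader one if it is meant to be hit, or to drop it if the broader deny is the intent; precedence-based filtering only works as expected when the upstream devices actually preserve the precedence bits rather than remarking them.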