Dell FCX624-S Switch User Manual
PowerConnect B-Series FCX Configuration Guide, 53-1002266-01, chapter 16, page 576
Specify the <port> variable in the following formats:
PowerConnect B-Series FCX stackable switches – <stack-unit/slotnum/portnum>
Using ACLs to filter ARP packets
You can use ACLs to filter ARP packets. Without this feature, ACLs cannot permit or deny incoming ARP packets: although an ARP packet carries an IP address just as an IP packet does, an ARP packet is not an IP packet, so it is not subject to the normal filtering that IP ACLs provide.
When a Dell PowerConnect device receives an ARP request, the sender MAC and IP addresses are stored in the device ARP table. A new record in the ARP table overwrites any existing record that contains the same IP address. This behavior can lead to a condition called "ARP hijacking", in which two hosts with the same IP address send ARP requests to the device and the later request replaces the record created by the earlier one.
Normally ARP hijacking is not a problem because IP assignments are done dynamically; however, it can occur in some configurations, such as when a router interface is allowed to share the IP address of another router interface. Because multiple VLANs, and the router interfaces associated with each of those VLANs, share the same IP segment, two hosts in two different VLANs can contend for the same IP address in that segment. ARP filtering using ACLs protects an IP host record in the ARP table from being overwritten by a hijacking host. The ACL is applied to the ARP packets received on an interface and checks the sender IP address in each packet. Only packets whose sender IP address is permitted by the ACL are written to the ARP table; all others are dropped.
Because only the sender IP address is compared (the sender MAC address is not), the protection is against a conflicting address arriving on an interface where that address is not permitted; a host on the same interface that forges a permitted IP address is not blocked by this check.
Configuration considerations
• This feature is available on devices running Layer 3 code. The filtering occurs on the management processor, so it is performed in software rather than in the forwarding hardware.
• The feature is available on physical interfaces and virtual routing interfaces. It is supported on the following physical interface types: Ethernet and trunks.
• ACLs used to filter ARP packets on a virtual routing interface can be inherited from a previous interface if the virtual routing interface is defined as a follower virtual routing interface.
Configuring ACLs for ARP filtering
To implement the ACL ARP filtering feature, enter commands such as the following. In this example ACL 101 is applied with ip access-group as a normal IP ACL to traffic entering ve 2, while ACL 103 is applied with ip use-ACL-on-arp, so only ARP packets with sender IP address 192.168.2.4 received on ve 2 are written to the ARP table.
PowerConnect(config)# access-list 101 permit ip host 192.168.2.2 any
PowerConnect(config)# access-list 102 permit ip host 192.168.2.3 any
PowerConnect(config)# access-list 103 permit ip host 192.168.2.4 any
PowerConnect(config)# vlan 2
PowerConnect(config-vlan-2)# tag ethe 1/1 to 1/2
PowerConnect(config-vlan-2)# router-interface ve 2
PowerConnect(config-vlan-2)# vlan 3
PowerConnect(config-vlan-3)# tag ethe 1/1 to 1/2
PowerConnect(config-vlan-3)# router-int ve 3
PowerConnect(config-vlan-3)# vlan 4
PowerConnect(config-vlan-4)# tag ethe 1/1 to 1/2
PowerConnect(config-vlan-4)# router-int ve 4
PowerConnect(config-vlan-4)# interface ve 2
PowerConnect(config-ve-2)# ip access-group 101 in
PowerConnect(config-ve-2)# ip address 192.168.2.1/24
PowerConnect(config-ve-2)# ip use-ACL-on-arp 103
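The learning and filtering behavior described above, as an added example that is not part of this guide or of the switch firmware: a small Python model of an ARP table in which a new record overwrites the old record for the same IP address, with an ARP ACL applied per interface in the role that ip use-ACL-on-arp plays in the configuration above. The ARP packets and MAC addresses are constructed sample data. The ve 2 ACL (permit host 192.168.2.4) matches ACL 103 above; the ve 3 ACL permitting only 192.168.2.3 is an assumption about how the example continues for ve 3, and the function and class names are the example's own.

```python
import ipaddress
import struct

# RFC 826 ARP body for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build a raw ARP request body (constructed sample data; the MACs are made up)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, 1,
        bytes.fromhex(sender_mac.replace(":", "")),
        ipaddress.IPv4Address(sender_ip).packed,
        b"\x00" * 6,
        ipaddress.IPv4Address(target_ip).packed,
    )


def parse_arp(pkt):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/IPv4 ARP body."""
    if len(pkt) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = ":".join(f"{b:02x}" for b in sha)
    return oper, mac, str(ipaddress.IPv4Address(spa))


def parse_acl(lines):
    """Parse entries such as 'permit ip host 192.168.2.4 any' into (action, source network).
    Only 'host <ip>' and 'any' sources are handled; the destination is ignored because
    ARP filtering compares the sender IP address only."""
    rules = []
    for line in lines:
        action, proto, kind, *rest = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(line)
        if kind == "host":
            net = ipaddress.IPv4Network(rest[0] + "/32")
        elif kind == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            raise ValueError(line)
        rules.append((action, net))
    return rules


def acl_permits(rules, ip):
    """First matching entry wins; every ACL ends with an implicit deny."""
    addr = ipaddress.IPv4Address(ip)
    for action, net in rules:
        if addr in net:
            return action == "permit"
    return False


class ArpTable:
    """ARP table where a new record for an IP overwrites the old one, plus an optional ARP ACL per interface."""

    def __init__(self):
        self.entries = {}  # sender ip -> (sender mac, receiving interface)
        self.arp_acl = {}  # interface -> ACL rules (hypothetical model of 'ip use-ACL-on-arp')

    def use_acl_on_arp(self, interface, rules):
        self.arp_acl[interface] = rules

    def receive(self, interface, pkt):
        """Process an ARP packet received on interface; True if it was written to the table."""
        _op, mac, ip = parse_arp(pkt)
        rules = self.arp_acl.get(interface)
        if rules is not None and not acl_permits(rules, ip):
            return False  # dropped before it reaches the ARP table
        self.entries[ip] = (mac, interface)
        return True


def arp_table_after(filtering, attacker_if):
    """ve 2 and ve 3 share 192.168.2.0/24. 192.168.2.4 is first learned on ve 2 from the
    legitimate host; a second host then claims the same IP on attacker_if.
    Returns the final (mac, interface) record for 192.168.2.4."""
    table = ArpTable()
    if filtering:  # ve 2 as in ACL 103 above; the ve 3 ACL is an assumed continuation
        table.use_acl_on_arp("ve 2", parse_acl(["permit ip host 192.168.2.4 any"]))
        table.use_acl_on_arp("ve 3", parse_acl(["permit ip host 192.168.2.3 any"]))
    table.receive("ve 2", build_arp_request("00:11:22:33:44:04", "192.168.2.4", "192.168.2.1"))
    table.receive(attacker_if, build_arp_request("00:11:22:33:44:99", "192.168.2.4", "192.168.2.1"))
    return table.entries["192.168.2.4"]


if __name__ == "__main__":
    print("no ARP ACL, claim from ve 3 :", arp_table_after(False, "ve 3"))
    print("ARP ACL, claim from ve 3    :", arp_table_after(True, "ve 3"))
    print("ARP ACL, spoof on ve 2      :", arp_table_after(True, "ve 2"))
```

Running it shows the three outcomes that matter: with no ARP ACL, the request from ve 3 overwrites the record learned on ve 2; with the ACLs applied, the ve 3 request is dropped because 192.168.2.4 is not permitted there and the original record survives; and a second host on ve 2 forging 192.168.2.4 still overwrites the record, because the ACL compares only the sender IP address and not the sender MAC address.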