Prevent Arp, Nd Spoofing Example - Edge-Core ES4624-SFP Basic Management Manual

Example：Switch(Config-if-Vlan1)#clear ipv6 nd dynamic

22.4 Prevent ARP, ND Spoofing Example

Equipment Explanation
Equipment Configuration
switch IP:192.168.2.4; IP:192.168.1.4;
A IP:192.168.2.1;
B IP:192.168.1.2;
C IP:192.168.2.3;
There is a normal communication between B and C on above diagram. A wants
switch to forward packets sent by B to itself, so need switch sends the packets transfer
from B to A. firstly A sends ARP reply packet to switch, format is: 192.168.2.3,
00-00-00-00-00-01, mapping its MAC address to C's IP, so the switch changes IP
address when it updates ARP list.,then data packet of 192.168.2.3 is transferred to
00-00-00-00-00-01 address (A MAC address).
In further, A transfers its received packets to C by modifying source address and
destination address, the mutual communicated data between B and C are received by A
unconsciously. Because the ARP list is update timely, another task for A is to continuously
send ARP reply packet, and refreshes switch ARP list.
So it is very important to protect ARP list, configure to forbid ARP learning command
in stable environment, and then change all dynamic ARP to static ARP, the learned ARP
will not be refreshed, and protect for users.
Switch#config
Switch(config)#ip arp-security learnprotect
Fig 22-1 Prevent ARP ,ND Spoofing
mac: 00-00-00-00-00-01
mac: 00-00-00-00-00-02
mac: 00-00-00-00-00-03
546
mac: 00-00-00-00-00-04
Quality
1
1
1
some