Planet XGS3-42000R User Manual page 210

4-slot Layer 3 IPv6/IPv4 Routing Chassis Switch

[Figure: network diagram showing hosts A, B and C]
In the diagram above, B and C communicate normally. A wants the switch to forward the packets sent by B to A itself, so A needs the switch to redirect B's traffic to A. First, A sends an ARP reply packet to the switch in the format 192.168.2.3, 01-01-01-01-01-01, mapping its own MAC address to C's IP address. The switch changes the entry for that IP address when it updates its ARP list, and data packets for 192.168.2.3 are then forwarded to 01-01-01-01-01-01 (A's MAC address).
Furthermore, A forwards the packets it receives on to C by modifying the source and destination addresses, so the data exchanged between B and C is received by A without their knowledge. Because the ARP list is updated regularly, A must also keep sending ARP reply packets to refresh the switch's ARP list.
It is therefore very important to protect the ARP list. In a stable environment, configure the command that forbids ARP learning and then convert all dynamic ARP entries to static ARP entries; the learned ARP entries will then not be refreshed, which protects users.
XGS3-42000R#config
XGS3-42000R(config)#interface vlan 1
XGS3-42000R(config-If-Vlan1)#arp 192.168.2.1 01-01-01-01-01-01 interface eth 1/2
XGS3-42000R(config-If-Vlan1)#interface vlan 2
XGS3-42000R(config-If-Vlan2)#arp 192.168.1.2 02-02-02-02-02-02 interface eth 1/2
XGS3-42000R(config-If-Vlan2)#interface vlan 3
XGS3-42000R(config-If-Vlan3)#arp 192.168.2.3 03-03-03-03-03-03 interface eth 1/2
XGS3-42000R(config-If-Vlan3)#exit
XGS3-42000R(config)#ip arp-security learnprotect
XGS3-42000R(config)#
XGS3-42000R(config)#ip arp-security convert
If the environment changes, enable the function that forbids ARP refresh: once an ARP entry has been learned, it will not be refreshed by a new ARP reply packet, which protects user data from sniffing.
XGS3-42000R#config
XGS3-42000R(config)#ip arp-security updateprotect
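The following Python sketch is an added example, not code from the manual or from Planet: a simplified model of a switch ARP table that replays the forged reply described above and shows how update protection or a static entry keeps the 192.168.2.3 mapping intact while recording the conflict. The class, its fields and the sample replies are hypothetical, and the way the flags map to the three CLI commands is an assumption based on this page's descriptions.

```python
from dataclasses import dataclass, field

@dataclass
class ArpTable:
    """Simplified, hypothetical model of the protections described on this page."""
    learn_protect: bool = False   # assumed effect of "ip arp-security learnprotect"
    update_protect: bool = False  # assumed effect of "ip arp-security updateprotect"
    entries: dict = field(default_factory=dict)  # ip -> (mac, "static" | "dynamic")
    alerts: list = field(default_factory=list)   # conflicts worth investigating

    def add_static(self, ip, mac):
        self.entries[ip] = (mac.lower(), "static")

    def convert(self):
        # Assumed effect of "ip arp-security convert": dynamic entries become static.
        self.entries = {ip: (mac, "static") for ip, (mac, _) in self.entries.items()}

    def observe(self, ip, mac):
        """Process one ARP reply (ip is-at mac); return True if the table changed."""
        mac = mac.lower()
        current = self.entries.get(ip)
        if current is None:
            if self.learn_protect:
                self.alerts.append(f"blocked learning {ip} -> {mac}")
                return False
            self.entries[ip] = (mac, "dynamic")
            return True
        old_mac, kind = current
        if old_mac == mac:
            return False
        # A reply that remaps a known IP to a different MAC is the spoofing pattern.
        self.alerts.append(f"{ip} claimed by {mac}, table has {old_mac}")
        if kind == "static" or self.update_protect:
            return False
        self.entries[ip] = (mac, "dynamic")
        return True

# Constructed sample: C's genuine reply, then the forged reply carrying A's MAC.
REPLIES = [("192.168.2.3", "03-03-03-03-03-03"), ("192.168.2.3", "01-01-01-01-01-01")]

def replay(table, replies=REPLIES):
    """Feed the replies to the table; return the final MAC for C's IP and the alerts."""
    for ip, mac in replies:
        table.observe(ip, mac)
    return table.entries["192.168.2.3"][0], list(table.alerts)

if __name__ == "__main__":
    print("unprotected:  ", replay(ArpTable()))
    print("updateprotect:", replay(ArpTable(update_protect=True)))
```

In the unprotected run the entry for 192.168.2.3 ends up pointing at A's MAC; with update protection or a static entry it stays on C's MAC, and the alert list still records the conflicting claim.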
[Figure labels: IP 192.168.2.1, MAC 01-01-01-01-01-01; IP 192.168.1.2, MAC 02-02-02-02-02-02; IP 192.168.2.3, MAC 03-03-03-03-03-03]