Prevent ARP, ND Spoofing Example - Edge-Core ES4626 User Manual

L3 gigabit ethernet switch

16.4 Prevent ARP, ND Spoofing Example

Equipment Explanation

Equipment   Configuration
switch      IP: 192.168.2.4; IP: 192.168.1.4
A           IP: 192.168.2.1; MAC: 01-01-01-01-01-01
B           IP: 192.168.1.2
C           IP: 192.168.2.3
In the diagram above, B and C communicate normally. Because B and C are in different subnets (the switch has an address in each), their traffic is routed by the switch, so the switch's ARP table decides which MAC address receives the packets addressed to 192.168.2.3. A wants the switch to forward the packets B sends to C to A instead. First, A sends an ARP reply to the switch of the form 192.168.2.3 -> 01-01-01-01-01-01, mapping C's IP address to A's own MAC address. The switch accepts this mapping when it updates its ARP table, and from then on data packets for 192.168.2.3 are delivered to 01-01-01-01-01-01, that is, to A.
A then forwards the packets it receives on to C, rewriting the source and destination addresses, so the traffic exchanged between B and C passes through A without either host noticing. Because ARP entries are refreshed and age out, A also has to keep sending ARP reply packets so that the switch's ARP table stays poisoned.
It is therefore important to protect the ARP table. In a stable environment, configure the switch to forbid ARP learning and then convert all dynamic ARP entries to static ones; the learned entries will no longer be refreshed by ARP packets, which protects the users.
Switch#config
Switch(config)#ip arp-security learnprotect
Switch(config)#ip arp-security convert
If the environment changes, it is also possible to forbid ARP refresh, so that once the switch learns an ARP entry
Fig 16-1 Prevent ARP, ND Spoofing (the figure shows the switch and hosts A, B and C with the MAC addresses 01-01-01-01-01-01, 02-02-02-02-02-02, 03-03-03-03-03-03 and 04-04-04-04-04-04; the text identifies 01-01-01-01-01-01 as A's MAC address)
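The poisoning exchange and the learnprotect/convert defence described above, as an added simulation written for this page (it is not code from the Edge-Core manual or the switch firmware). It builds the forged ARP reply the text describes (A's MAC 01-01-01-01-01-01 claiming 192.168.2.3), parses it the way a switch would, and applies it to two ARP tables: a dynamic one, which is overwritten, and one that has been converted to static entries with learning disabled, which rejects the update and records an alert. The MAC addresses of C (03-03-03-03-03-03) and of the switch (04-04-04-04-04-04), the frame layout and the table semantics are assumptions made for the example; the manual gives only A's MAC and the two commands.

```python
import struct
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))

def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02x}" for x in b)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP reply (RFC 826 layout)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

ArpFrame = namedtuple("ArpFrame", "opcode sender_mac sender_ip target_mac target_ip")

def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode the ARP fields of an Ethernet frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpFrame(opcode, mac_str(body[0:6]), ip_str(body[6:10]), mac_str(body[10:16]), ip_str(body[16:20]))

@dataclass
class ArpTable:
    """Simulated switch ARP table: ip -> (mac, is_static). learn_protect stands in for
    'ip arp-security learnprotect', convert_to_static for 'ip arp-security convert'
    (assumed semantics for the example, not the switch's own implementation)."""
    entries: Dict[str, Tuple[str, bool]] = field(default_factory=dict)
    learn_protect: bool = False
    alerts: List[str] = field(default_factory=list)

    def convert_to_static(self) -> None:
        for ip, (mac, _) in list(self.entries.items()):
            self.entries[ip] = (mac, True)

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry[0] if entry else None

    def process(self, frame: bytes) -> str:
        """Apply one received frame's sender binding to the table and return the outcome."""
        arp = parse_arp(frame)
        if arp is None:
            return "ignored"
        ip, mac = arp.sender_ip, arp.sender_mac
        current = self.entries.get(ip)
        if current is None:
            if self.learn_protect:
                return "not-learned"      # learning disabled: unknown IPs are never added
            self.entries[ip] = (mac, False)
            return "learned"
        old_mac, is_static = current
        if old_mac == mac:
            return "refreshed"            # same binding, the entry is just kept alive
        # A different MAC for a known IP is exactly what a poisoning reply looks like.
        if is_static or self.learn_protect:
            self.alerts.append(f"ARP spoof attempt: {ip} claimed by {mac}, table has {old_mac}")
            return "rejected"
        self.entries[ip] = (mac, False)   # unprotected table: the attacker's binding wins
        return "overwritten"

# Addresses from the manual's example; C's and the switch's MACs are assumed here.
A_MAC, C_MAC, SW_MAC = "01-01-01-01-01-01", "03-03-03-03-03-03", "04-04-04-04-04-04"
C_IP, SW_IP = "192.168.2.3", "192.168.2.4"

# Constructed traffic: C's genuine reply to the switch, then A's forged reply for C's IP.
GENUINE = build_arp_reply(C_MAC, C_IP, SW_MAC, SW_IP)
FORGED = build_arp_reply(A_MAC, C_IP, SW_MAC, SW_IP)

def run_unprotected() -> Tuple[List[str], Optional[str]]:
    """Default switch: dynamic learning, no protection; the forged reply takes over C's IP."""
    table = ArpTable()
    results = [table.process(GENUINE), table.process(FORGED)]
    return results, table.lookup(C_IP)

def run_protected() -> Tuple[List[str], Optional[str], List[str]]:
    """Learn while the network is known-good, then learnprotect + convert, then get attacked."""
    table = ArpTable()
    table.process(GENUINE)
    table.learn_protect = True       # ip arp-security learnprotect
    table.convert_to_static()        # ip arp-security convert
    results = [table.process(FORGED), table.process(GENUINE)]
    return results, table.lookup(C_IP), table.alerts
```

`run_unprotected()` ends with 192.168.2.3 bound to A's MAC, which is the poisoned state the text describes; `run_protected()` keeps C's MAC, and the rejected frame is the signal an operator would want logged, since A has to keep re-sending it to hold the poisoning. The simulation treats the sender binding of any ARP frame as a learning event, which is how real ARP stacks behave, so a forged request would be handled the same way as the forged reply.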
This manual is also suitable for: ES4650, ES4626 L3, ES4650 L3