23.3 ARP Scanning Prevention Typical Examples – PLANET XGS3-24042 User Manual (Page 213)


anti-arpscan log enable
no anti-arpscan log enable
    Enable or disable the log function of ARP scanning prevention.

anti-arpscan trap enable
no anti-arpscan trap enable
    Enable or disable the SNMP Trap function of ARP scanning prevention.

show anti-arpscan [trust <ip | port | supertrust-port> | prohibited <ip | port>]
    Display the state of operation and configuration of ARP scanning prevention.

Admin Mode

debug anti-arpscan <port | ip>
no debug anti-arpscan <port | ip>
    Enable or disable the debug switch of ARP scanning prevention.

23.3 ARP Scanning Prevention Typical Examples

Figure 23-1 ARP scanning prevention typical configuration example

In the network topology above, port E1/0/1 of SWITCH B is connected to port E1/0/19 of SWITCH A, port E1/0/2 of SWITCH A is connected to a file server (IP address 192.168.1.100/24), and all the other ports of SWITCH A are connected to common PCs. The following configuration prevents ARP scanning effectively without affecting the normal operation of the system.

SWITCH A configuration task sequence:

SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.0
SwitchA(config)#interface ethernet1/0/2
SwitchA(Config-If-Ethernet1/0/2)#anti-arpscan trust port
SwitchA(Config-If-Ethernet1/0/2)#exit
SwitchA(config)#interface ethernet1/0/19
SwitchA(Config-If-Ethernet1/0/19)#anti-arpscan trust supertrust-port
SwitchA(Config-If-Ethernet1/0/19)#exit
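As an added example (not part of the PLANET manual), the Python script below parses the SWITCH A command sequence above and compares it with the trust plan described for the topology, so that drift such as an extra trusted access port or a missing uplink entry is reported. The PLAN structure and the function names are assumptions of this example.

```python
import re

# The SWITCH A command sequence from the example above, prompts included.
PAGE_CONFIG = """\
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.0
SwitchA(config)#interface ethernet1/0/2
SwitchA(Config-If-Ethernet1/0/2)#anti-arpscan trust port
SwitchA(Config-If-Ethernet1/0/2)#exit
SwitchA(config)#interface ethernet1/0/19
SwitchA(Config-If-Ethernet1/0/19)#anti-arpscan trust supertrust-port
SwitchA(Config-If-Ethernet1/0/19)#exit
"""
# Intended trust plan taken from the topology text (structure is this example's own).
PLAN = {"ports": {"ethernet1/0/2": "port", "ethernet1/0/19": "supertrust-port"},
        "trust_ips": {"192.168.1.100"}}

def parse(text):
    """Extract anti-arpscan state from CLI lines, with or without prompts."""
    state = {"enabled": False, "recovery": None, "trust_ips": set(), "ports": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip().lower()  # drop a "Switch(...)#" prompt
        if line == "anti-arpscan enable":
            state["enabled"] = True
        elif m := re.fullmatch(r"anti-arpscan recovery time (\d+)", line):
            state["recovery"] = int(m.group(1))
        elif m := re.fullmatch(r"anti-arpscan trust ip (\S+)(?: \S+)?", line):
            state["trust_ips"].add(m.group(1))
        elif m := re.fullmatch(r"interface\s+(\S+)", line):
            iface = m.group(1)           # entering an interface context
        elif line == "exit":
            iface = None                 # leaving the interface context
        elif iface and (m := re.fullmatch(r"anti-arpscan trust (port|supertrust-port)", line)):
            state["ports"][iface] = m.group(1)
    return state

def audit(text, plan=PLAN):
    """Return a list of differences between the config text and the plan."""
    s, out = parse(text), []
    if not s["enabled"]:
        out.append("anti-arpscan is not enabled globally")
    for port, level in plan["ports"].items():
        if s["ports"].get(port) != level:
            out.append(f"{port}: expected trust {level}, found {s['ports'].get(port)}")
    for port in sorted(set(s["ports"]) - set(plan["ports"])):
        out.append(f"{port}: trusted ({s['ports'][port]}) but not in the plan")
    for ip in sorted(plan["trust_ips"] - s["trust_ips"]):
        out.append(f"trust ip {ip} is missing")
    return out
```

Calling `audit(PAGE_CONFIG)` returns an empty list when the commands match the plan; each string in a non-empty result names one setting to review.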

[Figure 23-1 labels: SWITCH A, SWITCH B, PC, PC, Server (192.168.1.100/24); ports E1/0/1, E1/0/19, E1/0/2]
