2 prevent arp, nd spoofing configuration, Revent, Poofing configuration – PLANET XGS3-24042 User Manual

24-53

What the essential method on preventing attack and spoofing switches based on ARP in networks is to

disable switch automatic update function; the cheater can’t modify corrected MAC address in order to avoid

wrong packets transfer and can’t obtain other information. At one time, it doesn’t interrupt the automatic

learning function of ARP. Thus it prevents ARP spoofing and attack to a great extent.

ND is neighbor discovering protocol in IPv6 protocol, and it’s similar to ARP on operation principle, therefore

we do in the same way as preventing ARP spoofing to prevent ND spoofing and attack.

24.2 Prevent ARP, ND Spoofing configuration

The steps of preventing ARP, ND spoofing configuration as below:

1. Disable ARP, ND automatic update function

2. Disable ARP, ND automatic learning function

3. Changing dynamic ARP, ND to static ARP, ND

1. Disable ARP, ND automatic update function

Command

Explanation

Global Mode and Port Mode

ip arp-security updateprotect

no ip arp-security updateprotect

ipv6 nd-security updateprotect

no ipv6 nd-security updateprotect

Disable and enable ARP, ND automatic

update function.

2. Disable ARP, ND automatic learning function

Command

Explanation

Global mode and Interface Mode

ip arp-security learnprotect

no ip arp-security learnprotect

ipv6 nd-security learnprotect

no ipv6 nd-security learnprotect

Disable and enable ARP, ND automatic

learning function.

3. Function on changing dynamic ARP, ND to static ARP, ND

Command

Explanation

Global Mode and Port Mode

ip arp-security convert

ipv6 nd-security convert

Change dynamic ARP, ND to static ARP, ND.