3 prevent arp, nd spoofing example, Revent, Poofing – PLANET XGS3-24042 User Manual

24-54

24.3 Prevent ARP, ND Spoofing Example

Equipment Explanation

Equipment

Configuration

Quality

switch

IP:192.168.2.4; IP:192.168.1.4; mac: 00-00-00-00-00-04

1

A

IP:192.168.2.1; mac: 00-00-00-00-00-01

1

B

IP:192.168.1.2; mac: 00-00-00-00-00-02

1

C

IP:192.168.2.3; mac: 00-00-00-00-00-03

some

There is a normal communication between B and C on above diagram. A wants switch to forward packets sent

by B to itself, so need switch sends the packets transfer from B to A. firstly A sends ARP reply packet to switch,

format is: 192.168.2.3, 00-00-00-00-00-01, mapping its MAC address to C’s IP, so the switch changes IP

address when it updates ARP list., then data packet of 192.168.2.3 is transferred to 00-00-00-00-00-01

address (A MAC address).

In further, a transfers its received packets to C by modifying source address and destination address, the

mutual communicated data between B and C are received by A unconsciously. Because the ARP list is update

timely, another task for A is to continuously send ARP reply packet, and refreshes switch ARP list.

So it is very important to protect ARP list, configure to forbid ARP learning command in stable environment,

and then change all dynamic ARP to static ARP, the learned ARP will not be refreshed, and protect for users.

Switch#config

Switch(config)#interface vlan 1

Switch(Config-If-Vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface eth 1/0/2

Switch(Config-If-Vlan1)#interface vlan 2

Switch(Config-If-Vlan2)#arp 192.168.1.2 00-00-00-00-00-02 interface eth 1/0/2

Switch(Config-If-Vlan2#interface vlan 3

Switch(Config-If-Vlan3)#arp 192.168.2.3 00-00-00-00-00-03 interface eth 1/0/2

Switch(Config-If-Vlan3)#exit

Switch(Config)#ip arp-security learnprotect

Switch(Config)#

Switch(config)#ip arp-security convert

A

B

C

Switch