2 prevent arp, nd spoofing configuration, Revent, Poofing configuration – QTECH QSW-8300 Инструкция по настройке User Manual
Page 148
+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1
147
switches, host computers or network equipment.
What the essential method on preventing attack and spoofing switches based on ARP in
networks is to disable switch automatic update function; the cheater can’t modify corrected
MAC address in order to avoid wrong packets transfer and can’t obtain other information. At
one time, it doesn’t interrupt the automatic learning function of ARP. Thus it prevents ARP
spoofing and attack to a great extent.
ND is neighbor discovering protocol in IPv6 protocol, and it’s similar to ARP on operation
principle, therefore we do in the same way as preventing ARP spoofing to prevent ND spoofing
and attack.
18.2 Prevent ARP, ND Spoofing configuration
The steps of preventing ARP, ND spoofing configuration as below:
Disable ARP, ND automatic update function
Disable ARP, ND automatic learning function
Changing dynamic ARP, ND to static ARP, ND
1. Disable ARP, ND automatic update function
Command
Explanation
Global Mode and Port Mode
ip arp-security updateprotect
no ip arp-security updateprotect
ipv6 nd-security updateprotect
no ipv6 nd-security updateprotect
Disable and enable ARP, ND automatic update
function.
2. Disable ARP, ND automatic learning function
Command
Explanation
Global mode and Interface Mode
ip arp-security learnprotect
no ip arp-security learnprotect
ipv6 nd-security learnprotect
no ipv6 nd-security learnprotect
Disable and enable ARP, ND automatic learning
function.
3. Function on changing dynamic ARP, ND to static ARP, ND
Command
Explanation
Global Mode and Port Mode
ip arp-security convert
ipv6 nd-security convert
Change dynamic ARP, ND to static ARP, ND.