Accton Technology ES4626 User Manual


Fig 12-1 Prevent ARP, ND Spoofing

Equipment Explanation

Equipment   Configuration                                                 Quantity
switch      IP: 192.168.2.4; IP: 192.168.1.4; mac: 04-04-04-04-04-04     1
A           IP: 192.168.2.1; mac: 01-01-01-01-01-01                      1
B           IP: 192.168.1.2; mac: 02-02-02-02-02-02                      1
C           IP: 192.168.2.3; mac: 03-03-03-03-03-03                      some

In the diagram above, B and C communicate normally. A wants the switch to forward the
packets that B sends to C to A instead, so the switch has to be made to deliver B's
traffic to A. First, A sends an ARP reply packet to the switch with the content
192.168.2.3, 01-01-01-01-01-01, mapping its own MAC address to C's IP address. When the
switch updates its ARP table with this reply, the entry for 192.168.2.3 now points to
01-01-01-01-01-01 (A's MAC address), so data packets destined for 192.168.2.3 are
delivered to A.

A then forwards the packets it receives to C after rewriting the source and destination
addresses, so the traffic exchanged between B and C passes through A without either
party noticing. Because ARP entries are refreshed periodically, A must also keep
sending ARP reply packets to refresh the switch's ARP table.

It is therefore very important to protect the ARP table. In a stable environment,
configure the command that forbids ARP learning and then convert all dynamic ARP
entries to static ones. The learned entries will no longer be refreshed, which
protects users.

Switch#config

Switch(config)#ip arp-security learnprotect

Switch(config)#ip arp-security convert

If the environment does change, the function that forbids ARP refresh can be enabled
instead: once an ARP entry has been learned correctly, it will not be refreshed by new
ARP reply packets, which protects user data from sniffing.

Switch#config
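As an added example, not the switch's own code, the following Python models the ARP-table behaviour described on this page with and without the learnprotect/convert protection, using the addresses from the equipment table; the ArpTable class, its methods and the sample replies are constructed here.

```python
# Added example (not the switch's own code): model of ARP-table learn protection
from dataclasses import dataclass, field

@dataclass
class ArpTable:
    learn_protect: bool = False                   # models "ip arp-security learnprotect"
    entries: dict = field(default_factory=dict)   # ip -> mac
    static: set = field(default_factory=set)      # ips whose entry is static
    alerts: list = field(default_factory=list)    # rejected replies, for the log

    def on_arp_reply(self, ip: str, mac: str) -> bool:
        """Apply one ARP reply to the table; return True if the table was changed."""
        current = self.entries.get(ip)
        if current is None:                       # first binding for this IP is learned
            self.entries[ip] = mac
            return True
        if current == mac:                        # same binding, nothing to refresh
            return False
        if ip in self.static or self.learn_protect:
            # protected: keep the learned MAC and record the conflicting reply
            self.alerts.append(f"rejected {ip} -> {mac}, table holds {current}")
            return False
        self.entries[ip] = mac                    # unprotected: the reply overwrites the entry
        return True

    def convert(self) -> None:
        """Make every dynamic entry static (models "ip arp-security convert")."""
        self.static.update(self.entries)

# Constructed sample from the equipment table above: the switch learns A, B
# and C, then receives a reply claiming C's IP address with A's MAC address.
LEGITIMATE = [("192.168.2.1", "01-01-01-01-01-01"),
              ("192.168.1.2", "02-02-02-02-02-02"),
              ("192.168.2.3", "03-03-03-03-03-03")]
SPOOFED = ("192.168.2.3", "01-01-01-01-01-01")

def run(protected: bool) -> tuple:
    """Return (MAC now held for C's IP, number of rejected replies)."""
    table = ArpTable(learn_protect=protected)
    for ip, mac in LEGITIMATE:
        table.on_arp_reply(ip, mac)
    if protected:
        table.convert()                           # dynamic entries become static
    table.on_arp_reply(*SPOOFED)
    return table.entries["192.168.2.3"], len(table.alerts)

if __name__ == "__main__":
    print("unprotected:", run(False))             # C's IP now resolves to A's MAC
    print("protected:  ", run(True))              # entry kept, one rejected reply logged
```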
