+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1
24.3 Prevent ARP Spoofing
Example
Equipment Explanation
IP:192.168.2.4; mac: 00-00-00-00-00-04
IP:192.168.2.1; mac: 00-00-00-00-00-01
IP:192.168.1.2; mac: 00-00-00-00-00-02
IP:192.168.2.3; mac: 00-00-00-00-00-03
There is a normal communication between B and C on above diagram. A wants switch to
forward packets sent by B to itself, so need switch sends the packets transfer from B to A.
firstly A sends ARP reply packet to switch, format is: 192.168.2.3, 00-00-00-00-00-01, mapping
its MAC address to C’s IP, so the switch changes IP address when it updates ARP list., then
data packet of 192.168.2.3 is transferred to 00-00-00-00-00-01 address (A MAC address).
In further, a transfers its received packets to C by modifying source address and destination
address, the mutual communicated data between B and C are received by A unconsciously.
Because the ARP list is update timely, another task for A is to continuously send ARP reply
packet, and refreshes switch ARP list.
So it is very important to protect ARP list, configure to forbid ARP learning command in stable
environment, and then change all dynamic ARP to static ARP, the learned ARP will not be
refreshed, and protect for users.
Switch#config
Switch(config)#interface vlan 1
Switch(config-if-vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface ethernet 1/1
Switch(config-if-vlan1)#arp 192.168.2.2 00-00-00-00-00-02 interface ethernet 1/2
Switch(config-if-vlan1)#arp 192.168.2.3 00-00-00-00-00-03 interface ethernet 1/3
Switch(Config-If-Vlan3)#exit
Switch(Config)#ip arp-security learnprotect
To Next Page
Loading...
Need help?
General
