Layer 3 Forward and ARP Configuration
Chapter 3 Prevent ARP Spoofing Configuration
http://www.level1.com
3-2
counterfeiting legal IP address firstly, and sends a great deal of counterfeited ARP
application packets to switches, after switches learn these packets, they will cover
previously corrected IP, mapping of MAC address, and then some corrected IP, MAC
address mapping are modified to correspondence relationship configured by attack
packets so that the switch makes mistake on transfer packets, and takes an effect on the
whole network. Or the switches are made used of by vicious attackers, and they intercept
and capture packets transferred by switches or attack other switches, host computers or
network equipment.
What the essential method on preventing attack and spoofing switches based on
ARP in networks is to di
sable switch automatic update function; the cheater can’t modify
corrected MAC address in order to avoid wrong packets transfer and can’t obtain other
information. At one time, it doesn’t interrupt the automatic learning function of ARP. Thus it
prevents ARP spoofing and attack to a great extent.
3.2 Prevent ARP Spoofing configuration
The steps of preventing ARP spoofing configuration as below:
1. Disable ARP automatic update function
2. Disable ARP automatic learning function
3. Changing dynamic ARP to static ARP
1.
Disable ARP automatic update function
Command
Explanation
Global Mode and Port Mode
ip arp-security updateprotect
no ip arp-security updateprotect
Disable and enable ARP automatic update
function.
2.
Disable ARP automatic learning function
Command
Explanation
Global mode and Interface Mode
ip arp-security learnprotect
no ip arp-security learnprotect
Disable and enable ARP automatic learning
function.
3.
Function on changing dynamic ARP to static ARP
Command
Explanation
