Layer 3 Forward and ARP Configuration
Chapter 3 Prevent ARP Spoofing Configuration
http://www.level1.com
3-3
Global Mode and Port Mode
ip arp-security convert
Change dynamic ARP to static ARP.
3.3 Prevent ARP Spoofing Example
Equipment Explanation
Equipment
Configuration
Quality
switch
IP:192.168.2.4; mac: 00-00-00-00-00-04
1
A
IP:192.168.2.1; mac: 00-00-00-00-00-01
1
B
IP:192.168.1.2; mac: 00-00-00-00-00-02
1
C
IP:192.168.2.3; mac: 00-00-00-00-00-03
some
There is a normal communication between B and C on above diagram. A wants
switch to forward packets sent by B to itself, so need switch sends the packets transfer
from B to A. firstly A sends ARP reply packet to switch, format is: 192.168.2.3,
00-00-00-00-00-
01, mapping its MAC address to C’s IP, so the switch changes IP address
when it updates ARP list., then data packet of 192.168.2.3 is transferred to
00-00-00-00-00-01 address (A MAC address).
In further, a transfers its received packets to C by modifying source address and
destination address, the mutual communicated data between B and C are received by A
unconsciously. Because the ARP list is update timely, another task for A is to continuously
send ARP reply packet, and refreshes switch ARP list.
So it is very important to protect ARP list, configure to forbid ARP learning command
in stable environment, and then change all dynamic ARP to static ARP, the learned ARP
will not be refreshed, and protect for users.
Switch#config
A
B
C
Switch