366
13.1.3 How to prevent void ARP/ND Spoofing for our Layer 3
Switch
There are many sniff, monitor and attack behaviors based on ARP protocol in
networks, and most of attack behaviors are based on ARP spoofing, so it is very
important to prevent ARP spoofing. ARP spoofing accesses normal network environment
by counterfeiting legal IP address firstly, and sends a great deal of counterfeited ARP
application packets to switchs, after switches learn these packets, they will cover
previously corrected IP, mapping of MAC address, and then some corrected IP, MAC
address mapping are modified to correspondence relationship configured by attack
packets so that the switch makes mistake on transfer packets, and takes an effect on the
whole network. Or the switches are maded used of by vicious attackers, and they
intercept and capture packets transferred by switches or attack other switches, host
computers or network equipment.
What the essential method on preventing attack and spoofing switches based on
ARP in networks is to disable switch automatic update function; the cheater can’t modify
corrected MAC address in order to avoid wrong packets transfer and can’t obtain other
information. At one time, it doesn’t interrupt the automatic learning function of ARP and
ND. Thus it prevents ARP spoofing and attack to a great extent.
ND is neighbor discovering protocol in IPv6 protocol, and it’s similar to ARP on
operation principle, therefore we do in the same way as preventing ARP spoofing to
prevent ND spoofing and attack.
13.2 Prevent ARP, ND Spoofing configuration
13.2.1 Prevent ARP, ND Spoofing Configuration Task List
The steps of preventing ARP, ND spoofing configuration as below:
1. Disable ARP, ND automatic update function
2. Disable ARP, ND automatic learning function
3. changing dynamic ARP, ND to static ARP, ND
4. Clear dynamic ARP, ND
1.
Disable ARP, ND automatic update function
Command Explanation
Admin Mode and Interface Mode