QTECH
Software Configuration Manual
arp anti-spoofing unknown { discard | flood }
Example:
! Configure the unknown ARP packet handling strategy as flood
QTECH(config)#arp anti-spoofing unknown flood
The discard strategy drops unknown ARP packets that have no corresponding static ARP entry. The flood strategy floods them, that is, transmits them to each interface. The default strategy is discard.
12.5.14 Enable/disable ARP anti-spoofing valid-check
In some ARP attack packets, the source MAC in the Ethernet frame header differs from the source MAC in the ARP protocol packet.
With this function enabled, the switch checks whether the source MAC of each ARP packet sent to the CPU is the same as the one in the ARP protocol packet, and drops the packet if they differ. This function is disabled by default. Use this command in global configuration mode to enable it:
Enable ARP anti-spoofing valid-check :
QTECH(config)#arp anti-spoofing valid-check
Disable ARP anti-spoofing valid-check :
QTECH(config)#no arp anti-spoofing valid-check
12.5.15 Enable/disable ARP anti-spoofing deny-disguiser
An ARP gateway disguiser is an attacker who impersonates the gateway by sending gratuitous (free) ARP packets in the LAN whose source IP address is the gateway address. After a host in the LAN receives such a packet, its original gateway address is replaced with the attacker's address, so that no host in the LAN can access the network. Enable arp anti-spoofing deny-disguiser to solve this problem. With this function enabled, when the switch CPU receives an ARP packet that conflicts with the gateway address, it pushes the source MAC of the ARP protocol packet to the MAC blackhole and sends its own gratuitous ARP. ARP broadcast packets are checked. ARP unicast packets that are not sent up to the CPU are not checked. This function is disabled by default. Use the following command to enable it:
Enable ARP anti-spoofing deny-disguiser :
QTECH(config)#arp anti-spoofing deny-disguiser
Disable ARP anti-spoofing deny-disguiser :
QTECH(config)#no arp anti-spoofing deny-disguiser
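The two checks described in 12.5.14 and 12.5.15, sketched as packet-inspection logic in Python. This is an added example, not QTECH's code or the switch's implementation: the gateway IP/MAC, the host addresses and the helper names (build_arp, parse_arp, inspect) are assumptions, and "conflicts with the gateway address" is modelled as a broadcast ARP whose sender IP is the gateway's while its sender MAC is not.

```python
import struct

# Assumed values for this example (not from the manual).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:00:5e:00:53:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(p) for p in s.split("."))

def build_arp(eth_src, sha, spa, tpa, eth_dst=BROADCAST, oper=1):
    """Construct an untagged Ethernet II ARP frame (sample input only)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + bytes(6) + ip_bytes(tpa)

def parse_arp(frame):
    """Return the fields the two checks need, or None if not IPv4/Ethernet ARP."""
    if (len(frame) < 42 or frame[12:14] != b"\x08\x06"
            or struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4)):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
            "sha": mac_str(frame[22:28]),                  # sender MAC in ARP body
            "spa": ".".join(map(str, frame[28:32]))}       # sender IP in ARP body

def inspect(frame):
    """Apply valid-check, then deny-disguiser; return (action, detail)."""
    a = parse_arp(frame)
    if a is None:
        return ("ignore", "not an ARP frame")
    # valid-check: Ethernet source MAC must match the sender MAC in the ARP body.
    if a["eth_src"] != a["sha"]:
        return ("drop", f"{a['eth_src']} != {a['sha']}")
    # deny-disguiser: broadcast ARP claiming the gateway IP from another MAC.
    if (a["eth_dst"] == BROADCAST and a["spa"] == GATEWAY_IP
            and a["sha"] != GATEWAY_MAC):
        return ("blackhole", a["sha"])
    return ("pass", "")

# Constructed sample frames (MACs and IPs are made up).
HOST, ROGUE = "00:00:5e:00:53:10", "00:00:5e:00:53:66"
SAMPLES = {
    "normal request": build_arp(HOST, HOST, "192.168.1.10", GATEWAY_IP),
    "mismatched MACs": build_arp(ROGUE, HOST, "192.168.1.10", GATEWAY_IP),
    "gateway disguiser": build_arp(ROGUE, ROGUE, GATEWAY_IP, GATEWAY_IP),
    "unicast reply": build_arp(ROGUE, ROGUE, GATEWAY_IP, "192.168.1.10", HOST, 2),
}
for name, frame in SAMPLES.items():
    print(f"{name:18} -> {inspect(frame)}")
```

The unicast sample passes because, as the section states, only broadcast ARP is subject to the deny-disguiser check.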
12.5.16 Display ARP anti-spoofing
Use this command to display ARP anti-spoofing:
QTECH(config)#show arp anti-spoofing