370
13.4 Prevent ARP, ND Spoofing Example
Fig 13-1 Prevent ARP ,ND Spoofing
Equipment Explanation
Equipment
Configuration
Quality
switch IP:192.168.2.4;
IP:192.168.1.4; mac: 04-04-04-04-04-04
1
A
IP:192.168.2.1; mac: 01-01-01-01-01-01
1
B
IP:192.168.1.2; mac: 02-02-02-02-02-02
1
C
IP:192.168.2.3; mac: 03-03-03-03-03-03
some
There is a normal communication between B and C on above diagram. A wants
switch to forward packets sent by B to itself, so need switch sends the packets transfer
from B to A. firstly A sends ARP reply package to switch, format is: 192.168.2.3,
01-01-01-01-01-01, mapping its MAC address to C’s IP, so the switch changes IP
address when it updates ARP list.,then data packet of 192.168.2.3 is transferred to
01-01-01-01-01-01 address (A MAC address).
In further, A transfers its received packets to C by modifying source address and
destination address, the mutual communicated data between B and C are received by A
unconsciously. Because the ARP list is update timely, another task for A is to continuously
send ARP reply packet, and refreshes switch ARP list.
So it is very important to protect ARP list, configure to forbid ARP learning command
in stable environment, and then change all dynamic ARP to static ARP, the learned ARP
will not be refreshed, and protect for users.
Switch#config
Switch(config)#ip arp-security learnprotect
Switch(config)#ip arp-security convert