Manual
+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1
217
26.3 Prevent ARP Spoofing Example
Equipment Explanation
Equipment
Configuration
Quality
switch
IP:192.168.2.4; mac: 00-00-00-00-00-04
1
A
IP:192.168.2.1; mac: 00-00-00-00-00-01
1
B
IP:192.168.1.2; mac: 00-00-00-00-00-02
1
C
IP:192.168.2.3; mac: 00-00-00-00-00-03
some
There is a normal communication between B and C on above diagram. A wants switch to
forward packets sent by B to itself, so need switch sends the packets transfer from B to A.
firstly A sends ARP reply packet to switch, format is: 192.168.2.3, 00-00-00-00-00-01, mapping
its MAC address to C’s IP, so the switch changes IP address when it updates ARP list., then
data packet of 192.168.2.3 is transferred to 00-00-00-00-00-01 address (A MAC address).
In further, a transfers its received packets to C by modifying source address and destination
address, the mutual communicated data between B and C are received by A unconsciously.
Because the ARP list is update timely, another task for A is to continuously send ARP reply
packet, and refreshes switch ARP list.
So it is very important to protect ARP list, configure to forbid ARP learning command in stable
environment, and then change all dynamic ARP to static ARP, the learned ARP will not be
refreshed, and protect for users.
Switch#config
Switch(config)#interface vlan 1
Switch(config-if-vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface
ethernet 1/1
Switch(config-if-vlan1)#arp 192.168.2.2 00-00-00-00-00-02 interface
ethernet 1/2
Switch(config-if-vlan1)#arp 192.168.2.3 00-00-00-00-00-03 interface
A
B
C
Switch