XGS-5240-Series User Manual

Configuration Guide of XGS-5240-Series
3. Function for converting dynamic ARP and ND entries to static ARP and ND entries

Command                      Explanation
(Global Mode and Port Mode)
ip arp-security convert      Convert the dynamic ARP entries to static ARP entries.
ipv6 nd-security convert     Convert the dynamic ND entries to static ND entries.
33.3 Prevent ARP, ND Spoofing Example

Equipment Explanation

Equipment   Configuration                                                Quantity
switch      IP: 192.168.2.4; IP: 192.168.1.4; MAC: 00-00-00-00-00-04     1
A           IP: 192.168.2.1; MAC: 00-00-00-00-00-01                      1
B           IP: 192.168.1.2; MAC: 00-00-00-00-00-02                      1
C           IP: 192.168.2.3; MAC: 00-00-00-00-00-03                      some
In the diagram above, B and C communicate normally. A wants the switch to deliver the packets B sends to C to A instead, so it needs the switch to forward B's traffic to A. First, A sends an ARP reply packet to the switch with the binding 192.168.2.3 / 00-00-00-00-00-01, mapping its own MAC address to C's IP address. The switch accepts this binding when it updates its ARP table, and from then on packets addressed to 192.168.2.3 are delivered to 00-00-00-00-00-01 (A's MAC address). A then forwards the packets it receives on to C after rewriting the source and destination addresses, so the traffic exchanged between B and C passes through A without either of them noticing. Because ARP entries age out and are refreshed, A also has to keep sending ARP reply packets so that the switch's ARP table is refreshed with the forged binding.

It is therefore very important to protect the ARP table: in a stable environment, configure the command that forbids ARP learning and then convert all dynamic ARP entries to static ARP entries. The learned entries will no longer be refreshed, and users are protected.
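The ARP-table behaviour described above, as an added example that is not part of the manual and not XGS-5240 firmware code: a small Python model of the switch's ARP table in which a forged ARP reply (constructed from the addresses in the equipment table) overwrites C's dynamic entry while learning is enabled, and is refused once the entries have been converted to static and learning has been disabled, which is the effect `ip arp-security convert` plus the ARP-learning prohibition is meant to have. The class and function names are my own, and the conflict alert is an assumption about what a defender would want logged, not a feature the manual documents.

```python
"""Model of a switch ARP table under unsolicited ARP replies.

Added example, not XGS-5240 code. It models the mechanism the manual
describes: dynamic entries are rewritten by ARP replies, static entries
are not. Addresses come from the equipment table; the forged reply is a
constructed sample.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ArpEntry:
    mac: str
    static: bool = False  # static entries are never overwritten by learning


@dataclass
class SwitchArpTable:
    entries: Dict[str, ArpEntry] = field(default_factory=dict)
    learning_enabled: bool = True
    alerts: List[str] = field(default_factory=list)  # assumed defender log

    def learn(self, ip: str, mac: str) -> bool:
        """Process an ARP reply binding ip -> mac. Returns True if the table changed."""
        current = self.entries.get(ip)
        if current is not None and current.mac != mac:
            # A reply that disagrees with the existing binding is exactly the
            # pattern in the text (A claiming C's IP); log it whether or not
            # the table is allowed to accept it.
            self.alerts.append(
                f"ARP conflict: {ip} was {current.mac}, reply claims {mac}"
            )
        if not self.learning_enabled:
            return False  # 'forbid ARP learning' configured: ignore the reply
        if current is not None and current.static:
            return False  # static entry: never refreshed by learning
        if current is not None and current.mac == mac:
            return False  # same binding, only the age timer would refresh
        self.entries[ip] = ArpEntry(mac)
        return True

    def convert_dynamic_to_static(self) -> int:
        """Model of 'ip arp-security convert': freeze every learned entry."""
        converted = 0
        for entry in self.entries.values():
            if not entry.static:
                entry.static = True
                converted += 1
        return converted

    def resolve(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry.mac if entry else None


def initial_table() -> SwitchArpTable:
    """Switch table after A, B and C have been learned normally."""
    table = SwitchArpTable()
    table.learn("192.168.2.1", "00-00-00-00-00-01")  # A
    table.learn("192.168.1.2", "00-00-00-00-00-02")  # B
    table.learn("192.168.2.3", "00-00-00-00-00-03")  # C
    return table


# Constructed sample: the reply from the text, C's IP bound to A's MAC.
SPOOFED_REPLY = ("192.168.2.3", "00-00-00-00-00-01")


def unprotected_switch() -> Optional[str]:
    """Dynamic entries, learning on: the forged reply rewrites C's binding."""
    table = initial_table()
    table.learn(*SPOOFED_REPLY)
    return table.resolve("192.168.2.3")


def protected_switch() -> Tuple[Optional[str], int, bool, List[str]]:
    """Entries converted to static and learning disabled: C's binding survives."""
    table = initial_table()
    converted = table.convert_dynamic_to_static()
    table.learning_enabled = False
    changed = table.learn(*SPOOFED_REPLY)
    return table.resolve("192.168.2.3"), converted, changed, table.alerts


if __name__ == "__main__":
    print("unprotected switch resolves C to:", unprotected_switch())
    mac, converted, changed, alerts = protected_switch()
    print("protected switch resolves C to:", mac,
          "| entries converted:", converted, "| table changed:", changed)
    for line in alerts:
        print(line)
```

In the unprotected run C's IP resolves to A's MAC after a single forged reply; in the protected run the three learned entries are frozen, the reply changes nothing, and the only trace is the conflict alert, which is the event worth forwarding to a monitoring system even when the table itself is safe.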
[Figure: hosts A, B and C connected to the Switch]