Commands for Preventing ARP, ND Spoofing

6.3 Commands for Preventing ARP, ND Spoofing

6.3.1 ip arp-security updateprotect

Command: ip arp-security updateprotect
no ip arp-security updateprotect
Function: Forbid automatic ARP table updates. The no command enables the automatic updates of the ARP table.
Parameters: None.
Command mode: Global Mode / Interface Configuration
Default: Automatic ARP table updates.
Usage guide: When automatic ARP table updates are forbidden, ARP packets that conflict with an existing ARP item (e.g. same IP but different MAC or port) are dropped. All other packets are accepted and either refresh the aging timer of the matching item or create a new item. The existing ARP item remains unchanged, and new items are still learned.
Example: Forbid automatic ARP table updates.

active500EM(config-if-vlan1)#ip arp-security updateprotect
active500EM(config)#ip arp-security updateprotect

 

6.3.2 ipv6 nd-security updateprotect

Command: ipv6 nd-security updateprotect
no ipv6 nd-security updateprotect
Function: Forbid IPv6 ND automatic update. The no command resets the ND automatic update function.
Parameters: None.
Command mode: Global Mode / Interface Configuration
Default: Update ND normally.
Usage guide: When automatic ND table updates are forbidden, ND packets that conflict with an existing ND item (e.g. same IP but different MAC or port) are dropped. All other packets are accepted and either refresh the aging timer of the matching item or create a new item. The existing ND item remains unchanged, and new items are still learned.
Example: Forbid IPv6 ND Automatic update.

active500EM(config-if-vlan1)#ipv6 nd-security updateprotect
active500EM(config)#ipv6 nd-security updateprotect

 

6.3.3 ip arp-security learnprotect

Command: ip arp-security learnprotect
no ip arp-security learnprotect
Function: Forbid the IPv4 ARP learning function. The no command enables ARP learning.
Parameters: None.
Command mode: Global Mode / Interface Configuration
Default: ARP learning enabled.
Usage guide: This command prevents automatic ARP learning and updating. Unlike "ip arp-security updateprotect", once this command is applied, entries still time out even if the switch continues to send request/reply messages.
Example: Forbid the IPv4 ARP learning function.

active500EM(config-if-vlan1)#ip arp-security learnprotect
active500EM(config)#ip arp-security learnprotect

 

6.3.4 ipv6 nd-security learnprotect

Command: ipv6 nd-security learnprotect
no ipv6 nd-security learnprotect
Function: Forbid IPv6 ND learning. The no command enables ND learning.
Parameters: None.
Command mode: Global Mode / Interface Configuration
Default: ND learning enabled.
Usage guide: This command prevents automatic ND learning and updating. Unlike "ipv6 nd-security updateprotect", once this command is applied, entries still time out even if the switch continues to send request/reply messages.
Example: Forbid IPv6 ND learning.

active500EM(config-if-vlan1)#ipv6 nd-security learnprotect
active500EM(config)#ipv6 nd-security learnprotect

 

6.3.5 ip arp-security convert

Command: ip arp-security convert
Function: Change all dynamic ARP to static ARP.
Parameters: None.
Command mode: Global Mode / Interface Configuration
Default: None.
Usage guide: This command will convert the dynamic ARP entries to static ones. This command disables automatic learning and can prevent ARP binding.
Example: Change all dynamic ARP to static ARP.

active500EM(config-if-vlan1)#ip arp-security convert
active500EM(config)#ip arp-security convert

 

6.3.6 ipv6 nd-security convert

Command: ipv6 nd-security convert
Function: Change all dynamic ND to static ND.
Parameters: None.
Command mode: Global Mode / Interface Configuration
Default: None.
Usage guide: This command will convert dynamic ND entries to static ones. It disables automatic learning and can prevent ND binding.
Example: Change all dynamic ND to static ND.

active500EM(config-if-vlan1)#ipv6 nd-security convert
active500EM(config)#ipv6 nd-security convert

 

6.3.7 clear ip arp dynamic

Command: clear ip arp dynamic
Function: Clear all dynamic ARP on the interface.
Parameters: None.
Command mode: Interface Configuration
Default: None.
Usage guide: This command will clear dynamic entries before binding ARP.
Example: Clear all dynamic ARP on the interface.

active500EM(config-if-vlan1)#clear ip arp dynamic

 

6.3.8 clear ipv6 nd dynamic

Command: clear ipv6 nd dynamic
Function: Clear all dynamic ND on the interface.
Parameters: None.
Command mode: Interface Configuration
Default: None.
Usage guide: This command will clear dynamic entries before binding ND.
Example: Clear all dynamic ND on the interface.

active500EM(config-if-vlan1)#clear ipv6 nd dynamic

 

