北电5510和8600交换机防止arp欺骗的官方解决方案 - 新补天网

北电5510和8600交换机防止arp欺骗的官方解决方案

来源：北电作者：发布时间：2008-03-14 点击：

In release BOSS 4.2 for the ERS5510, you can enable ARP Spoofing Detection via the WEB
interface or by using a CLI command as shown below.
CLI
• 5510-48T(config)#interface fastEthernet <ALL|port|slot/port>
• 5510-48T(config)#qos arp spoofing [port <port_list>] enable default-gateway <a.b.c.d>
where
Parameter Description
port <port_list> The list of ports to enable QoS ARP spoofing application
on.
default-gateway <A.B.C.D> The IP address of the default gateway to use.

在支持三层交换的版本里面，命令有所更新，在需要防止欺骗的vlan里面做，建议每个vlan都做

ES 8600 with R-Modules:
Assuming:
• The default gateway is 10.1.25.1
• The user ports are ports 4/25-4/27
NOTE: The items high-lighted in red in the configuration file below is the default gateway address
#
# R-MODULE FILTER CONFIGURATION
#
filter act 1 create
filter act 1 ethernet dstMac
filter act 1 arp operation
filter act 1 pattern p1 add ether-begin 224 32
filter act 1 pattern p2 add ether-begin 304 32
filter act 1 apply
filter acl 1 create inPort act 1
filter acl 1 port add 4/25-4/27
filter acl 1 ace 1 create
filter acl 1 ace 1 action permit
filter acl 1 ace 1 debug count enable
filter acl 1 ace 1 ethernet dst-mac eq ff:ff:ff:ff:ff:ff
filter acl 1 ace 1 arp operation eq arprequest
filter acl 1 ace 1 enable
filter acl 1 ace 2 create
filter acl 1 ace 2 action deny
filter acl 1 ace 2 debug count enable
filter acl 1 ace 2 arp operation eq arprequest
filter acl 1 ace 2 enable
filter acl 1 ace 3 create
filter acl 1 ace 3 action deny
filter acl 1 ace 3 debug count enable
filter acl 1 ace 3 advanced custom-filter1 p1 eq a011901
filter acl 1 ace 3 enable
filter acl 1 ace 4 create
filter acl 1 ace 4 action deny
filter acl 1 ace 4 debug count enable
filter acl 1 ace 4 advanced custom-filter2 p2 eq a011901
filter acl 1 ace 4 enable
filter acl 1 ace 5 create
filter acl 1 ace 5 action permit
filter acl 1 ace 5 debug count enable
filter acl 1 ace 5 arp operation eq arpresponse
filter acl 1 ace 5 enable
#
# R-MODULE FILTER CONFIGURATION
#
filter act 1 create
filter act 1 arp operation
filter act 1 pattern p1 add ether-begin 224 32
filter act 1 apply
filter acl 1 create inPort act 1
filter acl 1 port add 4/25
filter acl 1 ace 1 create
filter acl 1 ace 1 action deny
filter acl 1 ace 1 debug count enable
filter acl 1 ace 1 advanced custom-filter1 p1 eq a011901
filter acl 1 ace 1 enable

上一篇：解决忘记Cisco路由器密码的问题下一篇：SSL/TLS/WTLS原理

小鸟：（注册）　密码：　匿名　

评论内容：（不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。）

热门搜索：　FTP 　防火墙　 nat 　arp 　usb禁用

·不要小看路由器引发的故障
·Cisco设备中的ARP命令介绍及ARP欺骗防范技巧
·保证无线网络安全的七个技巧
·X.509第三版的证书结构
·SSL/TLS/WTLS原理
·北电5510和8600交换机防止arp欺骗的官方解决方案
·解决忘记Cisco路由器密码的问题
·路由器默认密码
·轻松九步加强边界路由器的安全防护能力
·加装防火墙前后的路由器配置[Cisco]

·不要小看路由器引发的故障(03-15)
·Cisco设备中的ARP命令介绍及ARP欺骗防范技巧(03-15)
·保证无线网络安全的七个技巧(03-14)
·X.509第三版的证书结构(03-14)
·SSL/TLS/WTLS原理(03-14)
·北电5510和8600交换机防止arp欺骗的官方解决方(03-14)
·解决忘记Cisco路由器密码的问题(03-14)
·路由器默认密码(03-14)
·轻松九步加强边界路由器的安全防护能力(03-14)
·加装防火墙前后的路由器配置[Cisco](01-27)

·路由器默认密码

·加装防火墙前后的路由器配置[Cisco](44)
·Cisco设备中的ARP命令介绍及ARP欺骗防范技巧(25)
·不要小看路由器引发的故障(20)
·路由器默认密码(18)
·保证无线网络安全的七个技巧(10)
·轻松九步加强边界路由器的安全防护能力(9)
·SSL/TLS/WTLS原理(7)
·解决忘记Cisco路由器密码的问题(6)
·X.509第三版的证书结构(4)
·北电5510和8600交换机防止arp欺骗的官方解决方(3)

关于本文的全部评论