How to prevent ARP spoofing under static ip?

GTAC-Sophia (Ruijie Staff), 2023-7-14 11:01:56
1. Port-security + ARP-check solution
2. Global IP&MAC binding + ARP-check solution
Introduction of Port-security + ARP-check solution
Port-security + ARP-check solution: Through the port-security function, the correct IP and MAC of the user are written into the hardware table entry of the switch, and the ARP-check function is used to verify the correctness of the ARP message. If a legitimate user's information is not bound, or if an illegal IP or MAC accesses the network, the ARP-check will fail and the user will not be able to use the network.
Applied scenarios

This solution is suitable for environments without 802.1X authentication, where user IP addresses are statically assigned. It also needs to be clear which port of the switch each user is connected to.
Advantages: Very tight control; ARP messages are verified directly in hardware, which is accurate and consumes no CPU.
Disadvantages: Port security must be configured port by port and all user IP and MAC information must be collected, so it is more complicated to configure and not flexible enough; it is not suitable for users who need to frequently migrate between ports.
Case of configuration

a) Requirement

The access switch connects PCs which use static IP addresses. In order to prevent ARP spoofing, the ARP spoofing problem is solved by using the port IP+MAC binding form + ARP-check solution.
b) Network Topology



Configuration Tips:
1. Enable the port security function on the port of the access switch connected to the user, and set IP+MAC binding.
2. Enable the arp-check function on the port of the access switch connecting to the user
c) Configuration

1) Configuration on the Core SW:
Configure the IP address of the Core SW, i.e. the gateway address of the users
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-VLAN 10)#end
Ruijie#wr
2) Configuration on the Access SW
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface fastEthernet 0/1
Ruijie(config-if-FastEthernet 0/1)#switchport port-security binding 0021.CCCF.6F70 vlan 10 192.168.1.1   ------> bind the PC belonging to vlan 10 with mac address 0021.CCCF.6F70 and ip address 192.168.1.1 to the first 100 megabit interface of the switch
Ruijie(config-if-FastEthernet 0/1)#switchport port-security   ------> Enable port security
Ruijie(config-if-FastEthernet 0/1)#arp-check   ------> Enable arp-check
Ruijie(config-if-FastEthernet 0/1)#end
Ruijie#write
The requirement is that port Fa0/2 can only connect computers with an ip address of 192.168.1.2 and a mac address of 0023.5abd.1975; if either does not match, the user is considered non-compliant with the security rules.
Ruijie(config)#interface fastEthernet 0/2
Ruijie(config-if-FastEthernet 0/2)#switchport port-security binding 0023.5abd.1975 vlan 10 192.168.1.2   ------> bind the PC belonging to vlan 10 with mac address 0023.5abd.1975 and ip address 192.168.1.2 to the second 100 megabit interface of the switch
Ruijie(config-if-FastEthernet 0/2)#switchport port-security   ------> Enable port security
Ruijie(config-if-FastEthernet 0/2)#arp-check   ------> Enable arp-check
Ruijie(config-if-FastEthernet 0/2)#end
Ruijie#write

If restrictions only exist on the IP of the access device and there is no restriction on the mac address, it is sufficient to bind the IP address to the interface, which is less secure but more flexible.
Ruijie(config)#interface fastEthernet 0/3
Ruijie(config-if-FastEthernet 0/3)#switchport port-security binding 192.168.1.3   ------> Bind the PC with the ip address 192.168.1.3 to the third 100 megabit interface of the switch
Ruijie(config-if-FastEthernet 0/3)#switchport port-security   ------> Enable port security
Ruijie(config-if-FastEthernet 0/3)#arp-check   ------> Enable arp-check
Ruijie(config-if-FastEthernet 0/3)#end
Ruijie#write

Cautions:
If a security channel is enabled (its priority is higher than 802.1X authentication), for example because users need to reach the IPs of some school web pages before authentication, the users' ARP packets must be allowed to pass in advance so that they can communicate with the gateway. Because the security channel has the higher priority, this causes the anti-ARP-spoofing function to fail.
Ruijie(config)#expert access-list extended permit1x
Ruijie(config-exp-nacl)#permit ip any any host 211.58.23.11 any
Ruijie(config-exp-nacl)#permit arp any any any any any   ------> Release ARP message interaction between user and gateway

Ruijie(config)#security global access-group permit1x

Verification:
1) Check the IP+MAC binding under port security
Ruijie#show port-security address
2) Check the users detected by ARP-Check
Ruijie#show interfaces arp-check list

Introduction of Global IP&MAC binding + ARP-check solution
This solution is suitable for environments without 802.1X authentication where user IP addresses are statically assigned. The administrator does not need to know exactly which port of the switch each user is connected to. It is particularly suitable for scenarios where the customer is unclear about the network's interconnected ports, the distribution of users, or where the user PCs connect ports of the switch at will.
Advantages: strict control, but weaker control than port security, as its address is not bound to a port. Applies a hardware method of directly verifying ARP messages, which is accurate and does not consume CPU.
Disadvantages: Must be configured one by one and collect all user IPs and MACs, more cumbersome to configure, but more flexible than port security, no need to confirm IPs correspond to ports, suitable for scenarios where users have flexible migration requirements on the ports of the switch.
Applied scenarios

The access switch connects PCs which use static IP addresses. In order to prevent ARP spoofing, the ARP spoofing problem is solved by using the Global IP+MAC binding form + ARP-check solution.


Configuration Tips:
1. IP+MAC binding in global mode on the access switch
2. Enable trusted ports on the access switch
3. Enable the address-bind function globally
4. Enable the arp-check function on the port of the access switch connecting to the user
Configuration:
1) Configuration on the Core SW:
Configure the IP address of the Core SW, i.e. the gateway address of the users
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-VLAN 10)#end
Ruijie#wr

2) Configuration on the Access SW
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#address-bind 192.168.1.1 0021.cccf.6f70   ------> bind the user with IP 192.168.1.1 and mac 0021.cccf.6f70
Ruijie(config)#address-bind 192.168.1.2 0023.5abd.1975   ------> bind the user with IP 192.168.1.2 and mac 0023.5abd.1975
Ruijie(config)#address-bind uplink gigabitEthernet 0/25   ------> sets port 25 as the uplink port, which is not checked; all user messages can pass through it
Ruijie(config)#address-bind install   ------> Enable this function globally
Ruijie(config)#interface range fastEthernet 0/1-2
Ruijie(config-if-range)#arp-check   ------> Enable ARP-Check under the interface
Ruijie(config-if-range)#end
Ruijie#write
Notes:
1. After address-bind install is enabled globally, all matched users can access the Internet, but users who are not bound or whose IP/MAC does not match the binding cannot access the external network.
2. For bound users, the corresponding IPv6 messages cannot pass, so if you want correctly bound users to also use IPv6 addresses for access, you need to set the IPv6 mode of the switch to compatible mode:
Ruijie(config)#address-bind ipv6-mode ?
  compatible   IPv6 compatible mode   ------> Compatible mode: bound MAC users can access the external network with IPv6 addresses
  loose        IPv6 loose mode        ------> Loose mode: all IPv6 addresses can access the IPv6 network
  strict       IPv6 strict mode (default: strict)   ------> Strict mode: the switch works in this mode by default; even a correctly bound user cannot use an IPv6 address to access the external network
Ruijie(config)#address-bind ipv6-mode compatible
3. The bound user has nothing to do with the interface. On the same switch, access is not controlled by the interface: as long as the binding is correct, the user can access the Internet on any port of that switch.
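Both solutions share the same pain point named above: every user's IP and MAC must be collected and entered one by one. The following added example (not Ruijie's code) generates the port-security configuration of solution 1 and the global address-bind configuration of solution 2 from one constructed inventory, and models the ARP-check decision so the difference between the two solutions (per-port versus switch-wide binding) is visible. The inventory rows, the uplink port and the helper names are assumptions; the command syntax is the one shown in this post.

```python
# Added example, not part of the original post: builds both binding
# configurations from a constructed inventory and models ARP-check.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    ip: str
    mac: str    # Ruijie dotted format, e.g. 0021.cccf.6f70
    vlan: int
    port: str   # access port the PC is cabled to (only solution 1 needs it)


# Constructed inventory matching the PCs used in this post.
USERS = [
    User("192.168.1.1", "0021.cccf.6f70", 10, "fastEthernet 0/1"),
    User("192.168.1.2", "0023.5abd.1975", 10, "fastEthernet 0/2"),
]


def port_security_config(users):
    """Solution 1: per-port IP+MAC binding plus arp-check on each user port."""
    lines = []
    for u in users:
        lines += [f"interface {u.port}",
                  f" switchport port-security binding {u.mac} vlan {u.vlan} {u.ip}",
                  " switchport port-security",
                  " arp-check",
                  " exit"]
    return "\n".join(lines)


def address_bind_config(users, uplink="gigabitEthernet 0/25"):
    """Solution 2: global IP+MAC binding, unchecked uplink, arp-check on user ports."""
    lines = [f"address-bind {u.ip} {u.mac}" for u in users]
    lines += [f"address-bind uplink {uplink}", "address-bind install"]
    for u in users:
        lines += [f"interface {u.port}", " arp-check", " exit"]
    return "\n".join(lines)


def arp_check(users, ingress_port, sender_ip, sender_mac, per_port=True):
    """Model of the hardware check: an ARP message passes only if its sender
    IP/MAC pair is bound and, with per-port binding (solution 1), bound to
    the port it arrived on. A forged gateway IP or an unbound host is dropped."""
    for u in users:
        if u.ip == sender_ip and u.mac.lower() == sender_mac.lower():
            return (not per_port) or u.port == ingress_port
    return False
```

With per_port=False the same function reproduces note 3 above: a correctly bound user passes on any port of the switch.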

Verification
1) Check the bound users
Ruijie#show address-bind
2) Check the exception port
Ruijie#show address-bind uplink
3) Check the users detected by ARP-Check
Ruijie#show interfaces arp-check list