D-Link DES-3200-10 Switch User Manual



xStack® DES-3200-10/18/28/28F Layer 2 Ethernet Managed Switch User Manual
Prevent ARP spoofing via packet content ACL
ARP spoofing is a common cause of DoS attacks today; a D-Link managed switch can effectively mitigate it via its unique Packet Content ACL.
Because the basic ACL can only filter ARP packets based on packet type, VLAN ID, and source and destination MAC information, a deeper inspection of ARP packets is needed. To prevent ARP spoofing attacks, we demonstrate here how to use the Packet Content ACL on the switch to block invalid ARP packets that carry a fake binding of the gateway's MAC and IP.
Example topology
Configuration:
The configuration logic is listed below:
1. Only an ARP packet whose Ethernet source MAC address, ARP sender MAC address and ARP sender IP address all match the expected binding can pass through the switch. (In this example, this is the gateway's ARP.)
2. The switch denies all other ARP packets that claim to come from the gateway's IP.
The design of the Packet Content ACL on the DES-3528/DES-3552 Switch Series enables users to inspect any offset_chunk. An offset_chunk is a 4-byte block, expressed in HEX format, which is used to match an individual field in an Ethernet frame. Each profile may contain up to a maximum of 4 offset_chunks. Furthermore, only a single Packet Content ACL profile is supported per switch. In other words, at most 16 bytes of offset_chunks in total can be applied per profile and per switch. Therefore, the scarce offset_chunks must be planned carefully when designing the configuration.
In Table-6, you will notice that Offset_Chunk0 starts at byte 127 and ends at the 2nd byte. Note also that offset_chunk byte positions are counted from 1, not from 0.
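As an added illustration (not from the D-Link manual), the following Python models the Packet Content ACL logic described above: one profile of four 4-byte offset_chunks with hex masks, and the two rules of the configuration logic evaluated in order against a frame. The gateway MAC/IP values, the 0-based chunk offsets and the frame builder are assumptions; the Ethernet source MAC is left to the basic ACL because all four chunks are spent on the ARP sender fields.

```python
import struct

MAX_CHUNKS = 4                               # per-profile limit stated above
GATEWAY_MAC = bytes.fromhex("00e04c112233")  # constructed value
GATEWAY_IP = bytes([192, 168, 1, 1])         # constructed value

# The one profile: (byte offset, mask) of each 4-byte offset_chunk. Offsets are
# 0-based frame offsets here (an assumption for clarity; the switch's Table-6
# numbering counts from 1). Ethernet source MAC (bytes 6-11) is left to the
# basic ACL because the four-chunk budget is spent on the ARP sender fields.
PROFILE = [
    (12, 0xFFFF0000),  # bytes 12-13: EtherType (0x0806 = ARP)
    (22, 0xFFFFFFFF),  # bytes 22-25: ARP sender MAC, first four bytes
    (26, 0xFFFFFFFF),  # bytes 26-27: sender MAC tail; 28-29: sender IP head
    (30, 0xFFFF0000),  # bytes 30-31: sender IP tail
]
assert len(PROFILE) <= MAX_CHUNKS

def chunks(frame: bytes) -> list:
    """Read every offset_chunk of the profile as a masked 32-bit integer."""
    return [struct.unpack("!I", frame[o:o + 4].ljust(4, b"\0"))[0] & m
            for o, m in PROFILE]

def rule(action: str, sender_mac: bytes = None, sender_ip: bytes = None):
    """Turn 'ARP whose sender fields equal these values' into per-chunk
    (wanted value, care mask) pairs; a field left as None is not inspected."""
    value, care = bytearray(42), bytearray(42)
    struct.pack_into("!H", value, 12, 0x0806); care[12:14] = b"\xff\xff"
    if sender_mac: value[22:28] = sender_mac; care[22:28] = b"\xff" * 6
    if sender_ip:  value[28:32] = sender_ip;  care[28:32] = b"\xff" * 4
    return action, list(zip(chunks(bytes(value)), chunks(bytes(care))))

# Rule order from the text: permit the gateway's genuine ARP, then deny any
# other ARP that claims the gateway IP; everything else is forwarded.
ACL = [rule("permit", GATEWAY_MAC, GATEWAY_IP), rule("deny", sender_ip=GATEWAY_IP)]

def acl_action(frame: bytes) -> str:
    """First matching rule wins, as on the switch; the default is permit."""
    got = chunks(frame)
    for action, match in ACL:
        if all(g & care == want for g, (want, care) in zip(got, match)):
            return action
    return "permit"

def arp_frame(src_mac: bytes, sender_mac: bytes, sender_ip: bytes) -> bytes:
    """Minimal broadcast Ethernet/ARP reply frame (constructed test input)."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sender_mac + sender_ip
           + b"\x00" * 6 + bytes([192, 168, 1, 10]))
    return eth + arp
```

A frame from another host that uses its own IP falls through both rules and is forwarded, while a frame claiming the gateway IP from any other sender MAC hits the deny rule.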