D-Link DES-3528 User Manual page 265

xStack DES-3528 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual
Prevent ARP spoofing via packet content ACL
Concerning the common DoS attack today caused by ARP spoofing, the D-Link managed switch can effectively mitigate it via its unique Packet Content ACL.
Because the basic ACL can only filter ARP packets based on packet type, VLAN ID, and Source and Destination MAC information, further inspection of ARP packets is needed. To prevent an ARP spoofing attack, we demonstrate here how to use the Packet Content ACL on the DES-3528 to block invalid ARP packets that carry a fake binding of the gateway's MAC and IP.
Configuration:
The configuration logic is listed below:
1. An ARP packet can pass through the switch only when the Source MAC address in the Ethernet header, and the Sender MAC address and Sender IP address in the ARP protocol, all match the expected binding. (In this example, it is the gateway's ARP.)
2. The switch will deny all other ARP packets which claim to be from the gateway's IP.
The design of the Packet Content ACL on the DES-3528 series enables users to inspect any offset_chunk. An offset_chunk is a 4-byte block, written in HEX format, which is used to match an individual field in an Ethernet frame. Each profile may contain up to a maximum of 4 offset_chunks. Furthermore, only one single Packet Content ACL profile is supported per switch. In other words, at most 16 bytes of offset_chunks in total can be applied per profile, and therefore per switch. The offset_chunks are a scarce resource, so plan their use carefully.
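To make the two-rule logic and the offset_chunk budget concrete, here is an added Python model of the ACL described above. It is not D-Link firmware or CLI syntax, and the gateway MAC/IP, the chosen chunk offsets (1-based, as the manual counts them) and the sample frames are all constructed for this example. The profile layout below spends its four chunks on the EtherType, the full ARP Sender MAC and Sender IP, and only the last two bytes of the Ethernet source MAC, which illustrates the kind of trade-off the 16-byte limit forces.

```python
"""Model of a two-rule Packet Content ACL against spoofed gateway ARP.

Constructed example, not D-Link code. Gateway values and frames are made up.
"""

# Constructed gateway binding for the example.
GATEWAY_MAC = bytes.fromhex("00112233aabb")
GATEWAY_IP = bytes([192, 168, 1, 1])
MAX_CHUNKS_PER_PROFILE = 4          # 4 chunks x 4 bytes = 16 bytes per profile/switch


def offset_chunk(frame: bytes, start: int) -> bytes:
    """4-byte block beginning at 1-based byte `start` (counted from 1, not 0)."""
    if start < 1:
        raise ValueError("offset_chunk positions are counted from 1")
    return frame[start - 1:start + 3]


def chunk_matches(frame: bytes, start: int, value: bytes, mask: bytes) -> bool:
    """True if (chunk & mask) == (value & mask); short frames never match."""
    chunk = offset_chunk(frame, start)
    if len(chunk) < 4:
        return False
    return all((c & m) == (v & m) for c, v, m in zip(chunk, value, mask))


# Profile: the four 1-based offsets the switch inspects (shared by every rule).
#  11: last 2 bytes of Ethernet source MAC + EtherType (bytes 11-14)
#  23: ARP Sender MAC bytes 1-4                       (bytes 23-26)
#  27: ARP Sender MAC bytes 5-6 + Sender IP bytes 1-2  (bytes 27-30)
#  31: ARP Sender IP bytes 3-4 + 2 bytes of target MAC (bytes 31-34, tail masked off)
PROFILE_OFFSETS = (11, 23, 27, 31)
assert len(PROFILE_OFFSETS) <= MAX_CHUNKS_PER_PROFILE   # stay inside the 16-byte budget

FULL = b"\xff\xff\xff\xff"
HIGH2 = b"\xff\xff\x00\x00"
LOW2 = b"\x00\x00\xff\xff"

# Rule 1 (permit): the genuine gateway ARP; every chunk must match.
RULE1_PERMIT = [
    (11, GATEWAY_MAC[4:6] + b"\x08\x06",      FULL),
    (23, GATEWAY_MAC[0:4],                    FULL),
    (27, GATEWAY_MAC[4:6] + GATEWAY_IP[0:2],  FULL),
    (31, GATEWAY_IP[2:4] + b"\x00\x00",       HIGH2),
]
# Rule 2 (deny): any other ARP whose Sender IP claims to be the gateway.
RULE2_DENY = [
    (11, b"\x00\x00\x08\x06",                 LOW2),
    (27, b"\x00\x00" + GATEWAY_IP[0:2],       LOW2),
    (31, GATEWAY_IP[2:4] + b"\x00\x00",       HIGH2),
]


def acl_decision(frame: bytes) -> str:
    """Evaluate rules in order; anything matching neither passes by default."""
    if all(chunk_matches(frame, s, v, m) for s, v, m in RULE1_PERMIT):
        return "permit"
    if all(chunk_matches(frame, s, v, m) for s, v, m in RULE2_DENY):
        return "deny"
    return "permit"


def build_arp(eth_src: bytes, sender_mac: bytes, sender_ip: bytes,
              target_ip: bytes, opcode: int = 2) -> bytes:
    """Constructed Ethernet II + ARP frame with a broadcast destination."""
    eth = b"\xff" * 6 + eth_src + b"\x08\x06"
    arp = (b"\x00\x01" + b"\x08\x00" + b"\x06" + b"\x04" + opcode.to_bytes(2, "big")
           + sender_mac + sender_ip + b"\x00" * 6 + target_ip)
    return eth + arp


if __name__ == "__main__":
    victim_ip = bytes([192, 168, 1, 50])
    other_mac = bytes.fromhex("deadbeef0001")   # constructed non-gateway host
    print("genuine gateway ARP :", acl_decision(build_arp(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, victim_ip)))
    print("spoofed gateway IP  :", acl_decision(build_arp(other_mac, other_mac, GATEWAY_IP, victim_ip)))
    print("ordinary host ARP   :", acl_decision(build_arp(other_mac, other_mac, victim_ip, GATEWAY_IP)))
```

Rule order matters: the permit for the real gateway binding is evaluated before the broad deny, so a frame that matches only the Sender IP chunks is dropped while the gateway's own announcements still pass. Ordinary host ARP never matches the gateway IP chunks and falls through to the default permit.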
In Table-6, you will notice that Offset_Chunk0 starts from byte 127 and ends at the 128th byte. It can also be seen that the offset_chunk is counted from 1, not from zero!
Example topology