Configuration - D-Link xStack DGS-3420 Series Reference Manual

xStack® DGS-3420 Series Layer 2 Managed Stackable Gigabit Switch Web UI Reference Guide
Because a basic ACL can filter ARP packets only by packet type, VLAN ID, and Source and Destination
MAC information, ARP packets need further inspection. To prevent ARP spoofing attacks, this section
demonstrates how to use a Packet Content ACL on the Switch to block invalid ARP packets that contain
a faked gateway MAC and IP binding.

Configuration

The configuration logic is as follows:
1. An ARP packet can pass through the switch only if it matches the Source MAC address in the Ethernet
header and the Sender MAC address and Sender IP address in the ARP protocol. (In this example, it is
the gateway's ARP.)
2. The switch will deny all other ARP packets which claim they are from the gateway's IP.

The design of Packet Content ACL on the Switch enables users to inspect any offset chunk. An offset chunk is a
4-byte block in HEX format, which is used to match an individual field in an Ethernet frame. Each profile can
contain a maximum of four offset chunks, and only one Packet Content ACL profile is supported per switch.
In other words, up to 16 bytes of total offset chunks can be applied to each profile and to a switch, so the
offset chunks are a scarce resource that must be planned and configured carefully.

In Table 1, you will notice that the Offset_Chunk0 starts from the 127th byte and ends at the 128th byte. Note
also that the offsets are counted from 1, not zero.

Offset Chunk   Bytes                 Offset Chunk   Bytes
Chunk0         127, 128, 1, 2        Chunk16        63, 64, 65, 66
Chunk1         3, 4, 5, 6            Chunk17        67, 68, 69, 70
Chunk2         7, 8, 9, 10           Chunk18        71, 72, 73, 74
Chunk3         11, 12, 13, 14        Chunk19        75, 76, 77, 78
Chunk4         15, 16, 17, 18        Chunk20        79, 80, 81, 82
Chunk5         19, 20, 21, 22        Chunk21        83, 84, 85, 86
Chunk6         23, 24, 25, 26        Chunk22        87, 88, 89, 90
Chunk7         27, 28, 29, 30        Chunk23        91, 92, 93, 94
Chunk8         31, 32, 33, 34        Chunk24        95, 96, 97, 98
Chunk9         35, 36, 37, 38        Chunk25        99, 100, 101, 102
Chunk10        39, 40, 41, 42        Chunk26        103, 104, 105, 106
Chunk11        43, 44, 45, 46        Chunk27        107, 108, 109, 110
Chunk12        47, 48, 49, 50        Chunk28        111, 112, 113, 114
Chunk13        51, 52, 53, 54        Chunk29        115, 116, 117, 118
Chunk14        55, 56, 57, 58        Chunk30        119, 120, 121, 122
Chunk15        59, 60, 61, 62        Chunk31        123, 124, 125, 126

Table 1 - Chunk and Packet Offset

The following figure indicates a completed ARP packet contained in Ethernet frame which is the pattern for the
calculation of packet offset.

Figure 14 - A Completed ARP Packet Contained in an Ethernet Frame
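
The chunk planning described above can be worked through in code. The following is an added example, not taken from the D-Link guide: it maps frame fields onto the offset chunks of Table 1 and produces a value and mask per chunk. Assumptions: byte 1 is the first byte of the destination MAC of an untagged frame, ARP fields follow the standard Ethernet/IPv4 layout, the first byte of a chunk is the most significant byte of its hex value, and the gateway MAC and IP are constructed sample values.

```python
MAX_CHUNKS_PER_PROFILE = 4  # limit stated in the guide

def chunk_bytes(chunk):
    """1-based byte numbers covered by Offset_Chunk<chunk>, following Table 1."""
    start = 4 * chunk - 1  # Chunk1 starts at byte 3; Chunk0 wraps to 127, 128, 1, 2
    return [(start + i - 1) % 128 + 1 for i in range(4)]

# byte number -> (chunk number, position of the byte inside the chunk)
BYTE_TO_CHUNK = {b: (c, i) for c in range(32) for i, b in enumerate(chunk_bytes(c))}

# Assumed field positions (1-based, inclusive) in an untagged Ethernet frame
# carrying an IPv4-over-Ethernet ARP packet.
FIELDS = {
    "eth_src_mac": (7, 12),
    "ethertype": (13, 14),
    "arp_sender_mac": (23, 28),
    "arp_sender_ip": (29, 32),
}

def plan(field_values):
    """Map {field name: bytes} to {chunk number: (value, mask)} as 32-bit ints."""
    chunks = {}
    for name, data in field_values.items():
        first, last = FIELDS[name]
        if len(data) != last - first + 1:
            raise ValueError(f"{name} needs {last - first + 1} bytes")
        for offset, byte in enumerate(data):
            chunk, pos = BYTE_TO_CHUNK[first + offset]
            shift = 8 * (3 - pos)  # assumption: first byte is most significant
            value, mask = chunks.get(chunk, (0, 0))
            chunks[chunk] = (value | byte << shift, mask | 0xFF << shift)
    return chunks

def fits_profile(chunks):
    """True if the plan stays within the four chunks one profile allows."""
    return len(chunks) <= MAX_CHUNKS_PER_PROFILE

# Constructed sample values for the gateway binding.
GATEWAY_MAC = bytes.fromhex("001122334455")
GATEWAY_IP = bytes([10, 10, 10, 254])

if __name__ == "__main__":
    wanted = {"ethertype": b"\x08\x06", "arp_sender_ip": GATEWAY_IP}
    for chunk, (value, mask) in sorted(plan(wanted).items()):
        print(f"Offset_Chunk{chunk}: value 0x{value:08X} mask 0x{mask:08X}")
    print("fits in one profile:", fits_profile(plan(wanted)))
```

Under these assumptions, matching the EtherType and the sender IP uses three chunks, while adding both MAC fields would touch five, which is more than one profile allows.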
