D-Link DGS-3700 user manual Example topology, Prevent ARP spoofing via packet content ACL

DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual

•Prevent ARP spoofing via packet content ACL

Concerning the common DoS attack today caused by the ARP spoofing, D-Link managed switch can effectively mitigate it via its unique Packet Content ACL.

For that reason the basic ACL can only filter ARP packets based on packet type, VLAN ID, Source and Destination MAC information, there is a need for further inspections of ARP packets. To prevent ARP spoofing attack, we will demonstrate here using Packet Content ACL on Switch to block the invalid ARP packets which contain fake gateway’s MAC and IP binding.

Example topology

Configuration:

The configuration logic is listed below:

1.Only when the ARP matches the Source MAC address in Ethernet, the Sender MAC address and Sender IP address in the ARP protocol can pass through the switch. (In this example, it is the gateway’s ARP.)

2.The switch will deny all other ARP packets which claim they are from the gateway’s IP.

The design of Packet Content ACL on the DGS-3700 Series enables users to inspect any offset_chunk. An offset_chunk is a 4-byte block in a HEX format which is utilized to match the individual field in an Ethernet frame. Each profile is allowed to contain up to a maximum of 4 offset_chunks. Furthermore, only one single profile of Packet Content ACL can be supported per switch. In other words, up to 16 bytes of total offset_chunks can be applied to each profile and a switch. Therefore, careful consideration is needed for planning the configuration of the valuable offset_chunks.

In Table-6, you will notice that the Offset_Chunk0 starts from 127 and ends at the 2nd byte. It can also be found that the offset_chunk is scratched from 1 but not zero.

264