xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch CLI Manual
Prevent ARP spoofing via packet content ACL
Concerning the common DoS attack today caused by the ARP spoofing, D-Link managed switch can effectively mitigate it via its
unique Packet Content ACL.
For the reason that basic ACL can only filter ARP packets based on packet type, VLAN ID, Source and Destination MAC
information, there is a need for further inspections of ARP packets. To prevent ARP spoofing attacks, we will demonstrate here using
the Packet Content ACL on the DES-3800 to block the invalid ARP packets which contain faked gateway’s MAC and IP binding.
Example Topology
Configuration:
The design of the Packet Content ACL on the DES-3800 series can inspect any specified content in the first 48 bytes of an ARP
packet (up to 80 bytes in total at one time). It utilizes offsets to match individual fields in the Ethernet Frame. An offset contains 16
bytes and each offset is divided into four 4-byte values in a HEX format. (refer to the configuration example below for details )
In addition, the configuration logics are:
1.
Only if the ARP matches the Source MAC addresses in Ethernet, Sender’s MAC address and Senders IP address in the ARP
protocol can it pass through the switch. (In this example, it is gateway’s ARP.)
2.
The switch will deny all other ARP packets which claim they are from the gateway’s IP.
When calculating packet offset on DES-3800 series, remember that even though a
port is an untagged port, the packet will add additional
4 bytes
of 802.1Q header (TCI)
for switching internal process, shown in Figure-6.
All packets will be added additional 4 bytes to assign PVID for switching internal process.
446