Home » D-Link Manuals » Hubs & Switches » D-Link DES-3550 » Manual Viewer

D-Link DES-3550 Product Manual - Page 285

 Prevent ARP spoofing via packet content ACL, Configuration:

UPC - 790069266317

Add to My Manuals
Save this manual to your list of manuals

Page 285 highlights

xStack® DES-3500 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual • Prevent ARP spoofing via packet content ACL Concerning the common DoS attack today caused by the ARP spoofing, D-Link managed switch can effectively mitigate it via its unique Packet Content ACL. For that reason the basic ACL can only filter ARP packets based on packet type, VLAN ID, Source and Destination MAC information, there is a need for further inspections of ARP packets. To prevent ARP spoofing attack, we will demonstrate here using Packet Content ACL on DES-3526 to block the invalid ARP packets which contain fake gateway's MAC and IP binding. Example topology Configuration: The configuration logic is listed below: 1. Only when the ARP matches the Source MAC address in Ethernet, the Sender MAC address and Sender IP address in the ARP protocol can pass through the switch. (In this example, it is the gateway's ARP.) 2. The switch will deny all other ARP packets which claim they are from the gateway's IP. The design of Packet Content ACL on DES-3500 series enables users to inspect any offset_chunk. An offset_chunk is a 4-byte block in a HEX format which is utilized to match the individual field in an Ethernet frame. Each profile is allowed to contain up to a maximum of 4 offset_chunks. Furthermore, only one single profile of Packet Content ACL can be supported per switch. In other words, up to 16 bytes of total offset_chunks can be applied to each profile and a switch. Therefore, careful consideration is needed for planning the configuration of the valuable offset_chunks. In Table-6, you will notice that the Offset_Chunk0 starts from 127 and ends at the 128th byte. It can also be found that the offset_chunk is scratched from 1 but not zero!!! 270

Section	Page
	1
Table of Contents	3
	9
Preface	10
	10
Intended Readers	11
Typographical Conventions	11
Bold font	11
	11
Notes, Notices, and Cautions	11
Safety Instructions	12
Safety Cautions	12
General Precautions for Rack-Mountable Products	13
Protecting Against Electrostatic Discharge	14
Switch Description	15
Features	15
Ports	15
Front-Panel Components	15
Side Panel Description	15
Rear Panel Description	15
Gigabit Combo Ports	15
Switch Description	15
Features	15
Ports	16
	16
Front-Panel Components	17
LED Indicators	18
Rear Panel Description	19
Side Panel Description	19
Gigabit Combo Ports	20
Package Contents	22
Before You Connect to the Network	22
Installing the Switch without the Rack	22
Rack Installation	22
Power On	22
Package Contents	22
Before You Connect to the Network	22
Installing the Switch without the Rack	23
Installing the Switch in a Rack	24
Mounting the Switch in a Standard 19\	25
Power On (AC Power)	26
Power Failure	26
Connecting DC Power to DES-3526DC	26
Switch to End Node	27
Switch to Hub or Switch	27
Connecting To Network Backbone or Server	27
Switch to End Node	27
Switch to Hub or Switch	28
Connecting To Network Backbone or Server	29
Management Options	30
Web-based Management Interface	30
SNMP-Based Management	30
Managing User Accounts	30
Command Line Console Interface through the Serial Port	30
Connecting the Console Port (RS-232 DCE)	30
First Time Connecting to the Switch	30
Password Protection	30
SNMP Settings	30
IP Address Assignment	30
Connecting Devices to the Switch	30
Management Options	30
Web-based Management Interface	30
SNMP-Based Management	30
Connecting the Console Port (RS-232 DCE)	30
First Time Connecting to the Switch	32
Password Protection	32
	33
SNMP Settings	34
	34
Traps	34
MIBs	34
IP Address Assignment	35
Connecting Devices to the Switch	36
Introduction	37
Login to Web manager	37
Web-Based User Interface	37
Basic Setup	37
Reboot	37
Basic Switch Setup	37
Network Management	37
Switch Utilities	37
Network Monitoring	37
IGMP Snooping Status	37
Introduction	37
Login to Web Manager	37
Web-based User Interface	38
Areas of the User Interface	38
Web Pages	39
Switch Information	40
IP Address	40
Advanced Settings	40
Port Configuration	40
Port Description	40
Port Mirroring	40
Link Aggregation	40
LACP Port Setting	40
MAC Notification	40
IGMP	40
Spanning Tree	40
Forward Filtering	40
VLANs	40
Traffic Control	40
Port Security	40
QoS	40
System Severity Settings	40
System Log Server	40
SNTP Settings	40
ACL	40
Time Range Settings	40
IP-MAC Binding	40
Limited IP Multicast Range Settings	40
Layer 3 IP Networking	40
LLDP	40
	40
Switch Information	41
IP Address	41
Advanced Settings	45
Port Configuration	47
Port Description	49
Port Mirroring	50
	50
Link Aggregation	51
Understanding Port Trunk Groups	51
LACP Port Setting	54
MAC Notification	55
MAC Notification Port Settings	56
IGMP	57
IGMP Snooping	57
Static Router Ports Entry	59
Forbidden Router Ports Entry	60
IGMP Multicast VLAN	61
Spanning Tree	64
802.1s MSTP	64
802.1w Rapid Spanning Tree	64
Port Transition States	64
Edge Port	65
P2P Port	65
802.1d/802.1w/802.1s Compatibility	65
STP Bridge Global Settings	66
MST Configuration Table	69
MSTI Settings	71
STP Instance Settings	72
	73
MSTP Port Information	74
Loopback Detection	77
Forwarding Filtering	78
Unicast Forwarding	78
Multicast Forwarding	79
Multicast Port Filtering Mode	80
VLANs	82
Understanding IEEE 802.1p Priority	82
VLAN Description	82
Notes about VLANs on the xStack® DES-3500 Series switches	82
IEEE 802.1Q VLANs	82
802.1Q VLAN Tags	84
Port VLAN ID	84
Tagging and Untagging	85
Ingress Filtering	85
Default VLANs	85
Port-based VLANs	86
VLAN Segmentation	86
Asymmetric VLANs	87
VLAN and Trunk Groups	88
Static VLAN Entry	88
GVRP Setting	91
Traffic Control	92
Port Security	96
QoS	97
Advantages of QoS	97
Understanding QoS	98
Port Bandwidth	99
Scheduling	100
802.1p Default Priority	101
802.1p User Priority	101
Traffic Segmentation	102
System Severity Alerts	103
System Log Server	103
SNTP Settings	105
Time Setting	105
Time Zone and DST	106
	108
ACL	108
Access Profile Table	108
ACL Flow Meter	126
CPU Interface Filtering	127
CPU Interface Filtering Profile Table	127
Time Range Settings	138
IP-MAC Binding	138
ACL Mode	138
IP-MAC Binding Port	141
IP-MAC Binding Table	142
IP-MAC Binding Blocked	143
DHCP Snooping Entries	143
IP-MAC Binding Permit IP Pool	144
Limited IP Multicast Range	145
Limited IP Multicast Range Profile Settings	145
Limited IP Multicast Range Status Setting	146
Limited IP Multicast Range Setting	147
Layer 3 IP Networking	148
Static ARP Table	148
Gratuitous ARP Settings	149
DHCP/BOOTP Relay	150
DHCP / BOOTP Relay Global Settings	150
The Implementation of DHCP Information Option 82 in the xStack® DES-3500 Series switches	152
DHCP/BOOTP Relay Interface Settings	153
	153
DHCP Option 60 Settings	154
DHCP Option 61 Settings	155
DHCP Local Relay Settings	156
LLDP	157
LLDP Global Settings	157
	158
Basic LLDP Port Settings	159
802.1 Extension LLDP Port Settings	160
802.3 Extension LLDP Port Settings	161
LLDP Management Address Settings	162
LLDP Statistics	163
LLDP Management Address Table	164
LLDP Local Port Table	164
LLDP Remote Port Information	167
Tustred Host	168
User Accounts	168
Port Access Entity	168
Access Authentication Control	168
Secure Sockets Layer (SSL)	168
Secure Shell (SSH)	168
SNMP Manager	168
Safeguard Engine Settings	168
Filter	168
ARP Spoofing Prevention	168
Trusted Host	168
User Accounts	169
Port Access Entity (802.1X)	171
802.1x Port-Based and MAC-Based Access Control	171
Authentication Server	172
Authenticator	172
Client	173
Authentication Process	173
Port-Based Network Access Control	174
MAC-Based Network Access Control	175
Configure Authenticator	176
PAE System Control	179
Port Capability	179
	180
Initializing Ports for Port Based 802.1x	180
Initializing Ports for MAC Based 802.1x	181
Reauthenticate Port(s) for Port Based 802.1x	181
Reauthenticate Port(s) for MAC Based 802.1x	182
RADIUS Server	182
Guest VLANs	183
Limitations Using the Guest VLAN	183
Guest VLAN Configuration	184
Access Authentication Control	184
Policy & Parameters	186
Application's Authentication Settings	186
Authentication Server Group	187
Authentication Server Hosts	188
Login Method Lists	190
Enable Method Lists	191
Local Enable Password	192
Enable Admin	192
Secure Socket Layer (SSL)	195
Download Certificate	195
Configuration	196
Secure Shell (SSH)	197
SSH Configuration	197
SSH Algorithm	198
SSH User Authentication	200
SNMP Manager	202
SNMP Settings	202
Traps	202
MIBs	202
SNMP User Table	203
SNMP View Table	205
SNMP Group Table	206
SNMP Community Table	207
SNMP Host Table	208
SNMP Engine ID	209
SNMP Trap	209
Safeguard Engine	211
Filter	213
DHCP Server Screening Setting	213
DHCP Client Filtering Setting	214
NetBIOS Filtering Setting	215
CPU Filtering Settings	217
ARP Spoofing Prevention	217
Port Utilization	219
CPU Utilization	219
Memory Usage	219
Packets	219
Errors	219
Size	219
MAC Address	219
Switch History Log	219
IGMP Snooping Group	219
IGMP Snooping Forwarding	219
VLAN Status	219
Router Port	219
Port Access Control	219
Layer 3 Feature	219
Safeguard Engine Status	219
Cable Diagnostic	219
Port Utilization	219
	220
CPU Utilization	220
	220
Memory Usage	220
Packets	222
Received (RX)	222
UMB Cast (RX)	223
Transmitted (TX)	226
	227
Errors	228
Received (RX)	228
	229
Transmitted (TX)	230
Size - Packet Size	231
	233
MAC Address	234
Switch History Log	235
	235
IGMP Snooping Group	236
IGMP Snooping Forwarding	237
	237
VLAN Status	238
Router Port	238
Port Access Control	238
Authenticator State	239
Layer 3 Features	241
Browse ARP Table	241
Safeguard Engine Status	242
Cable Diagnostic	243
TFTP Services	244
Multiple Image Services	244
Ping Test	244
Save Changes	244
Reset	244
Reset System	244
Reset Config	244
Reboot Device	244
Logout	244
TFTP Services	244
Download Firmware	244
Download Configuration File	245
Upload Configuration	245
Upload Log	246
	246
Multiple Image Services	246
Firmware Information	246
Config Firmware Image	247
Ping Test	248
Save Changes	248
Reset	249
Reset System	249
Reset Config	250
Reboot Device	250
Logout	250
Single IP Management (SIM) Overview	251
Topology	251
Firmware Upgrade	251
Configuration Backup/Restore	251
Upload Log File	251
Single IP Management (SIM) Overview	251
The Upgrade to v1.6	252
SIM Using the Web Interface	253
Topology	254
Tool Tips	256
Right-Click	257
Group Icon	257
Commander Switch Icon	258
Member Switch Icon	259
Candidate Switch Icon	260
Menu Bar	262
File	262
Group	262
Device	262
View	262
Firmware Upgrade	263
Configuration File Backup/Restore	263
Upload Log File	263
 How Address Resolution Protocol works	280
How ARP spoofing attacks a network	283
 Prevent ARP spoofing via packet content ACL	285
Configuration:	285
Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976 and any amendments thereto. Contents are subject to change without prior notice. Copyright 2008 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	295
FCC Statement: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communication. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential environment is likely to cause harmful interference to radio or television reception. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:	295
	297
D-Link Limited Lifetime Warranty	298

Match case Limit results 1 per page

xStack

DES-3500 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual

270

•

Prevent ARP spoofing via packet content ACL

Concerning the common DoS attack today caused by the ARP spoofing, D-Link managed switch can effectively

mitigate it via its unique Packet Content ACL.

For that reason the basic ACL can only filter ARP packets based on packet type, VLAN ID, Source and Destination

MAC information, there is a need for further inspections of ARP packets. To prevent ARP spoofing attack, we will

demonstrate here using Packet Content ACL on DES-3526 to block the invalid ARP packets which contain fake

gateway’s MAC and IP binding.

Example topology

Configuration

The configuration logic is listed below:

Only when the ARP matches the Source MAC address in Ethernet, the Sender MAC address and Sender IP

address in the ARP protocol can pass through the switch. (In this example, it is the gateway’s ARP.)

The switch will deny all other ARP packets which claim they are from the gateway’s IP.

The design of Packet Content ACL on DES-3500 series enables users to inspect any offset_chunk. An offset_chunk is

a 4-byte block in a HEX format which is utilized to match the individual field in an Ethernet frame. Each profile is

allowed to contain up to a maximum of 4 offset_chunks. Furthermore, only one single profile of Packet Content ACL

can be supported per switch. In other words, up to 16 bytes of total offset_chunks can be applied to each profile and a

switch. Therefore, careful consideration is needed for planning the configuration of the valuable offset_chunks.

In Table-6, you will notice that the Offset_Chunk0 starts from 127 and ends at the 128

byte. It can also be found that

the offset_chunk is scratched from

but not zero!!!