Home » D-Link Manuals » Hubs & Switches » D-Link DGS-3426P » Manual Viewer

D-Link DGS-3426P Product Manual - Page 400

Appendix A, Mitigating ARP Spoofing Attacks Using Packet Content ACL

UPC - 790069291982

Add to My Manuals
Save this manual to your list of manuals

Page 400 highlights

xStack® DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch Appendix A Mitigating ARP Spoofing Attacks Using Packet Content ACL How Address Resolution Protocol works Address Resolution Protocol (ARP) is the standard method for finding a host's hardware address (MAC address) when only its IP address is known. However, this protocol is vulnerable because crackers can spoof the IP and MAC information in the ARP packets to attack a LAN (known as ARP spoofing). This document is intended to introduce the ARP protocol, ARP spoofing attacks, and the countermeasures brought by D-Link's switches to thwart ARP spoofing attacks. In the process of ARP, PC A will first issue an ARP request to query PC B's MAC address. The network structure is shown in Figure 1. Figure 1 C Who is 10.10.10.2? A Sender 00-20-5C-01-33-33 10.10.10.3 D Port 3 Port 4 Port 1 Port 2 00-20-5C-01-11-11 10.10.10.1 B Target 00-20-5C-01-44-44 10.10.10.4 00-20-5C-01-22-22 10.10.10.2 In the meantime, PC A's MAC address will be written into the "Sender H/W Address" and its IP address will be written into the "Sender Protocol Address" in the ARP payload. As PC B's MAC address is unknown, the "Target H/W Address" will be "00-0000-00-00-00," while PC B's IP address will be written into the "Target Protocol Address," shown in Table1. Table 1. ARP Payload H/W Protocol Type Type H/W Address Length Protocol Address Length Operation ARP request Sender H/W Address 00-20-5C-01-11-11 Sender Protocol Address 10.10.10.1 Target H/W Address 00-00-00-00-00-00 Target Protocol Address 10.10.10.2 The ARP request will be encapsulated into an Ethernet frame and sent out. As can be seen in Table 2, the "Source Address" in the Ethernet frame will be PC A's MAC address. Since an ARP request is sent via broadcast, the "Destination address" is in a format of Ethernet broadcast (FF-FF-FF-FF-FF-FF). Table 2. Ethernet Frame Format Destination Address Source Address Ether-Type ARP FCS FF-FF-FF-FF-FF-FF 00-20-5C-01-11-11 When the switch receives the frame, it will check the "Source Address" in the Ethernet frame's header. If the address is not in its Forwarding Table, the switch will learn PC A's MAC and the associated port into its Forwarding Table. Forwarding Table Port 1 00-20-5C-01-11-11 In addition, when the switch receives the broadcasted ARP request, it will flood the frame to all ports except the source port, port 1 (see Figure 2). 391

Section	Page
Table of Contents	3
Intended Readers	9
Typographical Conventions	9
Notes, Notices, and Cautions	9
Web-based Switch Configuration	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	10
Web Pages	10
Introduction	10
Logging in to the Web Manager	10
Web-based User Interface	11
Areas of the User Interface	11
Area 2	11
Area 1	11
Area 3	11
Web Pages	12
Administration	13
DGS-3400 Web Management Tool	13
IP Address	13
Interface Settings	13
Stacking	13
Port Configuration	13
User Accounts	13
Password Encryption	13
Mirror	13
System Log	13
System Severity Settings	13
Command Logging Settings	13
SNTP Settings	13
MAC Notification Settings	13
TFTP Services	13
Multiple Image Services	13
RCP	13
Ping Test	13
IPv6 Neighbor	13
Route Redistribution Settings	13
Static/Default Route Settings	13
Route Preference Settings	13
Gratuitous ARP Settings	13
Static ARP Settings	13
DHCP Auto Configuration Settings	13
DHCP/BOOTP Relay	13
DHCP/BOOTP Local Relay Settings	13
DHCPv6 Relay	13
DHCP Server	13
DHCPv6 Server	13
Filter DHCP Server	13
Layer 2 Protocol Tunneling Settings	13
RSPAN	13
DNS Relay	13
DNS Resolver	13
SNMP Manager	13
Trap Source Interface Settings	13
PoE	13
sFlow	14
IP Multicast VLAN Replication	14
Single IP Management (SIM) Overview	14
RIP	14
IP Tunnel Settings	14
Device Information	14
IPv6	16
Overview	16
Packet Format	18
IPv6 Header	18
Extension Headers	19
Packet Fragmentation	19
Address Format	19
Types	20
ICMPv6	21
Neighbor Discovery	21
Neighbor Unreachability Detection	21
Duplicate Address Detection (DAD)	22
Assigning IP Addresses	22
IP Interface Setup	22
IP Address	23
Setting the Switch's IP Address using the Console Interface	24
Interface Settings	25
IPv4 Interface Settings	25
IPv6 Interface Settings	27
Stacking	30
Stack Switch Swapping	32
Stacking Mode Settings	32
Force Master Role Settings	33
Box Information	33
Port Configuration	34
Port Configuration	34
Port Error Disabled	35
Port Description	36
Port Auto Negotiation Information	37
Port Details	38
Port Media Type	39
Cable Diagnostics	40
User Accounts	41
Password Encryption	42
Mirror	43
Port Mirror Global Settings	43
Port Mirror Settings	43
Mirroring within the Switch Stack	45
System Log	45
System Log Host	45
System Log Save Mode Settings	47
System Log Source Interface Settings	48
System Severity Settings	48
Command Logging Settings	49
SNTP Settings	49
Time Settings	49
Time Zone and DST	50
MAC Notification Settings	53
TFTP Services	53
Global Settings	53
Port Settings	53
Multiple Image Services	55
Firmware Information	55
Config Firmware Image	56
RCP	57
RCP Server Settings	57
RCP Services	58
Ping Test	59
IPv4 Ping Test	59
IPv6 Ping Test	60
IPv6 Neighbor	61
IPv6 Neighbor Settings	61
Route Redistribution Settings	62
Static/Default Route Settings	63
IPv4 Static/Default Route Settings	63
IPv6 Static/Default Route Settings	65
Route Preference Settings	66
Gratuitous ARP Settings	67
Static ARP Settings	68
DHCP Auto Configuration Settings	69
DHCP/BOOTP Relay	69
DHCP / BOOTP Relay Global Settings	69
The Implementation of DHCP Information Option 82	72
DHCP/BOOTP Relay Interface Settings	73
DHCP Relay Option 60 Default Settings	73
DHCP Relay Option 60 Settings	74
DHCP Relay Option 61 Default Settings	75
DHCP Relay Option 61 Settings	75
DHCP/BOOTP Local Relay Settings	76
DHCPv6 Relay	77
DHCPv6 Relay Global Settings	77
DHCPv6 Relay Interface Settings	77
DHCP Server	79
DHCP Server Global Settings	79
DHCP Server Exclude Address Settings	80
DHCP Server Pool Settings	80
DHCP Server Dynamic Binding	83
DHCP Server Manual Binding	84
DHCPv6 Server	85
DHCPv6 Server Global Settings	85
DHCPv6 Server Pool Settings	86
DHCPv6 Server Manual Binding Settings	87
DHCPv6 Server Dynamic Binding Settings	88
DHCPv6 Server Interface Settings	89
DHCPv6 Server Excluded Address Settings	90
Filter DHCP Server	91
Filter DHCP Server Global Settings	91
Filter DHCP Server Port Settings	92
Layer 2 Protocol Tunneling Settings	93
RSPAN	94
RSPAN State Settings	94
RSPAN Settings	95
DNS Relay	97
Mapping Domain Names to Addresses	97
Domain Name Resolution	97
DNS Relay Global Settings	98
DNS Relay Static Settings	98
DNS Resolver	99
DNS Resolver Global Settings	99
DNS Resolver Static Name Server Settings	99
DNS Resolver Dynamic Name Server Table	100
DNS Resolver Static Host Name Settings	100
DNS Resolver Dynamic Host Name Table	101
SNMP Manager	102
SNMP Settings	102
Traps	102
MIBs	102
SNMP Trap Settings	103
SNMP User Table	104
SNMP View Table	106
SNMP Group Table	107
SNMP Community Table	108
SNMP Host Table	109
SNMP Engine ID	111
Trap Source Interface Settings	111
PoE	112
PoE System Settings	112
PoE Port Settings	114
sFlow	116
sFlow Global Settings	117
sFlow Analyzer Settings	117
sFlow Sampler Settings	119
sFlow Poller Settings	121
IP Multicast VLAN Replication	123
IP Multicast VLAN Replication Global Settings	123
IP Multicast VLAN Replication Settings	124
Single IP Management (SIM) Overview	127
The Upgrade to v1.61	128
Single IP vs. Switch Stacking	129
SIM Settings	129
Topology	130
Tool Tips	133
Right-click	135
Group Icon	135
Commander Switch Icon	136
Member Switch Icon	136
Candidate Switch Icon	136
Menu Bar	137
File	137
Group	137
Device	137
View	137
Help	138
Firmware Upgrade	138
Configuration Backup/Restore	138
Upload Log	139
RIP	139
RIP Version 1 Message Format	140
RIP Command Codes	140
RIP 1 Message	140
RIP 1 Route Interpretation	140
RIP Version 2 Extensions	140
RIP2 Message Format	140
RIP	140
RIP Global Settings	141
RIP Interface Settings	141
RIPng	142
RIPng Global Settings	142
RIPng Interface Settings	143
IP Tunnel Settings	144
L2 Features	146
VLANs	146
Trunking	146
IGMP Snooping	146
MLD Snooping	146
Loop-back Detection Global Settings	146
Spanning Tree	146
Forwarding & Filtering	146
LLDP	146
Q-in-Q	146
ERPS	146
DULD Settings	146
NLB Multicast FDB Settings	146
VLANs	146
VLAN Description	146
Notes about VLANs on the DGS-3400 Series	146
IEEE 802.1Q VLANs	146
802.1Q VLAN Tags	148
Port VLAN ID	149
Tagging and Untagging	150
Ingress Filtering	150
Default VLANs	150
Port-based VLANs	151
VLAN Segmentation	151
VLAN and Trunk Groups	151
Protocol VLANs	151
Static VLAN Entry	151
VLAN Trunk	153
GVRP Settings	155
Double VLANs	156
Regulations for Double VLANs	157
Double VLAN Settings	158
PVID Auto Assign	160
MAC-based VLAN Settings	161
Protocol VLAN	161
Protocol VLAN Group Settings	162
Protocol VLAN Port Settings	163
Subnet VLAN	164
Subnet VLAN Settings	165
VLAN Precedence Settings	165
Trunking	167
Understanding Port Trunk Groups	167
Link Aggregation	168
LACP Port Settings	171
IGMP Snooping	173
IGMP Snooping Settings	173
Router Port Settings	175
IGMP Snooping Static Group Settings	177
ISM VLAN Settings	178
Restrictions and Provisos	179
Limited IP Multicast Address Range Settings	181
MLD Snooping	183
MLD Control Messages	183
MLD Snooping Settings	183
MLD Router Port Settings	186
Loop-back Detection Global Settings	188
Spanning Tree	190
802.1Q-2005 MSTP	190
802.1D-2004 Rapid Spanning Tree	190
Port Transition States	191
Edge Port	191
P2P Port	191
802.1D-1998/802.1D-2004/802.1Q-2005 Compatibility	191
STP Bridge Global Settings	192
MST Configuration Identification	194
MSTP Port Information	197
STP Instance Settings	199
STP Port Settings	200
Forwarding & Filtering	202
Unicast Forwarding	202
Multicast Forwarding	202
Multicast Filtering Mode	203
LLDP	204
LLDP Global Settings	205
Basic LLDP Port Settings	206
802.1 Extension LLDP Port Settings	207
802.3 Extension LLDP Port Settings	209
LLDP Management Address Settings	211
LLDP Statistics	213
LLDP Management Address Table	214
LLDP Local Port Table	214
LLDP Remote Port Table	217
Q-in-Q	219
Q-in-Q Settings	219
VLAN Translation Settings	220
ERPS	221
ERPS Global Settings	221
ERPS RAPS VLAN Settings	222
DULD Settings	225
NLB Multicast FDB Settings	227
QoS	229
802.1p Settings	229
Bandwidth Control	229
HOL Prevention Settings	229
Schedule Settings	229
QoS	229
The Advantages of QoS	229
Understanding QoS	230
Understanding IEEE 802.1p Priority	232
802.1p Settings	232
802.1p Default Priority Settings	233
802.1p User Priority Settings	234
Bandwidth Control	235
Bandwidth Control Settings	235
Per Queue Bandwidth Control Settings	237
HOL Prevention Settings	239
Schedule Settings	239
QoS Output Scheduling Settings	239
Configuring the Combination Queue	241
QoS Scheduling Mechanism Settings	241
ACL (Access Control List)	244
Time Range	244
Access Profile Table	244
ACL Flow Meter	244
CPU Interface Filtering	244
Time Range	244
Access Profile Table	245
ACL Flow Meter	263
CPU Interface Filtering	267
CPU Interface Filtering State	267
CPU Interface Filtering Table	268
Security	284
Authorization Attributes State Settings	284
Traffic Control	284
Port Security	284
IP-MAC-Port Binding	284
802.1X	284
Web-based Access Control (WAC)	284
Trust Host	284
BPDU Attack Protection Settings	284
ARP Spoofing Prevention Settings	284
Access Authentication Control	284
MAC-based Access Control (MAC)	284
Safeguard Engine	284
Traffic Segmentation	284
Secure Socket Layer (SSL)	284
Secure Shell (SSH)	284
Compound Authentication	284
Japanese Web-based Access Control (JWAC)	284
Authorization Attributes State Settings	284
Traffic Control	285
Port Security	287
Port Security Settings	287
Port Security Entries	288
IP-MAC-Port Binding	289
IMPB Global Settings	291
IMPB Port Settings	292
IMPB Entry Settings	294
DHCP Snoop Entries	295
MAC Block List	296
ND Snoop Entries	296
802.1X	297
802.1X Port-based and Host-based Access Control	297
Authentication Server	297
Authenticator	298
Client	298
Authentication Process	299
Understanding 802.1X Port-based and MAC-based Network Access Control	299
Port-based Network Access Control	300
MAC-Based Network Access Control	301
Guest VLANs	302
Limitations Using the Guest VLAN	302
802.1X Port Settings	302
Guest VLAN Settings	305
Authentication RADIUS Server Settings	306
802.1X User Settings	307
Initialize Port(s)	308
Reauthenticate Port(s)	309
Web-based Access Control (WAC)	311
Conditions and Limitations	311
WAC Global Settings	312
WAC Port Settings	313
WAC User Account	315
WAC Authentication State	316
Trust Host	317
BPDU Attack Protection Settings	319
ARP Spoofing Prevention Settings	320
Access Authentication Control	321
Authentication Policy and Parameter Settings	323
Application's Authentication Settings	323
Authentication Server Group	324
Authentication Server Host	325
Login Method Lists	327
Enable Method Lists	328
Configure Local Enable Password	330
Enable Admin	331
RADIUS Accounting Settings	332
MAC-based Access Control (MAC)	334
Notes about MAC-based Access Control	334
MAC-based Access Control Global Settings	334
MAC-based Access Control Local MAC Settings	337
Safeguard Engine	338
Safeguard Engine Settings	339
Traffic Segmentation	340
Secure Socket Layer (SSL)	341
SSL	342
Secure Shell (SSH)	343
SSH Server Configuration	344
SSH Authentication Mode and Algorithm Settings	345
SSH User Authentication Mode	347
Compound Authentication	348
Any (MAC, 802.1X, WAC or JWAC) Mode	348
802.1X + IMPB Mode	349
IMPB + JWAC Mode	349
Compound Authentication Global Settings	349
Compound Authentication Settings	350
Authentication Guest VLAN Settings	352
Japanese Web-based Access Control (JWAC)	353
JWAC Global Settings	353
JWAC Port Settings	356
JWAC User Account	359
JWAC Authentication State	360
JWAC Customize Page Language Settings	361
JWAC Customize Page	362
Monitoring	363
Device Status	363
Stacking Information	363
Stacking Device	363
Module Information	363
DRAM & Flash Utilization	363
CPU Utilization	363
Port Utilization	363
Packets	363
Errors	363
Packet Size	363
Browse Router Port	363
Browse MLD Router Port	363
VLAN Status	363
VLAN Status Port	363
Port Access Control	363
MAC Address Table	363
IGMP Snooping Group	363
IGMP Snooping Data Driven Group	363
MLD Snooping Group	363
MLD Snooping Data Driven Group	363
Trace Route	363
Switch Logs	363
Browse ARP Table	363
Session Table	363
IP Forwarding Table	363
Routing Table	363
MAC-based Access Control Authentication Status	363
Device Status	363
Stacking Information	364
Stacking Device	365
Module Information	365
DRAM & Flash Utilization	366
CPU Utilization	367
Port Utilization	368
Packets	369
Received (RX)	369
UMB Cast (RX)	371
Transmitted (TX)	373
Errors	375
Received (RX)	375
Transmitted (TX)	377
Packet Size	379
Browse Router Port	381
Browse MLD Router Port	382
VLAN Status	382
VLAN Status Port	383
Port Access Control	383
Authenticator State	383
Authenticator Statistics	384
Authenticator Session Statistics	384
Authenticator Diagnostics	385
RADIUS Authentication	385
RADIUS Account Client	385
MAC Address Table	387

Match case Limit results 1 per page

xStack

DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch

391

Appendix A

Mitigating ARP Spoofing Attacks Using Packet Content ACL

How Address Resolution Protocol works

Address Resolution Protocol (ARP) is the standard method for finding a host’s hardware address (MAC address) when only its IP

address is known. However, this protocol is vulnerable because crackers can spoof the IP and MAC information in the ARP

packets to attack a LAN (known as ARP spoofing). This document is intended to introduce the ARP protocol, ARP spoofing

attacks, and the countermeasures brought by D-Link’s switches to thwart ARP spoofing attacks.

In the process of ARP, PC A will first issue an ARP request to query PC B’s MAC address. The network structure is shown in

Figure 1.

Figure 1

In the meantime, PC A’s MAC address will be written into the “Sender H/W Address” and its IP address will be written into the

“Sender Protocol Address” in the ARP payload. As PC B’s MAC address is unknown, the “Target H/W Address” will be “00-00-

00-00-00-00,” while PC B’s IP address will be written into the “Target Protocol Address,” shown in Table1.

Table 1.

ARP Payload

H/W

Type

Protocol

Type

H/W

Address

Length

Protocol

Address

Length

Operation

Sender

H/W Address

Sender

Protocol

Address

Target

H/W Address

Target

Protocol

Address

ARP request

00-20-5C-01-11-11

10.10.10.1

00-00-00-00-00-00

10.10.10.2

The ARP request will be encapsulated into an Ethernet frame and sent out. As can be seen in Table 2, the “Source Address” in the

Ethernet frame will be PC A’s MAC address. Since an ARP request is sent via broadcast, the “Destination address” is in a format

of Ethernet broadcast (FF-FF-FF-FF-FF-FF).

Table 2. Ethernet Frame Format

Destination Address

FF-FF-FF-FF-FF-FF

Source Address

00-20-5C-01-11-11

Ether-Type

ARP

FCS

When the switch receives the frame, it will check the “Source Address” in the Ethernet frame’s header. If the address is not in its

Forwarding Table, the switch will learn PC A’s MAC and the associated port into its Forwarding Table.

Port 1

00-20-5C-01-11-11

In addition, when the switch receives the broadcasted ARP request, it will flood the frame to all ports except the source port, port

1 (see Figure 2).

Sender

Port 4

Port 1

Port 2

Port 3

00-20-5C-01-33-33

10.10.10.3

00-20-5C-01-44-44

10.10.10.4

00-20-5C-01-11-11

10.10.10.1

00-20-5C-01-22-22

10.10.10.2

Target

Who is 10.10.10.2?

Forwarding Table