The D-Link DES-3250 series is our choice of switch for our dormitory, as it's cheap and fairly reliable. It can't perform proper DHCP snooping, dynamic ARP inspection or even the ARP protection the DES-3526 can, but it can do some filtering based on IP, MAC or raw Ethernet packet content.
Credits for the first two go to Gavin McCullagh, not me.
You can filter DHCP replies easily:
create access_profile ip udp src_port_mask 0xFFFF port 1-48 profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 deny
Now this one is a thing of beauty: filtering IPv6 Router advertisements:
create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0xFF000000 0x0 0x0 offset_48-63 0x0 0xFF00 0x0 0x0 port 1-48 profile_id 2
config access_profile profile_id 2 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x86DD0000 offset_16-31 0x0 0x3A000000 0x0 0x0 offset_48-63 0x0 0x8600 0x0 0x0 deny
IPv6 uses ethertype 0x86DD, 0x3A is the IPv6 next-header value for ICMPv6, and the ICMPv6 type for a Router Advertisement is 0x86.
Yesterday I had 4 TP-Link APs configured as 192.168.1.254. This wouldn't be a big issue normally, but these ones were dead-set on sending gratuitous ARPs against each other at speeds of 10Mpps...
The DES-3250 has broadcast control, which was set at 8pps, but something went wrong, as the switches still forwarded around 4kpps of ARPs on all ports.
So next up is IPv4 ARP filtering for anything with the source 192.168.0.0/16:
create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0x0 0x0 0xFFFF0000 port 1-48 profile_id 3
config access_profile profile_id 3 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x08060000 offset_16-31 0x0 0x0 0x0 0xC0A80000 deny
The ethertype for ARP is 0x0806, and 192.168 is 0xC0A8.
ARP spoofing of the gateway is not that popular on this subnet, but next time it happens, I'll do an entry with that.
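To check which frame bytes the two packet_content profiles above actually test before pushing them to a switch, here is a Python sketch; it is an added example, not part of the original post or any D-Link tooling. It assumes offsets count from the first byte of an untagged Ethernet frame (which is what the post's values imply), and all function names and sample frames are constructed for illustration.

```python
import ipaddress
import struct

# ACL lines copied from the post (profiles 2 and 3); everything else is constructed.
RA_MASK = "create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0xFF000000 0x0 0x0 offset_48-63 0x0 0xFF00 0x0 0x0 port 1-48 profile_id 2"
RA_RULE = "config access_profile profile_id 2 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x86DD0000 offset_16-31 0x0 0x3A000000 0x0 0x0 offset_48-63 0x0 0x8600 0x0 0x0 deny"
ARP_MASK = "create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0x0 0x0 0xFFFF0000 port 1-48 profile_id 3"
ARP_RULE = "config access_profile profile_id 3 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x08060000 offset_16-31 0x0 0x0 0x0 0xC0A80000 deny"
MAC = bytes.fromhex("020000000001")  # constructed, locally administered address

def parse(line):
    """Map byte offset -> byte for every offset_N-M group of four 32-bit words."""
    tok, out = line.split(), {}
    for i, t in enumerate(tok):
        if t.startswith("offset_"):
            base = int(t[len("offset_"):].split("-")[0])
            blob = b"".join(struct.pack(">I", int(w, 16)) for w in tok[i + 1:i + 5])
            out.update({base + n: b for n, b in enumerate(blob)})
    return out

def masked_offsets(mask_line):
    """Frame byte offsets the profile actually inspects."""
    return sorted(o for o, m in parse(mask_line).items() if m)

def denied(mask_line, rule_line, frame):
    """True if every masked byte of the frame equals the rule's value."""
    mask, rule = parse(mask_line), parse(rule_line)
    offs = [o for o, m in mask.items() if m]
    if not offs or max(offs) >= len(frame):
        return False  # frame too short to carry the inspected bytes
    return all((frame[o] & mask[o]) == (rule.get(o, 0) & mask[o]) for o in offs)

def arp_frame(sender_ip):
    """Constructed untagged ARP request with the given sender IP."""
    eth = b"\xff" * 6 + MAC + struct.pack(">H", 0x0806)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, 1) + MAC + ipaddress.ip_address(sender_ip).packed
    return eth + arp + b"\x00" * 6 + ipaddress.ip_address("192.168.1.1").packed

def icmp6_frame(icmp_type):
    """Constructed untagged ICMPv6 frame, no extension headers, checksum left zero."""
    eth = bytes.fromhex("333300000001") + MAC + struct.pack(">H", 0x86DD)
    ip6 = struct.pack(">IHBB", 0x60000000, 16, 58, 255)
    ip6 += ipaddress.ip_address("fe80::1").packed + ipaddress.ip_address("ff02::1").packed
    return eth + ip6 + bytes([icmp_type, 0]) + b"\x00" * 14

if __name__ == "__main__":
    print("RA profile inspects bytes", masked_offsets(RA_MASK))
    print("ARP profile inspects bytes", masked_offsets(ARP_MASK))
    print("RA denied:", denied(RA_MASK, RA_RULE, icmp6_frame(134)))
    print("ARP from 192.168.1.254 denied:", denied(ARP_MASK, ARP_RULE, arp_frame("192.168.1.254")))
```

The ARP profile keys on bytes 28-29, the first two octets of the ARP sender protocol address, so it matches on the sender IP inside the ARP payload rather than on any IPv4 header.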
Edit: 19/02/2013 - fixed ethertype value in ARP filter