Security; Safeguard Engine - D-Link DGS-3200 Series User Manual

Layer 2 gigabit ethernet managed switch

Hide thumbs Also See for DGS-3200 Series:

Cli manual (443 pages)

Hardware installation manual (79 pages)

Reference manual (321 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

page of 287

/ 287
Contents
Table of Contents
Bookmarks

Table of Contents

Security

Safeguard Engine

Trusted Host

IP-MAC-Port Binding

Port Security

Guest VLAN

802.1X

SSL Settings

SSH

Access Authentication Control

MAC Based Access Control

Web Authentication (Web-based Access Control)

JWAC

Safeguard Engine

Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other methods.

These attacks may increase the switch load beyond its capability. To alleviate this problem, the Safeguard Engine function was

added to the Switch's software.

The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is

ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. The Safeguard Engine has

two operating modes that can be configured by the user, Strict and Fuzzy. In Strict mode, when the Switch either (a) receives too

many packets to process or (b) exerts too much memory, it will enter the Exhausted mode. When in this mode, the Switch will

drop all ARP and IP broadcast packets and packets from untrusted IP addresses for a calculated time interval. Every five seconds,

the Safeguard Engine will check to see if there are too many packets flooding the Switch. If the threshold has been crossed, the

Switch will initially stop all ingress ARP and IP broadcast packets and packets from untrusted IP addresses for five seconds. After

another five-second checking interval arrives, the Switch will again check the ingress flow of packets. If the flooding has stopped,

the Switch will again begin accepting all packets. Yet, if the checking shows that there continues to be too many packets flooding

the Switch, it will stop accepting all ARP and IP broadcast packets and packets from untrusted IP addresses for double the time of

the previous stop period. This doubling of time for stopping these packets will continue until the maximum time has been reached,

which is 320 seconds and every stop from this point until a return to normal ingress flow would be 320 seconds. For a better

understanding, please examine the following example of the Safeguard Engine.

DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch

113

Section 9

Table of Contents

Security; Safeguard Engine - D-Link DGS-3200 Series User Manual

Security

Safeguard Engine

Related Manuals for D-Link DGS-3200 Series

Related Content for D-Link DGS-3200 Series

Table of Contents