Safeguard Engine Commands - D-Link xStack DES-3528 Series Cli Reference Manual

Layer 2 managed stackable fast ethernet switch

xStack® DES-3528/DES-3552 Series Layer 2 Fast Ethernet Managed Switch CLI Reference Guide
SAFEGUARD ENGINE COMMANDS
Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other
methods. These attacks may increase the CPU utilization beyond its capability. To alleviate this problem, the
Safeguard Engine function was added to the Switch's software.
The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the
attack is ongoing, so that it can still forward essential packets over its network within a limited bandwidth. When
the Switch either (a) receives too many packets to process or (b) uses too much memory, it will enter an Exhausted
mode. When in this mode, the Switch will perform the following tasks to minimize the CPU usage:
a. It will limit the bandwidth of received ARP packets.
b. It will limit the bandwidth of IP packets received by the Switch.
IP packets may also be limited by the Switch by configuring only certain IP addresses to be accepted. This method
can be accomplished through the CPU Interface Filtering mechanism explained in the previous section. Once the user
configures these acceptable IP addresses, other packets containing different IP addresses will be dropped by the
Switch, thus limiting the bandwidth of IP packets. To keep the process moving fast, be sure not to add many
conditions on which to accept these acceptable IP addresses and their packets, thus limiting the CPU utilization.
Once in Exhausted mode, the packet flow will decrease by half of the level that caused the Switch to enter Exhausted
mode. After the packet flow has stabilized, the rate will initially increase by 25% and then return to a normal packet
flow.
NOTICE: When the Safeguard Engine is enabled, the Switch will allot bandwidth to various traffic flows
(ARP, IP) using the FFP (Fast Filter Processor) metering table to control the CPU utilization and limit
traffic. This may limit the speed of routing traffic over the network.
The Safeguard Engine commands in the Command Line Interface (CLI) are listed (along with the appropriate
parameters) in the following table.
Command: config safeguard_engine
Parameters: { state [enable | disable] | utilization { rising <value 20-100> | falling <value 20-100>}
| trap_log [enable | disable] | mode [ strict | fuzzy] }(1)

Command: show safeguard_engine

Each command is listed, in detail, in the following sections.

config safeguard_engine
Purpose: Used to configure ARP storm control for system.
Syntax: config safeguard_engine { state [enable | disable] | utilization { rising <value 20-100> |
falling <value 20-100>} | trap_log [enable | disable] | mode [ strict | fuzzy] }(1)
Description: This command is used to configure Safeguard Engine to minimize the effects of an ARP
storm.
Parameters:
state [enable | disable] – Select the running state of the Safeguard Engine function as enable
or disable.
utilization – Select this option to trigger the Safeguard Engine function to enable based on
the following determinants:
  rising <value 20-100> – The user can set a percentage value of the rising CPU utilization
  which will trigger the Safeguard Engine function. Once the CPU utilization rises to this
  percentage, the Safeguard Engine mechanism will initiate.
  falling <value 20-100> – The user can set a percentage value of the falling CPU utilization
  which will trigger the Safeguard Engine function to cease. Once the CPU utilization falls to
  this percentage, the Safeguard Engine mechanism will shut down.
trap_log [enable | disable] – Choose whether to enable or disable the sending of
messages to the device's SNMP agent and Switch log once the Safeguard Engine has been
activated by a high CPU utilization rate.
mode [ strict | fuzzy] – Used to select the type of Safeguard Engine to be activated by the
Switch when the CPU utilization reaches a high rate. The user may select:
  strict – If selected, this function will stop accepting all ARP packets not intended for the
  Switch, and will stop receiving all unnecessary broadcast IP packets, until the storm has
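
The rising and falling utilization values described above form a hysteresis pair: the engine starts at the rising percentage and stops at the falling one. The Python below is an added example, not D-Link code or firmware logic; it replays a constructed CPU utilization trace against a candidate threshold pair to show how often the engine would engage and for how long. The function names, the trace, and the rule that falling must be lower than rising are assumptions.

```python
# Added illustration: models the rising/falling utilization thresholds as a
# hysteresis latch. This is not D-Link firmware logic; the rule that falling
# must be below rising is an assumption, not stated in the manual text.

def validate_thresholds(rising, falling):
    """Check both values against the documented <value 20-100> range."""
    for name, value in (("rising", rising), ("falling", falling)):
        if not isinstance(value, int) or not 20 <= value <= 100:
            raise ValueError(f"{name} must be an integer in 20-100, got {value!r}")
    if falling >= rising:  # assumption: a gap is needed to avoid flapping
        raise ValueError("falling must be lower than rising")


def simulate(samples, rising, falling):
    """Return (index, utilization, event) transitions for CPU % samples."""
    validate_thresholds(rising, falling)
    exhausted = False
    events = []
    for i, cpu in enumerate(samples):
        if not exhausted and cpu >= rising:    # "rises to this percentage"
            exhausted = True
            events.append((i, cpu, "engine_start"))
        elif exhausted and cpu <= falling:     # "falls to this percentage"
            exhausted = False
            events.append((i, cpu, "engine_stop"))
    return events


def time_exhausted(samples, rising, falling):
    """Count the samples during which the engine would be active."""
    total, start = 0, None
    for i, _, event in simulate(samples, rising, falling):
        if event == "engine_start":
            start = i
        else:
            total += i - start
            start = None
    if start is not None:  # engine still active at the end of the trace
        total += len(samples) - start
    return total


# Constructed CPU utilization trace (percent), one value per polling interval.
TRACE = [12, 35, 71, 88, 64, 72, 45, 31, 29, 18, 40, 75, 90]

if __name__ == "__main__":
    for rising, falling in ((70, 30), (70, 65)):  # wide gap vs. narrow gap
        print(rising, falling, simulate(TRACE, rising, falling),
              time_exhausted(TRACE, rising, falling))
```

With the narrow 70/65 pair the same trace starts the engine three times instead of two, which matters when trap_log is enabled because each activation is reported.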
