Safeguard Engine Commands - D-Link DES-1228 Reference Manual

Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other methods.
These attacks may increase the CPU utilization beyond its capability. To alleviate this problem, the Safeguard Engine function
was added to the Switch's software.
The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is
ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. When the Switch either (a)
receives too many packets to process or (b) exerts too much memory, it will enter an Exhausted mode. When in this mode, the
Switch will perform the following tasks to minimize the CPU usage:
It will limit bandwidth of receiving ARP packets.
It will limit the bandwidth of IP packets received by the Switch.
IP packets may also be limited by the Switch by configuring only certain IP addresses to be accepted. This method can be
accomplished through the create trusted_host explained in the previous section. Once the user configures these acceptable IP
addresses, other packets containing different IP addresses will be dropped by the Switch, thus limiting the bandwidth of IP packets
The Safeguard Engine commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the
following table.
Command
config safeguard_engine
show safeguard_engine
Each command is listed, in detail, in the following sections.
config safeguard_engine
Purpose
Syntax
Description
Parameters
Restrictions
Example usage:
DES-1228/ME Layer 2 Metro Ethernet Switch CLI Reference Manual
Parameters
{state [enable|disable] |utilization { rising <value 20-100> |falling <value 20-100>}(1) |
trap_log [enable|disable] |mode [ strict | fuzzy] }(1)
To configure ARP storm control for system.
config safeguard_engine {state [enable|disable] |utilization { rising <value 20-100>
|falling <value 20-100>}(1) | trap_log [enable|disable] |mode [ strict | fuzzy] }(1)
Use this command to configure Safeguard Engine to minimize the effects of an ARP
storm.
state [enable | disable] – Select the running state of the Safeguard Engine function as
enable or disable.
cpu_utilization – Select this option to trigger the Safeguard Engine function to enable
based on the following determinates:
rising <value 20-100> − The user can set a percentage value of the rising CPU utilization
which will trigger the Safeguard Engine function. Once the CPU utilization rises to this
percentage, the Safeguard Engine mechanism will initiate.
falling <value 20-100> − The user can set a percentage value of the falling CPU utilization
which will trigger the Safeguard Engine function to cease. Once the CPU utilization falls to
this percentage, the Safeguard Engine mechanism will shut down.
trap_log [enable | disable] – Choose whether to enable or disable the sending of
messages to the device's SNMP agent and switch log once the Safeguard Engine has
been activated by a high CPU utilization rate.
mode [strict | fuzzy] – Toggle between strict and fuzzy mode.
strict − If selected, this function will stop accepting all ARP packets not intended
for the Switch, and will stop receiving all unnecessary broadcast IP packets, until
the storm has subsided.
fuzzy − If selected, this function will instruct the Switch to minimize the IP and
ARP traffic flow to the CPU by dynamically allotting an even bandwidth to all traffic
flows.
Only Administrator-level users can issue this command.
S
AFEGUARD
182
E C
NGINE OMMANDS
23