xStack DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch
Safeguard Engine
Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other methods.
These attacks may increase the switch load beyond its capability. To alleviate this problem, the Safeguard Engine function was
added to the Switch’s software.
The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is
ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. The Safeguard Engine has
two operating modes which can be configured by the user,
Strict
and
Fuzzy
. In Strict mode, when the Switch either (a) receives
too many packets to process or (b) exerts too much memory, it will enter the
Exhausted
mode. When in this mode, the Switch
will drop all ARP and IP broadcast packets and packets from untrusted IP addresses for a calculated time interval. Every five
seconds, the Safeguard Engine will check to see if there are too many packets flooding the Switch. If the threshold has been
crossed, the Switch will initially stop all ingress ARP and IP broadcast packets and packets from untrusted IP addresses for five
seconds. After another five-second checking interval arrives, the Switch will again check the ingress flow of packets. If the
flooding has stopped, the Switch will again begin accepting all packets. Yet, if the checking shows that there continues to be too
many packets flooding the Switch, it will stop accepting all ARP and IP broadcast packets and packets from untrusted IP
addresses for double the time of the previous stop period. This doubling of time for stopping these packets will continue until the
maximum time has been reached, which is 320 seconds and every stop from this point until a return to normal ingress flow would
be 320 seconds. For a better understanding, examine the following example of the Safeguard Engine.
Figure 6- 32. Safeguard Engine example
For every consecutive checking interval that reveals a packet flooding issue, the Switch will double the time it will discard ingress
ARP and IP broadcast packets and packets from untrusted IP addresses. In the example above, the Switch doubled the time for
dropping ARP and IP broadcast packets when consecutive flooding issues were detected at 5-second intervals. (First stop = 5
seconds, second stop = 10 seconds, third stop = 20 seconds) Once the flooding is no longer detected, the wait period for dropping
ARP and IP broadcast packets will return to 5 seconds and the process will resume.
In Fuzzy mode, once the Safeguard Engine has entered the Exhausted mode, the Safeguard Engine will decrease the packet flow
by half. After returning to Normal mode, the packet flow will be increased by 25%. The switch will then return to its interval
checking and dynamically adjust the packet flow to avoid overload of the Switch.
NOTICE:
When Safeguard Engine is enabled, the Switch will allot bandwidth to various
traffic flows (ARP, IP) using the FFP (Fast Filter Processor) metering table to control the
CPU utilization and limit traffic. This may limit the speed of routing traffic over the network.
67
Summary of Contents for xStack DGS-3400 Series
Page 303: ...D Link D Link D Link D Link 495 744 00 99 http www dlink ru email support dlink ru...
Page 306: ......
Page 323: ......
Page 326: ......