xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch CLI Manual
50 SAFEGUARD ENGINE
Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other methods. These
attacks may increase the CPU utilization beyond its capability. To alleviate this problem, the Safeguard Engine function was added to
the Switch’s software.
The Safeguard Engine helps keep the Switch operable by minimizing its workload while the attack is
ongoing, so that it can still forward essential packets over its network with limited bandwidth. When the Switch either (a)
receives too many packets to process or (b) uses too much memory, it will enter Exhausted mode. When in this mode, the
Switch only receives a small amount of ARP and IP broadcast packets for a calculated time interval. Every five seconds, the Switch
will check to see if there are too many packets flooding the Switch. If the threshold has been crossed, the Switch will initially limit
ingress traffic, accepting only a small amount of ingress ARP and IP broadcast packets for five seconds. After another five-second
checking interval arrives, the Switch will again check the ingress flow of packets. If the flooding has stopped, the Switch will again
begin accepting all packets. If, however, the check shows that too many packets are still flooding the Switch, it will continue to accept
only a small amount of ARP and IP broadcast packets, for double the time of the previous stop period. This doubling of the time for
limiting ingress ARP and IP broadcast packets will continue until the maximum time of 320 seconds has been reached; every stop
from that point until a return to normal ingress flow will be 320 seconds.
Once in Exhausted mode, the packet flow will decrease by half of the level that caused the Switch to enter Exhausted mode. After the
packet flow has stabilized, the rate will initially increase by 25% and then return to a normal packet flow.
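The doubling schedule described above can be modelled as a small state machine. The following Python code is an added illustration, not part of the D-Link manual or the Switch firmware; the names simulate and seconds_limited are hypothetical. It assumes that the next check happens when a limiting period ends and that a clean check resets the next limiting period to five seconds.

```python
# Added illustration, not D-Link code: a timing model of Exhausted mode.
CHECK_INTERVAL_S = 5   # manual: the Switch checks for flooding every five seconds
MAX_LIMIT_S = 320      # manual: the limiting period stops doubling at 320 seconds


def simulate(flood_checks):
    """Return [(start_s, duration_s), ...] for each ARP/IP broadcast limiting period.

    flood_checks holds one boolean per check the Switch performs: True when
    the flood threshold is crossed. Assumptions (the manual is not explicit):
    the next check happens when a limiting period ends, and a clean check
    resets the next limiting period to five seconds.
    """
    t, period, timeline = 0, None, []
    for flooded in flood_checks:
        if flooded:
            # First hit limits for 5 s; each consecutive hit doubles, capped at 320 s.
            period = CHECK_INTERVAL_S if period is None else min(period * 2, MAX_LIMIT_S)
            timeline.append((t, period))
            t += period
        else:
            # Flood has stopped: accept all packets again, wait for the next check.
            period = None
            t += CHECK_INTERVAL_S
    return timeline


def seconds_limited(timeline):
    """Total time spent accepting only a small amount of ARP/IP broadcast."""
    return sum(duration for _, duration in timeline)


if __name__ == "__main__":
    # Constructed inputs: a sustained flood, then a flood with a pause in it.
    sustained = simulate([True] * 9)
    for start, duration in sustained:
        print(f"t={start:>4}s  limit ingress ARP/IP broadcast for {duration}s")
    print("total limited:", seconds_limited(sustained), "s")
    print("with a pause:", simulate([False, True, True, True, False, True]))
```

Under these assumptions a sustained flood reaches the 320-second period on the seventh consecutive check, 315 seconds after the first detection, which is useful when correlating Safeguard Engine trap and log entries with the duration of an ARP storm.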
The Safeguard Engine commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the
following table.
Command                   Parameters
config safeguard_engine   {state [enable | disable] | cpu_utilization {rising_threshold <value 20-100> | falling_threshold <value 20-100>} | trap_log [enable | disable]}
show safeguard_engine
Each command is listed, in detail, in the following sections.
config safeguard_engine
Purpose
Used to configure the Safeguard Engine for the Switch.
Syntax
config safeguard_engine {state [enable | disable] | cpu_utilization {rising_threshold <value 20-100> | falling_threshold <value 20-100>} | trap_log [enable | disable]}
Description
This command is used to configure the settings for the CPU Safeguard Engine function of this Switch, based on CPU utilization.
Parameters
state [enable | disable] – Select the running state of the Safeguard Engine function as enable or disable.
cpu_utilization – Select this option to have the Safeguard Engine function triggered based on the following thresholds:
• rising_threshold <value 20-100> - The user can set a percentage value of the rising CPU utilization which will trigger the CPU protection function. Once the CPU utilization rises to this percentage, the Safeguard Engine mechanism will initiate.
• falling_threshold <value 20-100> - The user can set a percentage value of the falling CPU utilization which will trigger the CPU protection function to cease. Once the CPU utilization falls to this percentage, the Safeguard Engine mechanism will shut down.
trap_log [enable | disable] – Choose whether to enable or disable the sending of messages to the device’s SNMP agent and switch log once the Safeguard Engine has been activated by a high CPU utilization rate.
Restrictions
Only Administrator or Operator-level users can issue this command.
Example usage: