168
ExtremeWare 7.2e Installation and User Guide
Security
Denial of Service Protection
A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed
and rendered inoperative, so that legitimate requests for service cannot succeed. In its simplest
form, a Denial of Service attack is indistinguishable from normal heavy traffic. The Summit 400 switch
is not vulnerable to this simple attack because it is designed to process packets in hardware at wire
speed. However, some operations in any switch or router are more costly than others: although normal
traffic is not a problem, exception traffic must be handled by the switch's CPU in software.
Some packets that the switch processes in the CPU software include:
• Learning new traffic
• Routing and control protocols, including ICMP and OSPF
• Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)
• Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU can be too busy to service other functions and
switch performance suffers. Even with the fast CPU of the Summit 400, there are ways to
overwhelm the CPU with packets that require costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the
problem and filter out the offending traffic so that other functions can continue. It is the responsibility
of DoS Protection to count packets when the switch receives a flood of packets. If the count reaches the
threshold, then the flow of these packets to the CPU is blocked.
Configuring Denial of Service Protection
DoS Protection is not enabled on the Summit 400 by default. To start protecting the switch from attack,
first determine which ports are at risk and set limits for the traffic on those ports. Use the following
command to identify those ports and to configure the alert-threshold, also known as the disable
threshold:
configure cpu-dos-protect [ports <portnumber> | all] alert-threshold threshold <pkts> interval-time <seconds>
You can also configure all the ports on the switch to implement DoS Protection globally, using the
following default values:
• alert-threshold—150 packets per second
• interval-time—1 second
To enable all ports on the switch to use DoS Protection, use the following command:
enable cpu-dos-protect
After enabling DoS Protection, you can monitor the traffic for a port or for the whole switch by issuing the
following command:
show cpu-dos-protect [ports <portnumber>]
CPU DoS Protection must be enabled for the show command to report valid values.
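The following is an added model of the counting behaviour this section describes (count CPU-bound packets per port per interval, block the flow once the alert-threshold is reached); it is not ExtremeWare code, and its fixed-window counting and its exact cutoff point are assumptions, since the manual does not specify them.

```python
from collections import defaultdict

# Defaults stated on this page: 150 packets per 1-second interval.
DEFAULT_ALERT_THRESHOLD = 150
DEFAULT_INTERVAL_TIME = 1.0


class CpuDosProtect:
    """Model of the per-port CPU-bound packet counter the text describes.

    Assumptions (not from the manual): counting uses fixed windows of
    interval_time seconds, and once a port's count passes alert_threshold
    the rest of that port's CPU-bound packets are dropped until the next window.
    """

    def __init__(self, alert_threshold=DEFAULT_ALERT_THRESHOLD,
                 interval_time=DEFAULT_INTERVAL_TIME, ports=None):
        self.threshold = alert_threshold
        self.interval = interval_time
        self.ports = set(ports) if ports is not None else None  # None = all ports
        self.state = {}  # port -> [window_start, count, blocked]

    def cpu_packet(self, port, ts):
        """Offer one CPU-bound packet seen on `port` at `ts` seconds; True = reaches CPU."""
        if self.ports is not None and port not in self.ports:
            return True  # unprotected port: never filtered
        st = self.state.get(port)
        if st is None or ts - st[0] >= self.interval:
            st = self.state[port] = [ts, 0, False]  # start a new interval
        if st[2]:
            return False  # flow already blocked for this interval
        st[1] += 1
        if st[1] > self.threshold:
            st[2] = True  # threshold reached: block the rest of the interval
            return False
        return True

    def show(self):
        """Per-port (count, blocked) view, loosely like 'show cpu-dos-protect'."""
        return {p: (c, b) for p, (_, c, b) in sorted(self.state.items())}


def simulate(dos, packets):
    """Feed constructed (port, timestamp) packets; return delivered/dropped per port."""
    delivered, dropped = defaultdict(int), defaultdict(int)
    for port, ts in packets:
        (delivered if dos.cpu_packet(port, ts) else dropped)[port] += 1
    return dict(delivered), dict(dropped)
```

With the page's defaults, a constructed burst of 200 CPU-bound packets on one port within half a second passes 150 to the CPU and drops the remaining 50, while a port sending 10 packets in the same interval is untouched; the next interval clears the block.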