xStack® DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual

36 SAFEGUARD ENGINE COMMANDS
Periodically, malicious hosts on the network will attack the Switch using packet flooding (for example, an ARP storm) or other methods. These attacks may drive CPU utilization beyond what the Switch can handle. To alleviate this problem, the Safeguard Engine function was added to the Switch's software.
The Safeguard Engine helps keep the Switch operable by minimizing its workload while the attack is ongoing, so that it can still forward essential packets over the network with limited bandwidth. When the Switch either (a) receives more packets than it can process or (b) consumes too much memory, it enters Exhausted mode. In this mode, the Switch performs the following tasks to minimize CPU usage:
1. It limits the bandwidth of received ARP packets. The user may implement this in two ways, using the config safeguard_engine command.
   a. When strict is chosen, the Switch stops receiving ARP packets not destined for the Switch. This eliminates all unnecessary ARP packets while allowing the essential ARP packets to pass through to the Switch's CPU.
   b. When fuzzy is chosen, the Switch minimizes the ARP bandwidth it receives by adjusting the bandwidth for all ARP packets, whether destined for the Switch or not. The Switch uses an internal algorithm to filter ARP packets through, with a higher percentage set aside for ARP packets destined for the Switch.
2. It limits the bandwidth of IP packets received by the Switch. The user may implement this in two ways, using the config safeguard_engine command.
   a. When strict is chosen, the Switch stops receiving all unnecessary broadcast IP packets, even if the high CPU utilization is not caused by a high rate of broadcast IP packets.
   b. When fuzzy is chosen, the Switch minimizes the IP bandwidth it receives by adjusting the bandwidth for all IP packets, setting an acceptable bandwidth for both unicast and broadcast IP packets. The Switch uses an internal algorithm to filter IP packets through while adjusting the bandwidth dynamically.
IP packets may also be limited by configuring the Switch to accept only certain IP addresses. This can be accomplished through the CPU Interface Filtering mechanism explained in the previous section. Once the user configures these acceptable IP addresses, packets carrying other IP addresses are dropped by the Switch, thus limiting the bandwidth of IP packets. To keep filtering fast, keep the number of match conditions for these acceptable addresses and their packets small; a short rule set limits the CPU time spent on filtering itself.
Once in Exhausted mode, the accepted packet flow is reduced to half of the level that caused the Switch to enter Exhausted mode. After the packet flow has stabilized, the rate is first raised by 25% and then returned to a normal packet flow.
NOTICE: When the Safeguard Engine is enabled, the Switch allots bandwidth to the various traffic flows (ARP, IP) using the FFP (Fast Filter Processor) metering table to control CPU utilization and limit traffic. This may limit the speed of routed traffic over the network.
The Safeguard Engine commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the
following table.
Command                  Parameters
config safeguard_engine  {state [enable | disable] | utilization {rising <value 20-100> | falling <value 20-100>} | trap_log [enable | disable] | mode [strict | fuzzy]}
show safeguard_engine
Each command is listed, in detail, in the following sections.
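As an added illustration (this is not from the manual and not D-Link's implementation), the following Python script models the Exhausted-mode behaviour described above using the parameters of config safeguard_engine, and renders the CLI lines for a given configuration. The example thresholds, the one-command-per-parameter rendering, the requirement that falling be below rising, the way strict and fuzzy split the ARP budget, and the per-interval sample data are all assumptions of this model; the Switch's own FFP metering algorithm is not described on this page.

```python
"""Simplified model of the Safeguard Engine as described in this chapter (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_MODES = ("strict", "fuzzy")


@dataclass
class SafeguardConfig:
    state: str = "enable"
    rising: int = 90      # assumed example thresholds; the CLI accepts 20-100
    falling: int = 30
    trap_log: str = "enable"
    mode: str = "strict"

    def validate(self) -> None:
        for name, val in (("rising", self.rising), ("falling", self.falling)):
            if not 20 <= val <= 100:
                raise ValueError(f"{name} must be in 20-100, got {val}")
        # Hysteresis only works if the exit threshold is below the entry threshold
        # (an assumption of this model; the manual gives only the value ranges).
        if self.falling >= self.rising:
            raise ValueError("falling threshold must be below rising threshold")
        if self.mode not in VALID_MODES:
            raise ValueError(f"mode must be one of {VALID_MODES}")
        for name, val in (("state", self.state), ("trap_log", self.trap_log)):
            if val not in ("enable", "disable"):
                raise ValueError(f"{name} must be enable or disable")

    def cli_lines(self) -> List[str]:
        """Render one CLI command per parameter (a conservative choice), per the command table."""
        self.validate()
        return [
            f"config safeguard_engine state {self.state}",
            f"config safeguard_engine utilization rising {self.rising} falling {self.falling}",
            f"config safeguard_engine trap_log {self.trap_log}",
            f"config safeguard_engine mode {self.mode}",
            "show safeguard_engine",
        ]


@dataclass
class SafeguardEngine:
    cfg: SafeguardConfig
    exhausted: bool = False
    arp_cap: Optional[float] = None   # ARP pps allowed up to the CPU while in Exhausted mode
    recovering: bool = False          # one interval at cap * 1.25 after leaving Exhausted mode
    events: List[str] = field(default_factory=list)

    def step(self, cpu_util: int, arp_to_switch: float, arp_other: float) -> float:
        """Feed one sampling interval; return the ARP pps passed up to the CPU."""
        offered = arp_to_switch + arp_other
        if self.cfg.state != "enable":
            return offered
        if not self.exhausted and cpu_util >= self.cfg.rising:
            self.exhausted = True
            self.arp_cap = offered / 2        # halve the rate that triggered Exhausted mode
            self.recovering = False
            self._log(f"enter Exhausted mode at cpu={cpu_util}% arp={offered:.0f}pps")
        elif self.exhausted and cpu_util <= self.cfg.falling:
            self.exhausted = False
            self.recovering = True
            self._log(f"leave Exhausted mode at cpu={cpu_util}%")
        if self.exhausted:
            if self.cfg.mode == "strict":
                # strict: drop ARP not destined for the Switch, keep the essential ARP
                return min(arp_to_switch, self.arp_cap)
            # fuzzy: share the cap, giving ARP destined for the Switch first claim on it
            own = min(arp_to_switch, self.arp_cap)
            return own + min(arp_other, self.arp_cap - own)
        if self.recovering:
            self.recovering = False
            return min(offered, self.arp_cap * 1.25)
        return offered

    def _log(self, msg: str) -> None:
        if self.cfg.trap_log == "enable":
            self.events.append(msg)


def run_demo() -> List[float]:
    """Constructed samples: (cpu %, ARP pps to the Switch, ARP pps to other hosts)."""
    samples = [(30, 100, 100), (95, 100, 900), (85, 100, 900), (35, 400, 400), (30, 400, 400)]
    eng = SafeguardEngine(SafeguardConfig(rising=80, falling=40, mode="strict"))
    return [eng.step(*s) for s in samples]


if __name__ == "__main__":
    print("\n".join(SafeguardConfig(rising=80, falling=40).cli_lines()))
    print(run_demo())
```

In the strict run the ARP storm (sample 2) pushes CPU over the rising threshold, the engine keeps only the 100 pps destined for the Switch, and after CPU drops below the falling threshold one interval is admitted at 1.25 times the cap before normal flow resumes. Switching the mode to fuzzy admits the cap of 500 pps during the storm, with the Switch-bound ARP served first.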
config safeguard_engine
Purpose      To configure ARP storm control for the system.
Syntax       config safeguard_engine {state [enable | disable] | utilization {rising <value 20-100> | falling <value 20-100>} | trap_log [enable | disable] | mode [strict | fuzzy]}
Description  Use this command to configure the Safeguard Engine to minimize the effects of an ARP storm.