D-Link xStack DES-6500 User Manual - Safeguard Engine
xStack DES-6500 Modular Layer 3 Chassis Ethernet Switch User Manual
Safeguard Engine
Developed by D-Link, the Safeguard Engine is a robust and innovative technology which will automatically reduce the
negative impact of repeated packet flooding to the Switch's CPU. As a result, D-Link Switches will be better protected
from frequent interruptions by malicious viruses or worm attacks.
Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other
methods. These attacks may increase the CPU utilization beyond its capability. To alleviate this problem, the Safeguard
Engine function was added to the Switch’s software.
The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the
attack is ongoing, thus allowing it to forward essential packets over its network in a limited bandwidth. When the
Switch either (a) receives too many packets to process or (b) uses too much memory, it will enter an Exhausted mode.
When in this mode, the Switch will perform the following tasks to minimize the CPU usage:
1. It will limit the bandwidth of received ARP packets. The user may implement this in two ways, by using the Mode
pull down menu in the screen below:
a. When Strict is chosen, the Switch will stop receiving ARP packets not destined for the Switch. This will
eliminate all unnecessary ARP packets while allowing the essential ARP packets to pass through to the
Switch’s CPU.
b. When Fuzzy is chosen, the Switch will minimize the ARP packet bandwidth received by the Switch by
adjusting the bandwidth for all ARP packets, whether destined for the Switch or not. The Switch uses an
internal algorithm to filter ARP packets through, with a higher percentage set aside for ARP packets
destined for the Switch.
2. It will limit the bandwidth of IP packets received by the Switch. The user may implement this in two ways, by
using the Mode pull down menu in the screen below:
a. When Strict is chosen, the Switch will stop receiving all unnecessary broadcast IP packets, even if the
high CPU utilization is not caused by a high receive rate of broadcast IP packets.
b. When Fuzzy is chosen, the Switch will minimize the IP packet bandwidth received by the Switch by
adjusting the bandwidth for all IP packets, setting an acceptable bandwidth for both unicast and
broadcast IP packets. The Switch uses an internal algorithm to filter IP packets through while adjusting
the bandwidth dynamically.
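The Strict and Fuzzy ARP modes from item 1, modelled in Python as an added example (not D-Link firmware and not code from this manual). The switch address, the per-interval budget and the 75% share reserved for ARP destined for the Switch are assumptions; the manual only states that the internal algorithm sets aside a higher percentage for that traffic.

```python
import socket
import struct

SWITCH_IP = "10.0.0.1"  # assumed management address of the switch (constructed)

def arp_request(sender_ip, target_ip, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Build a constructed 42-byte Ethernet + ARP who-has frame."""
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp

def arp_target_ip(frame):
    """Return the ARP target IPv4 address, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    return socket.inet_ntoa(frame[38:42])

def admit_to_cpu(frames, mode, budget=4, own_share=0.75):
    """Frames passed to the CPU in one metering interval while Exhausted.

    strict: only ARP whose target is the switch itself is received.
    fuzzy:  all ARP is squeezed into `budget` frames, with `own_share` of
            that budget reserved for ARP aimed at the switch (assumed split).
    """
    targets = [(f, arp_target_ip(f)) for f in frames]
    own = [f for f, ip in targets if ip == SWITCH_IP]
    other = [f for f, ip in targets if ip not in (None, SWITCH_IP)]
    if mode == "strict":
        return own
    if mode == "fuzzy":
        kept = own[:int(budget * own_share)]
        return kept + other[:budget - len(kept)]
    raise ValueError(f"unknown mode: {mode}")

def demo():
    # Constructed ARP storm: 8 sweeping requests plus 2 legitimate ones for the switch.
    storm = [arp_request("10.0.0.66", f"10.0.0.{n}") for n in range(100, 108)]
    legit = [arp_request("10.0.0.20", SWITCH_IP), arp_request("10.0.0.21", SWITCH_IP)]
    return {m: len(admit_to_cpu(storm + legit, m)) for m in ("strict", "fuzzy")}

if __name__ == "__main__":
    print(demo())
```

In this model Strict hands the CPU only the two requests addressed to the Switch, while Fuzzy still admits a capped number of the other ARP frames.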
IP packets may also be limited by the Switch by configuring only certain IP addresses to be accepted. This method can be
accomplished through the CPU Interface Filtering mechanism explained in the previous section. Once the user configures
these acceptable IP addresses, other packets containing different IP addresses will be dropped by the Switch, thus limiting
the bandwidth of IP packets. To keep the process moving fast, be sure not to add many conditions on which to accept these
acceptable IP addresses and their packets, thus limiting the CPU utilization.
Once in Exhausted mode, the packet flow will decrease by half of the level that caused the Switch to enter Exhausted
mode. After the packet flow has stabilized, the rate will initially increase by 25% and then return to a normal packet flow.
NOTICE:
When the Safeguard Engine is enabled, the Switch will allot
bandwidth to various traffic flows (ARP, IP) using the FFP (Fast Filter
Processor) metering table to control the CPU utilization and limit traffic.
This may limit the speed of routing traffic over the network.
To configure the Safeguard Engine for the Switch, click Configuration > Safeguard Engine > Safeguard Engine
Settings, which will open the following window.