Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User's Manual

Chapter 17.  Security  
NETGEAR 8800 User Manual 
others, and although normal traffic is not a problem, exception traffic must be handled by the 
switch’s CPU in software. 
Some packets that the switch processes in the CPU software include:
• Traffic resulting from new MAC learning
  Note: When certain features such as Network Login are enabled, hardware learning is disabled to let software control new MAC learning.
• Routing and control protocols including ICMP, BGP, OSPF, STP, and so forth
• Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, and so forth)
• Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may be too busy to service other functions and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets that require costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that other functions can continue. When a flood of CPU-bound packets reaches the switch, DoS Protection counts these packets. When the packet count nears the alert threshold, packet headers are saved. If the threshold is reached, these headers are analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the CPU. This ACL remains in place to provide relief to the CPU. Periodically, the ACL expires, and if the attack is still occurring, it is re-enabled. With the ACL in place, the CPU has the cycles to process legitimate traffic and continue other services.
Note: User-created ACLs take precedence over the automatically applied DoS protect ACLs.
DoS Protection will send a notification when the notify threshold is reached.
You can also specify some ports as trusted ports, so that DoS protection will not be applied to 
those ports.
Configuring Simulated Denial of Service Protection
The conservative way to deploy DoS protection is to use the simulated mode first. In 
simulated mode, DoS protection is enabled, but no ACLs are generated. To enable the 
simulated mode, use the following command:
enable dos-protect simulated
This mode is useful to gather information about normal traffic levels on the switch. This will 
assist in configuring denial of service protection so that legitimate traffic is not blocked.
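The count / save-headers / build-ACL / expire cycle described above, together with simulated mode and trusted ports, as an added illustrative model (not NETGEAR's implementation). The thresholds, the "nears the threshold" margin, the header fields and the source addresses are constructed assumptions for the example.

```python
from collections import Counter, namedtuple

# Constructed header record: ingress port, source address, protocol (assumed fields)
Header = namedtuple("Header", "port src proto")
class DosProtect:
    """Simplified model of the DoS Protection cycle; not NETGEAR's implementation."""
    def __init__(self, notify_threshold, alert_threshold, acl_lifetime,
                 simulated=False, trusted_ports=()):
        self.notify_threshold = notify_threshold  # notification sent at this count
        self.alert_threshold = alert_threshold    # ACL built at this count
        self.acl_lifetime = acl_lifetime          # intervals before the ACL expires
        self.simulated = simulated                # count and analyse, never install ACLs
        self.trusted_ports = set(trusted_ports)   # DoS protection is not applied here
        self.count, self.saved, self.acl, self.acl_ttl = 0, [], None, 0
        self.notifications, self.cpu_packets, self.dropped = 0, 0, 0

    def process(self, h):
        # Handle one CPU-bound packet; returns 'cpu' or 'dropped'.
        if h.port in self.trusted_ports:            # trusted ports are exempt
            self.cpu_packets += 1
            return "cpu"
        if self.acl == (h.src, h.proto):            # hardware ACL filters the flow
            self.dropped += 1
            return "dropped"
        self.count += 1
        if self.count == self.notify_threshold:
            self.notifications += 1
        if self.count >= self.alert_threshold - 2:  # "nears" the threshold (assumed margin)
            self.saved.append((h.src, h.proto))
        if self.count >= self.alert_threshold:      # analyse saved headers, build the ACL
            flow, _ = Counter(self.saved).most_common(1)[0]
            self.count, self.saved = 0, []
            if not self.simulated:
                self.acl, self.acl_ttl = flow, self.acl_lifetime
        self.cpu_packets += 1
        return "cpu"

    def end_interval(self):
        # Periodic timer: reset the counter and age the ACL until it expires.
        self.count, self.saved = 0, []
        if self.acl:
            self.acl_ttl -= 1
            if self.acl_ttl == 0:
                self.acl = None  # a continuing attack is simply re-learned next interval

def run(simulated):
    # Constructed ICMP flood from 10.0.0.9 on port 1:2, plus normal and trusted traffic.
    dp = DosProtect(3, 5, 2, simulated=simulated, trusted_ports={"1:1"})
    pkts = [Header("1:2", "10.0.0.9", "icmp")] * 8
    pkts += [Header("1:3", "10.0.0.2", "ospf"), Header("1:1", "10.0.0.9", "icmp")]
    results = [dp.process(h) for h in pkts]
    dp.end_interval(); dp.end_interval()            # ACL lifetime elapses
    return dp, results
```

In simulated mode the same flood only raises notifications and counts, which is the data you would compare against normal traffic levels before enabling ACL generation.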