Linksys DES-3028/DES-3028P/DES-3052/DES-3052P User Manual

DES-3028 DES-3028P DES-3052 DES-3052P  Layer 2 Fast Ethernet Switch CLI Reference Manual 
24  SAFEGUARD ENGINE COMMANDS
 
Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other methods. 
These attacks may increase the CPU utilization beyond its capability. To alleviate this problem, the Safeguard Engine function 
was added to the Switch’s software. 
The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is 
ongoing, so that it can still forward essential packets over its network within a limited bandwidth. When the Switch either (a) 
receives too many packets to process or (b) uses too much memory, it will enter an Exhausted mode. When in this mode, the 
Switch will perform the following tasks to minimize the CPU usage: 
a.  It will limit the bandwidth of ARP packets received by the Switch.  
b.  It will limit the bandwidth of IP packets received by the Switch.  
IP packets may also be limited by the Switch by configuring only certain IP addresses to be accepted. This method can be 
accomplished through the CPU Interface Filtering mechanism explained in the previous section. Once the user configures these 
acceptable IP addresses, other packets containing different IP addresses will be dropped by the Switch, thus limiting the 
bandwidth of IP packets. To keep the process moving fast, be sure not to add many conditions on which to accept these acceptable 
IP addresses and their packets, thus limiting the CPU utilization. 
Once in Exhausted mode, the packet flow will decrease by half of the level that caused the Switch to enter Exhausted mode. After 
the packet flow has stabilized, the rate will initially increase by 25% and then return to a normal packet flow. 
 
NOTICE: When the Safeguard Engine is enabled, the Switch will allot bandwidth to various traffic 
flows (ARP, IP) using the FFP (Fast Filter Processor) metering table to control the CPU utilization 
and limit traffic. This may limit the speed of routing traffic over the network. 
The Safeguard Engine commands in the Command Line Interface (CLI) are listed (along with the appropriate parameters) in the 
following table. 
Command                   Parameters
config safeguard_engine   {state [enable | disable] | utilization {rising <value 20-100> | falling <value 20-100>} | trap_log [enable | disable] | mode [strict | fuzzy]}
show safeguard_engine
 
Each command is listed, in detail, in the following sections. 
config safeguard_engine 
Purpose: To configure ARP storm control for the system. 
Syntax: {state [enable | disable] | utilization {rising <value 20-100> | falling <value 20-100>} | trap_log [enable | disable] | mode [strict | fuzzy]} 
Description: Use this command to configure the Safeguard Engine to minimize the effects of an ARP storm. 
Parameters: 
state [enable | disable] – Select the running state of the Safeguard Engine function as enable or disable. 
cpu_utilization – Select this option to trigger the Safeguard Engine function to enable based on the following determinants: 
    rising <value 20-100> - The user can set a percentage value of the rising CPU utilization which will trigger the Safeguard Engine function. Once the CPU utilization rises to this percentage, the Safeguard Engine mechanism will initiate. 
    falling <value 20-100> - The user can set a percentage value of the falling CPU utilization which will trigger the Safeguard Engine function to cease. Once the CPU utilization falls to this percentage, the Safeguard Engine mechanism will shut down. 
trap_log [enable | disable] – Choose whether to enable or disable the sending of messages to the device’s SNMP agent and switch log once the Safeguard Engine has been activated by a high CPU utilization rate. 
mode [strict | fuzzy] – Toggle between strict and fuzzy mode. 
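
Added example (not from the manual and not the switch's own code): a small Python model of the rising/falling trigger described under Parameters, which also builds a config safeguard_engine line using the "utilization" keyword from the Syntax entry. The function names, the constructed CPU readings, combining several options on one command line, and the requirement that falling be lower than rising are assumptions of this example.

```python
# Model of the rising/falling CPU trigger described above. Added example,
# not firmware behaviour verified on a device.

def build_command(rising, falling, trap_log=True):
    """Return a CLI line that follows the Syntax entry on this page."""
    for name, value in (("rising", rising), ("falling", falling)):
        if not 20 <= value <= 100:
            raise ValueError(f"{name} must be in 20-100, got {value}")
    if falling >= rising:
        # Assumption, not stated on the page: without a gap between the
        # two thresholds the engine would toggle on every small CPU change.
        raise ValueError("falling should be lower than rising")
    log = "enable" if trap_log else "disable"
    # Assumption: the braces in the Syntax allow several options per line.
    return ("config safeguard_engine state enable utilization "
            f"rising {rising} falling {falling} trap_log {log}")


def simulate(readings, rising, falling):
    """Return (cpu, mode, event) for each CPU utilization reading (percent)."""
    exhausted = False
    timeline = []
    for cpu in readings:
        event = None
        if not exhausted and cpu >= rising:
            # "Once the CPU utilization rises to this percentage ..."
            exhausted, event = True, "Safeguard Engine initiates"
        elif exhausted and cpu <= falling:
            # "Once the CPU utilization falls to this percentage ..."
            exhausted, event = False, "Safeguard Engine shuts down"
        timeline.append((cpu, "exhausted" if exhausted else "normal", event))
    return timeline


# Constructed sample: an ARP storm pushes the CPU up, then traffic subsides.
SAMPLE_CPU = [25, 48, 72, 65, 41, 33, 28, 35]

if __name__ == "__main__":
    print(build_command(70, 30))
    for cpu, mode, event in simulate(SAMPLE_CPU, rising=70, falling=30):
        print(f"cpu={cpu:3d}%  mode={mode:9s}  {event or ''}")
```

Readings between the two thresholds (65, 41 and 33 in the sample) leave the engine active, which is why trap and log entries should appear once per storm rather than once per sample.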
 