D-Link DGS-3200-10 Product Manual - Page 133
Safeguard Engine, Trusted Host, IP-MAC-Port Binding (IMPB), Port Security, DHCP Server Screening,
UPC - 790069306310
View all D-Link DGS-3200-10 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 133 highlights
xStack® DGS-3200 Series Layer 2 Gigabit Ethernet Managed Switch Security Safeguard Engine Trusted Host IP-MAC-Port Binding (IMPB) Port Security DHCP Server Screening Guest VLAN 802.1X SSL Settings SSH Access Authentication Control MAC-based Access Control (MAC) Web-based Access Control (WAC) Japanese Web-based Access Control (JWAC) Multiple Authentication IGMP Access Control Settings ARP Spoofing Prevention Settings Section 5 Safeguard Engine Periodically, malicious hosts on the network will attack the Switch by utilizing pac ket flooding (ARP Storm) or other methods. These attacks may increase the switch load beyond its cap ability. To alleviate this problem, the Safeguard Engine function was added to the Switch's software. The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. The Safeguard Engine has two operating modes that can be configured by the user, Strict and Fuzzy. In Strict mode, when the Switch either (a) receives too many packets to process or (b) exerts too much memory, it will en ter the Exhausted mode. When in this mode, the Switch will drop all ARP and IP broadcast packets and packets from untrusted IP addresses for a calculated time interval. Every five seconds, the Safeguard Engine will check to see if there are too many packets flooding the Switch. If the threshold has been crossed, the Switch will initially stop all ingress ARP and IP broadcast packets and packets from untrusted IP addresses for five seconds. After another five-second checking interval arrives, the Switch will again check the ingress flow of packets. If the flooding has stopped, the Switch will again begin accepting all packets. Yet, if the checking shows that there continues to be too many packets flooding the Switch, it will stop accepting all ARP and IP broadcast packets and packets from untrusted IP addresses for double the time of the previous stop period. This doubling of time for stopping these packets will continue until the maximum time has been reached, which i s 320 seconds and e very st op f rom this p oint until a ret urn t o n ormal i ngress fl ow w ould be 320 sec onds. For a better understanding, please examine the following example of the Safeguard Engine. 120