Security, Safeguard Engine | D-Link DGS-3700 instruction

DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual

Section 5

Security

Safeguard Engine Trusted Host IP-MAC-Port Binding

Port Security

DHCP Server Screening Settings 802.1X

SSL Settings

SSH

Access Authentication Control MAC-based Access Control Web Authentication NetBIOS Filtering

Safeguard Engine

Periodically, malicious hosts on the network will attack the Switch by utilizing packet flooding (ARP Storm) or other methods. These attacks may increase the Safeguard Engine beyond its capability. To alleviate this problem, the Safeguard Engine function was added to the Switch’s software.

The Safeguard Engine can help the overall operability of the Switch by minimizing the workload of the Switch while the attack is ongoing, thus making it capable to forward essential packets over its network in a limited bandwidth. When the Switch either (a) receives too many packets to process or (b) exerts too much memory, it will enter an Exhausted mode. When in this mode, the Switch only receives a small amount of ARP or IP broadcast packets for a calculated time interval. Every five seconds, the Switch will check to see if there are too many packets flooding the Switch. If the threshold has been crossed, the Switch will do a rate limit and only allow a small amount of ARP and IP broadcast packets for five seconds. After another five-second checking interval arrives, the Switch will again check the ingress flow of packets. If the flooding has stopped, the Switch will again begin accepting all packets. Yet, if the checking shows that there continues to be too many packets flooding the Switch, it will still only accept a small amount of ARP and IP broadcast packets for double the time of the previous stop period. This doubling of time for stopping ingress ARP and IP broadcast packets will continue until the maximum time has been reached, which is 320 seconds and every stop from this point until a return to normal ingress flow would be 320 seconds. For a better understanding, examine the following example of the Safeguard Engine.

145

Image 156

D-Link DGS-3700 user manual Security, Safeguard Engine

Contents

Copyright 2009. All rights reserved Page Table of Contents DDM L2 Features QoS Security ACL Save Services and Tools 258 Preface Intended Readers Typographical Conventions Login to Web Manager Introduction Web-based User Interface Areas of the User Interface Web Pages AreaArea Function Page Configuration Device Information System Information Serial Port Settings Fields that can be configured are described belowParameter Description Baud Rate Auto Logout IP Address Settings window IP Address Bootp Dhcp Interface Settings Setting the Swith’s IP Address using the Console Interface Parameter Description Interface Name IPv6 NetworkAddress IPv6 State IPv6 Route Settings IPv6 Neighbor SettingsAutomatic Link Local Address Port Configuration Port SettingsNeighbor IPv6 Address Link Layer MAC Port Description Static ARP Settings Port Error Disabled User Accounts Admin, Operator and User Privileges New PasswordPassword Management Admin Operator User Admin, Operator and User Privileges User Account Management System Log Configuration System Log SettingsSystem Log Server Parameter Description Server ID Server IP AddressUDP Port 514 or Severity System Severity Settings Parameter Description System SeveritySeverity Level Dhcp Relay Global Settings Dhcp Relay Dhcp Relay Agent Information OptionCheck Policy Implementation of Dhcp Information Option 82 on the Switch Circuit ID sub-option formatRemote ID sub-option format Dhcp Relay Interface Settings Dhcp Relay Option 60 Default SettingsParameter Description Relay IP Address Mode Dhcp Relay Option 60 Settings Dhcp Relay Option 61 Default Settings Out of Band Management Settings Dhcp Relay Option 61 SettingsParameter Description Client ID Relay Rule External Alarm Settings Dhcp Auto Configuration SettingsParameter Description IP Address Link Status Web Settings Telnet SettingsMAC Address Aging Time Password Encryption Clipaging SettingsFirmware Information Parameter Description Dual Configuration Settings Update TimeVersion Size Bytes Ping Test Local Loopback Ports Settings TimeoutIPv6 Ping Test Size Vlan Counter Settings Sntp Settings Time Settings TimeZone Settings Hhmm MAC Notification Settings MAC Notification Global Settings MAC Notification Port Settings ParameterDescription Snmp Settings TrapsMIBs Snmp Global State Settings Snmp View TableParameter Description View Name Subtree OID Snmp Group Table Snmp User Table Snmp Community Table Parameter Description Community Name Snmp Host Table Snmp v6Host Table Snmp Engine ID CommunityString/SNMPv3 User Name Time Range Settings Snmp Trap ConfigurationParameter Description Range Name Hours SFlow Global State Settings SFlow Analyzer Server SettingsSFlow ParameterDescription Analyzer Server ID SFlow Flow Sampler Settings SFlow Counter Poller Settings Following parameters can be configured Single IP Management Single IP Settings Upgrade to Topology Parameter Description Device Name Remote PortSpeed Local Port 62 Topology view Icon Description Tool Tips 63 Device Information Utilizing the Tool Tip Right-Click Group Icon Commander Switch Icon Member Switch IconCandidate Switch Icon Menu Bar Firmware Upgrade Configuration File Backup/Restore DDM Settings Upload Log FileBrowse DDM Status List DDM Temperature Threshold Settings DDM Voltage Threshold Settings DDM Bias Current Threshold Settings DDM Tx Power Threshold Settings DDM Rx Power Threshold Settings Parameter Description From Port / To Port Jumbo Frame Jumbo Frame window VLANs Understanding Ieee 802.1p PriorityVlan Description Ieee 802.1Q VLANs Ieee 802.1Q Packet Forwarding 802.1Q Vlan Tags Ieee 802.1Q Tag Port Vlan ID Tagging and UntaggingIngress Filtering Default VLANs Port-based VLANsVlan Segmentation VID Double VLANs Vlan and Trunk GroupsDestination Source Spvlan Tpid + Regulations for Double VLANs Double Vlan Example 802.1Q Vlan Current 802.1Q Static VLANs Entries window 802.1Q Vlan window Add/Edit Vlan Tab Port Settings AdvertisementTagged Untagged 10 802.1Q Vlan window Vlan Batch Settings window Subnet Vlan Settings Vlan Precedence SettingsSubnet Vlan Vlan ID In-Q Settings In-QVlan Precedence Vlan Translation Settings In-Q and Vlan Translation Rules For ingress untagged packets at UNI portsFor ingress tagged packets at UNI ports 802.1v Protocol Group Settings 802.1v Protocol Vlan 802.1v Protocol Vlan Settings 802.1p PriorityCheck the Select All Ports box Search Port List Rspan Settings Gvrp Settings Gvrp Global Settings GvrpPvid MAC-based Vlan Settings Pvid Auto Assign SettingsLeave All Time NNI Bpdu Port Trunking Understanding Port Trunk Groups Parameter Description Algorithm Master PortActive Port Member Ports Lacp Port Settings Activity Traffic Segmentation Forward Portlist Bpdu Tunneling Settings 27 Bpdu Tunneling window Igmp Snooping Settings Igmp SnoopingRate Limit Querier IP Time Query Interval Max ResponseRobustness Value 255 Igmp Snooping Rate Limit Settings Igmp Snooping Static Group Settings Igmp Multicast Group Profile Settings Igmp Snooping Multicast Vlan SettingsFollowing fields can be set IPv4 Multicast Profile Settings IPv4 Limited Multicast Range Settings IPv4 Max Multicast Group Settings MLD Snooping Settings MLD SnoopingMLD Control Messages Query Expiry Time Query Interval 1-65535 secMax Response Time 25 sec MLD Snooping Rate Limit Settings 43 MLD Snooping Router IP Settings Modify window MLD Snooping Static Group Settings MLD Multicast Group Profile SettingsIPv6 Address MLD Snooping Multicast Vlan Settings 1,6 Source Port1,6 IPv6 Multicast Profile Settings Tagged Member Port e.g.1-4,6 IPv6 Limited Multicast Range Settings IPv6 Max Multicast Group Settings Port Mirror 55 Port Mirror window Loopback Detection Settings Recover TimeParameter Description LBD State Trap Status Spanning Tree 802.1w Rapid Spanning TreePort Transition States Edge Port P2P Port 802.1D and 802.1w Compatibility STP Bridge Global Settings Max Hops NNI Bpdu Address STP Port Settings External Cost 0=Auto MST Configuration Identification P2P STP Instance Settings Parameter Description Configuration NameRevision Level Msti ID Mstp Port Information Instance IDInternal Path cost 200000000 Forwarding & Filtering Unicast ForwardingMulticast Forwarding Multicast Filtering Mode Multicast MAC Lldp Global Settings Lldp Port Settings Admin StatusParameter Description From Port /To Port Notification Lldp Basic TLVs Settings Lldp Management Address ListParameter Description Address Lldp Dot1 TLVs Settings Vlan Lldp Dot3 TLVs Settings Lldp Statistics SystemMAC/PHY Lldp Local Port Information 72 Lldp Statistics System window CFM Port Settings Lldp Remote Port Information CFM CCM PDUs Forwarding Mode CFM MPs Reply LTRsCFM Mipccm List Connectivity Fault Management Settings Connectivity Fault Management CreateMDConnectivity Fault Management SettingsMD Parameter Description CFM State CFM Loopback Settings MIPMEP LBM CFM Linktrace Settings Ethernet OAM Settings Ethernet OAMRemote Loopback Received Remote Ethernet OAM Configuration Settings QoS Advantages of QoS Mapping QoS on the Switch Understanding QoSPage HOL Blocking Pevention Bandwidth ControlNo Limit Traffic Control Traffic Control window Traffic Trap Setting Traffice Trap SettingsCount Down Time Interval 802.1p Default Priority 802.1p Default Priority window 802.1p User Priority QoS Scheduling Mechanism QoS Scheduling SchedulingMechanism Band Manage Settings Class ID Sred Settings Band Manage Settings Click Apply to implement changes 141 Dscp Trust Settings Dscp Map SettingsSred Drop Counter Dscp Map Dscp List0-63 802.1p Map Settings Priority List0-7Color Safeguard Engine Security Safeguard Engine window IMP Binding Global Settings Trusted HostIP-MAC-Port Binding IMP Binding Port Settings Parameter ACL Mode Trap / Log Dhcp Snoop State Allow Zero IP Forward DhcpPacket Max Entry IMP Binding Entry Settings Ports Port Security Port Settings Port SecurityDhcp Snooping Entries MAC Block List Port Security Vlan Settings Admin StateLock Address Max. Learning Dhcp Server Screening Settings Port Security EntriesVlan ID e.g.1,4-6 Max Learning Dhcp Screening Port Settings Dhcp Offer FilteringParameterDescription Server IP Address 802.1X Port-Based and Host-Based Access Control Authentication Server802.1X Client’s MAC Address Authenticator 16 The Authentication Server Authentication Process Client Port-Based Network Access Control 20 Example of Typical Port-Based Configuration Host-Based Network Access Control 21 Example of Typical Host-Based Configuration 802.1X Global Settings 802.1X Port SettingsPDU SuppTimeout ServerTimeoutReAuthentication QuietPeriod Authentication Radius Server 802.1X User Reauthenticate Ports Initialize PortsConfirm Key Guest Vlan Configuration Limitations Using the Guest Vlan SSL Settings Guest Vlan Download Certificate Ciphersuite CBC SHA EDE CBC SHA SSH Settings SSH Authmode and Algorithm Settings SSH User Authentication Lists HMAC-SHA1HMAC-MD5 HMAC-RSA Access Authentication Control Host NamePage Authentication Policy Settings Application Authentication Settings Authentication Server Group 37 Authentication Server Group Settings window Authentication Server 38 Authentication Server Group Settings Edit window Login Method Lists Enable Method Lists ParameterDescription Method List NamePriority 1, 2, 3 Local Enable Password Settings 41 Enable Method List window Radius Accounting Settings 42 Local Enable Password window MAC-based Access Control MAC-based Access Control Settings Parameter Description Settings MBA Global State MethodGuest Vlan Name Guest Vlan ID MAC-based Access Control Local Settings Hold Time Web Authentication Web-based Access Control Settings Conditions and LimitationsParameterDescription State Web-based Access Control User Settings Logout Timer1440 Authentication Redirection NetBIOS Filtering NetBIOS Filtering SettingsConfirmation ACL Configuration Wizard Access IDParameterDescription Type Access Profile List OptionApply To Add Access Profile Ethernet Parameter Description Ethernet ACL Source MAC MaskDestination MAC Mask Select ACL Type Access Profile List Ethernet Ethernet Type Parameter Description Access ID Vlan MaskReplace Priority Replace Dscp Precedence Time RangeRx Rate Counter Dscp Source IP MaskDestination IP Mask Icmp Type 11 Access Profile List IPv4 12 Access Profile Details IPv4 Icmp Time Range Name Parameter Description IPv6 Class IPv6 Flow LabelIPv6 TCP IPv6 UDP 17 Access Profile List IPv6 Class Flow Label 20 Access Rule List IPv6 22 Add Packet Content ACL Profile Parameter Description Chunk 23 Access Profile List Packet Content 25 Access Profile Packet Content 26 Access Rule List Packet Content CPU Interface Filtering CPU Access Profile List 28 CPU Access Profile List window Source MAC Mask Destination MACMask 802.1Q Vlan Parameter Description Select Profile ID IPv4 Dscp 209 33 Add CPU ACL Profile window for IPv6 Parameter Description Select Profile Select ACLOffset 37 CPU Access Rule List window for Ethernet 39 CPU Access Rule Detail Information window for Ethernet 40 CPU Access Rule List window for IP 42 CPU Access Rule Detail Information window for IP 45 CPU Access Rule Detail Information window for IPv6 ACL Finder ACL Flow Meter 50 ACL Flow Meter window Mode Cable Diagnostic Device Status CPU Utilization Parameter Description Time IntervalRecord Number Show/Hide Port Utilization Packet Size Packet Size window Memory Utilization PacketsReceived RX Received RX window for Bytes and Packets UMBcast RX Transmitted TX 12 Transmitted TX window for Bytes and Packets Bytes Errors 14 Received RX window for errors CRCError SymbolUnderSize OverSize 16 Transmitted TX window for errors ExDefer Port Access Control Radius Authentication Radius Account Client ServerAddress RequestsRetransmissions Responses Authenticator State Parameter Description MAC AddressAuth PAE State Backend State Authenticator Statistics 22 Authenticator Statistics window for MAC-based Authenticator Session Statistics Authenticator Diagnostics Auth Timeout Connect EnterConnect LogOff Auth Enter Browse ARP Table Browse Vlan 27 Browse ARP Table window Show Vlan Ports Browse Igmp Router PortIgmp Snooping Group Igmp Snooping Forwarding Table Browse Igmp Snooping Counter Browse MLD Router Port MLD Snooping Group MLD Snooping Forwarding Table 35 MLD Snooping Group window Browse Session Table Browse MLD Snooping CounterCFM Packet Counter List Browse CFM Fault MEP CFM Packet Counter CCM ListBrowse CFM Port MP List MAC Address Table Browse Vlan Counter StatisticsFunctions used in the MAC address table are described below Browse Ethernet OAM Event Log Browse Ethernet OAM Statistics 46 Browse Ethernet OAM Statistics window Packet/Error Historical Counter & UtilizationBrowse Historical Counter Minutes/1 Day System Log Browse Historical Utilization Parameter Description Log Type Date-TimeLog Text Save Configuration ID Save Configuration ID 1 window Save Log Save All Configuration File Backup & Restore ResetUpload Log File Reboot System Download Firmware ARP ARP FCS Ethernet frame format Forwarding Table Destination address Source address Ether-type Port2 00-20-5C-01-22-22 How ARP spoofing attacks a network Ethernet Gratuitous ARP Prevent ARP spoofing via packet content ACL Example topology Ethernet Offset Chunk 266 System Log Entries Category Event Description Log Information Severity SSL AAA Page Page Page IP-MAC DOS DDM DGS-3700 Series Trap List Proprietary Trap ListTrap Name/OID Variable Bind Format MIB Name Severity Equipment Glossary Page Password Recovery Procedure Command Parameters Command Parameters