4 system guard configuration, System guard overview, Guard against ip attacks – H3C Technologies H3C S3600 Series Switches User Manual
Page 502: Guard against tcn attacks, Layer 3 error control, Cpu protection, System guard configuration
4-1
4
System Guard Configuration
The CPU protection function is added. See
When configuring System Guard, go to these sections for information you are interested in:
z
z
z
Displaying and Maintaining System Guard Configuration
System Guard Overview
Guard Against IP Attacks
System-guard operates to inspect the IP packets over 10-second intervals for the CPU for suspicious
source IP addresses. Once the packets from such an IP address hit the predefined threshold, the switch
with System Guard enabled will take the following action: If the packets from the source IP address
need to be processed by the CPU, the switch decreases the precedence of delivering such packets to
the CPU.
Guard Against TCN Attacks
System Guard monitors the rate at which TCN/TC packets are received on the ports. If a port receives
an excessive number of TCN/TC packets within a given period of time, the switch sends only one
TCN/TC packet in every 10 seconds to the CPU and discards the rest TCN/TC packets, while outputting
trap and log information.
Layer 3 Error Control
With the Layer 3 error control feature enabled, the switch delivers all Layer 3 packets that the switch
considers to be error packets to the CPU.
CPU Protection
When the device is under attack, a large amount of packets will be sent to the device CPU for
processing, which causes the device CPU usage to become exceptionally high and thus adversely
affects normal services on the device. The CPU protection function allows you to control the amount of
packets sent to the CPU within a given time period by setting the CPU protection parameter, thus
preventing exceptionally high CPU usage.