Configuring system guard, Configuring system guard against ip attacks, Configuring system guard against tcn attacks – H3C Technologies H3C S3600 Series Switches User Manual

Configuring System Guard

Configuring System Guard Against IP Attacks

Configuration of System Guard against IP attacks includes these tasks:

- Enabling System Guard against IP attacks
- Setting the maximum number of infected hosts that can be concurrently monitored
- Configuring parameters related to MAC address learning

Follow these steps to configure System Guard against IP attacks:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable System Guard against IP attacks | system-guard ip enable | Required. Disabled by default |
| Set the maximum number of infected hosts that can be concurrently monitored | system-guard ip detect-maxnum number | Optional. 30 by default |
| Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit before an action is taken and the address isolation time (presented in the number of multiples of MAC address aging time) | system-guard ip detect-threshold ip-record-threshold record-times-threshold isolate-time | Optional. By default, ip-record-threshold is 30; record-times-threshold is 1, and isolate-time is 3. |

The relationship among the arguments of the system-guard ip detect-threshold command is best described with an example: if you set ip-record-threshold, record-times-threshold and isolate-time to 30, 1 and 3 respectively, when the system detects successively three times that over 50 IP packets (destined for an address other than an IP address of the switch) from a source IP address are received within a period of 10 seconds, the system considers that it is being attacked. The system then sorts out the source IP address and decreases the precedence of delivering packets from that source IP address to the CPU for a period of 5 times the MAC address aging time.
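A small Python model of the detection behaviour in the paragraph above, added here as an illustration; it is not H3C code. It takes the paragraph's figures (more than 50 packets per 10-second period, three successive periods, 5 times the MAC address aging time) as parameters and does not model how the switch derives them from the command arguments. The class and function names, the 300-second aging time and the sample addresses are assumptions.

```python
from collections import defaultdict

WINDOW_S = 10  # detection period stated in the paragraph

class IpGuardModel:
    """Toy model of the described behaviour; not switch firmware."""

    def __init__(self, switch_ips, pkt_limit=50, successive=3,
                 isolate_multiplier=5, mac_aging_s=300):  # 300 s is assumed
        self.switch_ips = set(switch_ips)
        self.pkt_limit = pkt_limit
        self.successive = successive
        self.isolate_s = isolate_multiplier * mac_aging_s

    def run(self, packets):
        """packets: (time_s, src_ip, dst_ip). Returns (src, start_s, end_s)."""
        counts = defaultdict(lambda: defaultdict(int))  # src -> window -> n
        for t, src, dst in packets:
            if dst in self.switch_ips:
                continue  # only packets destined elsewhere are counted
            counts[src][int(t // WINDOW_S)] += 1
        events = []
        for src, windows in counts.items():
            streak, prev = 0, None
            for w in sorted(windows):
                if windows[w] > self.pkt_limit:
                    streak = streak + 1 if prev == w - 1 else 1
                    prev = w
                else:
                    streak, prev = 0, None
                if streak == self.successive:
                    # Assumed: deprioritisation starts when the last period ends.
                    start = (w + 1) * WINDOW_S
                    events.append((src, start, start + self.isolate_s))
                    break
        return events

def sample_traffic():
    """Constructed traffic: 60 packets per listed 10 s period per source."""
    def burst(src, dst, periods):
        return [(p * WINDOW_S + i * 0.1, src, dst)
                for p in periods for i in range(60)]
    return (burst("10.0.0.5", "192.0.2.9", (0, 1, 2))    # sustained: flagged
            + burst("10.0.0.6", "192.0.2.9", (0, 1, 3))  # quiet period resets
            + burst("10.0.0.7", "10.0.0.1", (0, 1, 2)))  # to the switch itself

if __name__ == "__main__":
    print(IpGuardModel(["10.0.0.1"]).run(sample_traffic()))
```

Only the first source is flagged: the second has a quiet period that breaks the run of successive detections, and the third sends only to the switch's own address, which the paragraph excludes from the count.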

Configuring System Guard Against TCN Attacks

Configuration of System Guard against TCN attacks includes these tasks:

- Enabling System Guard against TCN attacks
- Setting the threshold of TCN/TC packet receiving rate

Follow these steps to configure System Guard against TCN attacks:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable System Guard against TCN attacks | system-guard tcn enable | Required. Disabled by default |
