
4 system-guard configuration (for s3100-ei), System-guard overview, Configuring the system-guard feature – H3C Technologies H3C S3100 Series Switches User Manual

Page 400: System-guard configuration (for s3100-ei)


4 System-Guard Configuration (For S3100-EI)

The configuration introduced in this chapter is only supported by the S3100-EI series switches.

System-Guard Overview

To implement system guard for the CPU, you must first determine whether the CPU is under attack. Do not make this determination solely on the basis of whether congestion occurs in a queue. Instead, use the following criteria:

• The number of packets processed by the CPU in a time range.

• Or the time taken for one hundred packets to be processed.

If the CPU is under attack, the rate of packets to be processed by the CPU in a certain queue exceeds the threshold value, and in this case you can determine that the CPU is under attack. By analyzing these packets, you learn the characteristics of the attack source and can then adopt different filtering rules according to those characteristics. In this way, system guard is implemented.
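The detection logic described above, as an added conceptual sketch in Python (not code from the manual and not H3C's implementation): it counts packets handed to the CPU in a sliding window, flags an attack when the count exceeds the threshold, and filters the dominant source for an isolation period. The 1-second window, the 10-second isolation length, the source labels and all class and function names are assumptions; only the 200-packet default threshold comes from this manual.

```python
from collections import Counter, deque

THRESHOLD = 200     # packets: the default detect-threshold value from the manual
WINDOW_S = 1.0      # assumed measurement window (the manual page gives no value)
ISOLATION_S = 10.0  # assumed isolation length (the manual page gives no value)

class CpuGuardModel:
    """Conceptual model of threshold-based CPU attack detection."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_S, isolation=ISOLATION_S):
        self.threshold, self.window, self.isolation = threshold, window, isolation
        self.recent = deque()    # (timestamp, source) of packets handed to the CPU
        self.blocked_until = {}  # source -> time at which its filter expires

    def packet_to_cpu(self, ts, src):
        """Return 'dropped', 'attack' (threshold just crossed) or 'ok'."""
        if self.blocked_until.get(src, 0.0) > ts:
            return "dropped"                   # filtering rule still in force
        self.recent.append((ts, src))
        while self.recent and self.recent[0][0] <= ts - self.window:
            self.recent.popleft()              # slide the counting window
        if len(self.recent) <= self.threshold:
            return "ok"
        # Over threshold: take the dominant source as the attack characteristic.
        top_src = Counter(s for _, s in self.recent).most_common(1)[0][0]
        self.blocked_until[top_src] = ts + self.isolation
        self.recent = deque(p for p in self.recent if p[1] != top_src)
        return "attack"

    def time_for_last_100(self):
        """Second criterion: seconds taken by the last 100 packets, or None."""
        if len(self.recent) < 100:
            return None
        return self.recent[-1][0] - self.recent[-100][0]

def run_constructed_trace():
    """Constructed trace: host-A at 100 pkt/s, then host-B flooding at 1000 pkt/s."""
    guard, results = CpuGuardModel(), Counter()
    for i in range(50):
        results[guard.packet_to_cpu(i * 0.01, "host-A")] += 1
    for i in range(400):
        results[guard.packet_to_cpu(0.5 + i * 0.001, "host-B")] += 1
    return dict(results), guard.blocked_until

if __name__ == "__main__":
    print(run_constructed_trace())
```

In the constructed trace the flooding source is isolated as soon as the window holds more than 200 packets, while the packets already counted from the low-rate source are left in place.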

Configuring the System-Guard Feature

Through the following configuration, you can enable the system-guard feature, set the threshold for the number of packets when an attack is detected and the length of the isolation after an attack is detected.

Configuring the System-Guard Feature

Table 4-1 Configure the system-guard feature

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable the system-guard feature | system-guard enable | Required. By default, the system-guard feature is disabled. |
| Enable system-guard on specified ports | system-guard permit interface-list | Required. By default, the system-guard function is disabled on a port. |
| Set the threshold for the number of packets when an attack is detected | system-guard detect-threshold threshold-value | Optional. The default threshold value is 200 packets. |