25 system-guard configuration, System-guard overview, Configuring the system-guard feature – H3C Technologies H3C WX3000 Series Unified Switches User Manual

Page 243: Displaying and maintaining system-guard, 1 configuring the system-guard feature, Configuring the system-guard feature -1, System-guard configuration


25 System-Guard Configuration

System-Guard Overview

To implement system guard for the CPU, you must first determine whether the CPU is under attack.

Do not determine whether the CPU is under attack solely by whether congestion occurs in a queue. Instead, use one of the following measures:

- The number of packets processed in the CPU in a time range.
- The time taken for one hundred packets to be processed.

If the CPU is under attack, the rate of packets to be processed in the CPU in a certain queue exceeds the threshold value, and you can then determine that the CPU is under attack. By analyzing these packets, you learn the characteristics of the attack source and can apply different filtering rules according to those characteristics. This is how system guard is implemented.

Configuring the System-Guard Feature

With the following configuration, you can enable the system-guard feature, set the packet-count threshold at which an attack is detected, and set the length of the isolation applied after an attack is detected.

Configuring the System-Guard Feature

Follow these steps to configure the system-guard feature:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the system-guard feature | system-guard enable | Required. By default, the system-guard feature is disabled. |
| Set the threshold for the number of packets when an attack is detected | system-guard detect-threshold threshold-value | Optional. The default threshold value is 200 packets. |
| Set the length of the isolation after an attack is detected | system-guard timer-interval isolate-timer | Optional. By default, the length of the isolation after an attack is detected is 10 minutes. |
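
The following Python model is an added illustration, not H3C code and not the device's actual algorithm. It replays constructed traffic through the packet-count criterion from the overview, using the default threshold of 200 packets and the default 10-minute isolation. The 1-second counting window, the choice of the busiest source as the "attack characteristic", and the sample addresses are assumptions made for the example.

```python
from collections import Counter

DETECT_THRESHOLD = 200        # packets; default from the configuration table
ISOLATE_MS = 10 * 60 * 1000   # 10-minute default isolation, in milliseconds
WINDOW_MS = 1000              # ASSUMPTION: the manual does not state the time range


def system_guard(packets, threshold=DETECT_THRESHOLD,
                 isolate_ms=ISOLATE_MS, window_ms=WINDOW_MS):
    """Replay (timestamp_ms, source) pairs, sorted by time, through the model.

    Returns (attack_records, delivered, dropped); each attack record is
    (detect_time_ms, source, release_time_ms).
    """
    isolated_until = {}               # source -> end of its isolation
    records, delivered, dropped = [], 0, 0
    win_start, counts, total = None, Counter(), 0
    for ts, src in packets:
        if ts < isolated_until.get(src, 0):
            dropped += 1              # filtered before it reaches the CPU
            continue
        if win_start is None or ts - win_start >= window_ms:
            win_start, counts, total = ts, Counter(), 0   # new counting window
        counts[src] += 1
        total += 1
        delivered += 1
        if total > threshold:
            # Characterise the attack: here, simply the busiest source.
            top, _ = counts.most_common(1)[0]
            isolated_until[top] = ts + isolate_ms
            records.append((ts, top, ts + isolate_ms))
            total -= counts.pop(top)  # remaining senders keep their counts
    return records, delivered, dropped


def constructed_traffic():
    """Constructed sample: a normal host at 20 pkt/s plus a 1000 pkt/s flood."""
    normal = [(k * 50, "10.0.0.5") for k in range(60)]         # 0..2950 ms
    flood = [(1000 + k, "10.0.0.99") for k in range(2000)]     # 1000..2999 ms
    return sorted(normal + flood)


if __name__ == "__main__":
    recs, ok, lost = system_guard(constructed_traffic())
    for when, src, until in recs:
        print(f"attack detected at {when} ms from {src}, isolated until {until} ms")
    print(f"delivered to CPU: {ok}, filtered: {lost}")
```

In this model the normal host is never penalised: only the source that dominated the window in which the threshold was crossed is isolated, and every packet from the other sender still reaches the CPU.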

Displaying and Maintaining System-Guard

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the record of detected attacks | display system-guard attack-record | Available in any view |
| Display the state of the system-guard feature | display system-guard state | Available in any view |
