Chapter 6 System-Guard Configuration; System-Guard Overview; System-Guard Configuration; Enabling System-Guard Function - Huawei Quidway S3500 Series Operation Manual


Operation Manual - Security
Quidway S3500 Series Ethernet Switches

Chapter 6 System-guard Configuration

Note:
Among the S3500 series Ethernet switches, the S3526, S3526 FM, S3526 FS, S3526E,
S3526E FM, S3526E FS and S3526C support the system-guard function.

6.1 System-guard Overview

System-guard monitors the packets that the CPU receives, at intervals of 10
seconds, to detect source IP addresses that show attack characteristics and to
count the IP packets from each of them. Once the count exceeds the preconfigured
threshold, the switch takes measures against the host with this IP address:

For S3526, S3526FM, and S3526FS: The switch automatically applies an ACL to
force the host with this IP address (the affected host, for short) to log off.
After a specified time, the switch resumes normal forwarding for the affected host.

For S3526E, S3526E FM, S3526E FS and S3526C: If packets from the host with this
source IP address need to be handled by the switch CPU, the switch reduces the
priority of the packets and drops the packets that have been sent to the CPU.
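
The counting and timed isolation described above for the S3526, S3526FM and S3526FS, as an added Python model (not Huawei code and not part of the manual). The threshold, the isolation time, the non-overlapping 10-second windows and the rule that every CPU-bound packet from a source is counted are assumptions; the addresses and the trace are constructed.

```python
from collections import Counter

INTERVAL = 10  # seconds: the monitoring interval stated in the manual

def simulate(packets, threshold, isolate_for):
    """Count CPU-bound packets per source IP in 10-second intervals and
    isolate any source whose count exceeds the threshold.

    packets: (timestamp_seconds, source_ip) tuples, sorted by time.
    threshold, isolate_for: assumed values, not defaults from the manual.
    Returns sorted (time, action, source_ip) events.
    """
    events, blocked_until, counts = [], {}, Counter()
    window = 0  # index of the interval currently being counted

    def close_window(idx):
        end = (idx + 1) * INTERVAL
        for src, n in counts.items():
            if n > threshold:
                # Models the automatically applied ACL and the timed recovery.
                blocked_until[src] = end + isolate_for
                events.append((end, "isolate", src))
                events.append((end + isolate_for, "recover", src))
        counts.clear()

    for ts, src in packets:
        idx = int(ts // INTERVAL)
        if idx > window:
            close_window(window)
            window = idx
        if ts < blocked_until.get(src, 0):
            continue  # host is isolated: its packets no longer reach the CPU
        counts[src] += 1
    close_window(window)
    return sorted(events)

# Constructed trace: one noisy source (4 packets/s) and one quiet host.
NOISY, QUIET = "10.0.0.66", "10.0.0.5"
SAMPLE = sorted([(i * 0.25, NOISY) for i in range(240)] +
                [(i * 2.0, QUIET) for i in range(30)])

if __name__ == "__main__":
    for event in simulate(SAMPLE, threshold=20, isolate_for=30):
        print(event)
```

In this trace the noisy source is isolated a second time because it is still sending when forwarding recovers, while the quiet host never exceeds the threshold.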

6.2 System-guard Configuration

System-guard configuration includes:

Enabling system-guard function
Setting the max detection count of the affected hosts
Setting parameters of address learning
Enabling the switch not to learn the destination IP address

6.2.1 Enabling system-guard function

The following commands can be used to enable or disable the system-guard function.
Perform the following configurations in system view.