Enabling The Switch Not To Learn The Destination Ip Address - Huawei Quidway S3500 Series Operation Manual


Operation Manual - Security
Quidway S3500 Series Ethernet Switches
(record-times-threshold) and isolate time (isolate-time) of system-guard function. For
example, set the IP-record-threshold, record-times-threshold, and isolate-time of the
system-guard function to 50, 3, and 5. In this case, if the number of IP packets (not
destined to the switch) that the system detects from one source IP address exceeds 50
for 3 consecutive times, the system considers itself to be under attack and does not
learn the destination IP address of packets from that source IP address for 5 aging periods.
This configuration takes effect only after the system-guard function is enabled.
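
The threshold logic described above can be modelled offline to see which sources a given setting would flag. This is an added example, not code from the manual or from the switch software; the sampling interval behind each count and the names Thresholds, first_trip, evaluate and SAMPLES are assumptions, and the per-source counts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    ip_record_threshold: int = 30    # default stated in the manual
    record_times_threshold: int = 1  # default stated in the manual
    isolate_time: int = 3            # default stated in the manual, in aging periods


def first_trip(counts, t):
    """Return the index of the sample at which the source is treated as an
    attacker, or None. counts[i] is the number of IP packets not destined to
    the switch seen from one source in sample i (sampling interval assumed)."""
    streak = 0
    for i, n in enumerate(counts):
        # "exceed" is strict: a count equal to the threshold does not count,
        # and any sample at or below it resets the consecutive run.
        streak = streak + 1 if n > t.ip_record_threshold else 0
        if streak >= t.record_times_threshold:
            return i
    return None


def evaluate(samples, t):
    """Map each tripping source to (trip index, aging periods without learning)."""
    result = {}
    for src, counts in samples.items():
        idx = first_trip(counts, t)
        if idx is not None:
            result[src] = (idx, t.isolate_time)
    return result


# Constructed per-source counts (documentation addresses, not real traffic).
SAMPLES = {
    "192.0.2.10": [60, 80, 75, 90],      # sustained high volume
    "192.0.2.20": [60, 10, 70, 55, 20],  # bursty: never 3 in a row above 50
    "192.0.2.30": [50, 50, 50],          # exactly at the threshold of 50
    "192.0.2.40": [5, 8, 3],             # quiet host
}

if __name__ == "__main__":
    for name, t in (("manual example 50/3/5", Thresholds(50, 3, 5)),
                    ("defaults 30/1/3", Thresholds())):
        print(name, evaluate(SAMPLES, t))
```

With 50, 3, 5 only the sustained source is flagged; with the defaults of 30, 1 and 3 a single sample above 30 is enough, so the bursty host and the host sitting at 50 are flagged as well.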
Perform the following configurations in system view.
Table 6-3 Setting parameters of address learning

| Operation | Command |
|---|---|
| Set IP-record-threshold, record-times-threshold, isolate-time of system-guard function | system-guard detect-threshold IP-record-threshold record-times-threshold isolate-time |
| Restore IP-record-threshold, record-times-threshold, isolate-time to the default values | undo system-guard detect-threshold |

By default, IP-record-threshold, record-times-threshold, and isolate-time of the system-guard
function are 30, 1 and 3.

6.2.4 Enabling the Switch not to Learn the Destination IP Address

Note:
Among the S3500 Series Ethernet Switches, the S3526, S3526 FM and S3526 FS
support this configuration.

By default, the S3526, S3526 FM and S3526 FS need to learn the destination IP
address in the packets if the address does not reside in the non-directly connected network
segment. In this way, they can forward multiple times while learning once. When the
switch is enabled not to learn the destination address in the packets, it learns from the
source IP address in the response, thus protecting the hosts from virus attacks that use
destination address scanning.

Perform the following configuration in system view.

Chapter 6 System-guard Configuration
