Chapter 4 System-Guard Configuration; System-Guard Overview; Configuring The System-Guard Feature - H3C S5100-SI Series Operation Manual

Operation Manual – 802.1x and System Guard
H3C S5100-SI/EI Series Ethernet Switches

Chapter 4 System-Guard Configuration

4.1 System-Guard Overview

To implement system guard for the CPU, you must first determine whether the CPU is
under attack.
Do not conclude that the CPU is under attack merely because congestion occurs in a
queue. Instead, make the determination in one of the following ways:
- According to the number of packets processed in the CPU in a time range.
- According to the time for one hundred packets to be processed.
If the CPU is under attack, the rate of packets to be processed in the CPU in a certain
queue exceeds the threshold value. In this case, you can determine that the CPU is
under attack. By analyzing these packets, you learn the characteristics of the attack
source, and you can then adopt different filtering rules according to those
characteristics. This is how system guard is implemented.

4.2 Configuring the System-Guard Feature

Through the following configuration, you can enable the system-guard feature, set the
threshold for the number of packets at which an attack is detected, and set the length
of the isolation after an attack is detected.

4.2.1 Configuring the System-Guard Feature

Table 4-1 Configure the system-guard feature

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | |
| Enable the system-guard feature | system-guard enable | Required. By default, the system-guard feature is disabled. |
| Set the threshold for the number of packets when an attack is detected | system-guard detect-threshold threshold-value | Optional. The default threshold value is 200 packets. |
| Set the length of the isolation after an attack is detected | system-guard timer-interval isolate-timer | Optional. By default, the length of the isolation after an attack is detected is 10 minutes. |
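
The detect, analyze and isolate sequence described in 4.1 can be modelled in a few lines, using the default threshold and isolation length from Table 4-1. This is an added example, not H3C code and not the switch's actual algorithm; the one-second time range, the choice of the busiest source as the attack source, and all names (SystemGuardModel, simulate, host-a, flooder) are assumptions.

```python
from collections import Counter, deque

DETECT_THRESHOLD = 200     # page default: 200 packets
ISOLATE_SECONDS = 10 * 60  # page default: 10 minutes of isolation
WINDOW_SECONDS = 1.0       # assumption: the page does not give the time range


class SystemGuardModel:
    """Toy model of the detect -> analyze -> isolate loop (not switch firmware)."""

    def __init__(self, threshold=DETECT_THRESHOLD, isolate=ISOLATE_SECONDS,
                 window=WINDOW_SECONDS):
        self.threshold, self.isolate, self.window = threshold, isolate, window
        self.recent = deque()      # (timestamp, source) of packets sent to the CPU
        self.isolated_until = {}   # source -> time at which isolation ends

    def packet(self, ts, src):
        """Process one CPU-bound packet; return 'pass', 'drop' or 'isolate'."""
        if self.isolated_until.get(src, 0.0) > ts:
            return "drop"                      # source is still isolated
        self.recent.append((ts, src))
        while self.recent[0][0] <= ts - self.window:
            self.recent.popleft()              # keep only the current time range
        if len(self.recent) <= self.threshold:
            return "pass"
        # Threshold exceeded: analyze the packets to find the dominant source.
        top, _ = Counter(s for _, s in self.recent).most_common(1)[0]
        self.isolated_until[top] = ts + self.isolate
        self.recent = deque(p for p in self.recent if p[1] != top)
        return "isolate" if top == src else "pass"


def simulate():
    """Constructed traffic: one host at 10 pps, one flooding at 1000 pps for 2 s."""
    guard, verdicts = SystemGuardModel(), Counter()
    events = [(i / 10, "host-a") for i in range(20)]
    events += [(i / 1000, "flooder") for i in range(2000)]
    for ts, src in sorted(events):
        verdicts[(src, guard.packet(ts, src))] += 1
    return guard, verdicts
```

The model shows why a rate threshold, rather than queue congestion alone, identifies the source to filter: the low-rate host keeps passing while only the flooding source is isolated, and that source is accepted again once the isolation period ends.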
