Chapter 4 System Guard Configuration; System Guard Overview; Guard Against Ip Attacks; Guard Against Tcn Attacks - H3C S3100-52P Operation Manual

Operation Manual – 802.1x and System Guard
H3C S3100-52P Ethernet switch

Chapter 4 System Guard Configuration

When configuring System Guard, go to these sections for information you are
interested in:

System Guard Overview

Configuring System Guard

Displaying and Maintaining System Guard Configuration
4.1 System Guard Overview

4.1.1 Guard Against IP Attacks

System-guard operates to inspect the IP packets over 10-second intervals for the CPU
for suspicious source IP addresses. Once the packets from such an IP address hit the
predefined threshold, System Guard does one of the following:
The switch logs out the host (hereafter referred to as infected host) by
automatically applying an ACL rule and waits a certain period of time before
resuming forwarding packets for that host.
If the packets from the infected host need processing by the CPU, the switch
decreases the precedence of such packets and discards the packets already
delivered to the CPU.

4.1.2 Guard Against TCN Attacks

System Guard monitors the rate at which TCN/TC packets are received on the ports. If
a port receives an excessive number of TCN/TC packets within a given period of time,
the switch sends only one TCN/TC packet in every 10 seconds to the CPU and
discards the rest TCN/TC packets, while outputting trap and log information.

4.1.3 Layer 3 Error Control

With the Layer 3 error control feature enabled, the switch delivers all Layer 3 packets
that the switch considers to be error packets to the CPU.
4.2 Configuring System Guard

4.2.1 Configuring System Guard Against IP Attacks

Configuration of System Guard against IP attacks includes these tasks:
Enabling System Guard against IP attacks
Setting the maximum number of infected hosts that can be concurrently monitored
Chapter 4 System Guard Configuration
4-1