3com WX3000 Benutzerhandbuch
3-1
3
System-Guard Configuration
System-Guard Overview
At first, you must determine whether the CPU is under attack to implement system guard for the CPU.
You should not determine whether the CPU is under attack just according to whether congestion occurs
in a queue. Instead, you must do that in the following ways:
z
According to the number of packets processed in the CPU in a time range.
z
Or according to the time for one hundred packets to be processed.
If the CPU is under attack, the rate of packets to be processed in the CPU in a certain queue will exceed
the threshold value. In this case, you can determine that the CPU is under attack. Through analyzing
these packets, you get to know the characteristics of the attack source, and then you can adopt different
filtering rules according the characteristics of the attack source. Thus, system guard is implemented.
Configuring the System-Guard Feature
Through the following configuration, you can enable the system-guard feature, set the threshold for the
number of packets when an attack is detected and the length of the isolation after an attack is detected.
Configuring the System-Guard Feature
Follow these steps to configure the system-guard feature:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enable the system-guard
feature
feature
system-guard enable
Required
By default, the system-guard feature
is disabled.
is disabled.
Set the threshold for the
number of packets when
an attack is detected
number of packets when
an attack is detected
system-guard
detect-threshold
threshold-value
detect-threshold
threshold-value
Optional
The default threshold value is 200
packets.
packets.
Set the length of the
isolation after an attack is
detected
isolation after an attack is
detected
system-guard timer-interval
isolate-timer
isolate-timer
Optional
By default, the length of the isolation
after an attack is detected is 10
minutes.
after an attack is detected is 10
minutes.