4  System Guard Configuration 
System-Guard Overview 
To implement system guard for the CPU, you must first determine whether the CPU is under attack. 
Do not decide that the CPU is under attack just because congestion occurs in a queue. Instead, 
determine it in one of the following ways: 
- According to the number of packets processed by the CPU in a given time range. 
- According to the time taken to process one hundred packets. 
If the CPU is under attack, the rate of packets to be processed by the CPU in a certain queue exceeds 
the threshold value; in this case, you can determine that the CPU is under attack. By analyzing these 
packets, you learn the characteristics of the attack source and can then apply different filtering rules 
according to those characteristics. Thus, system guard is implemented. 
Configuring the System-Guard Feature 
Through the following configuration, you can enable the system-guard feature, set the threshold for the 
number of packets at which an attack is detected, and set the length of the isolation after an attack is detected. 
Configuring the System-Guard Feature 
Table 4-1 Configure the system-guard feature 

Operation                                                                 | Command                                      | Description
--------------------------------------------------------------------------|----------------------------------------------|------------------------------------------------------------------------------------------
Enter system view                                                         | system-view                                  | —
Enable the system-guard feature                                           | system-guard enable                          | Required. By default, the system-guard feature is disabled.
Set the threshold for the number of packets when an attack is detected    | system-guard detect-threshold threshold-value | Optional. The default threshold value is 200 packets.
Set the length of the isolation after an attack is detected               | system-guard timer-interval isolate-timer    | Optional. By default, the length of the isolation after an attack is detected is 10 minutes.
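The following is an added example, not code from the switch or this manual: a simplified Python model of the detection logic described in the overview and the two parameters in Table 4-1. It counts packets per queue in a time window, flags an attack when the count exceeds the detect-threshold (default 200 packets), and filters the dominant source for the isolate-timer (default 10 minutes). The one-second counting window and per-source filtering are assumptions; the page does not specify how the device counts or which filtering rule it applies.

```python
from collections import defaultdict


class SystemGuard:
    """Constructed model of system-guard: per-queue rate check plus source isolation."""

    def __init__(self, detect_threshold=200, isolate_seconds=600, window=1.0):
        self.detect_threshold = detect_threshold  # packets per window per queue (default 200)
        self.isolate_seconds = isolate_seconds    # isolation length (default 10 minutes)
        self.window = window                      # assumed counting window in seconds
        self.counts = defaultdict(lambda: defaultdict(int))  # queue -> source -> packets
        self.window_start = None
        self.isolated_until = {}                  # source -> time at which isolation ends

    def is_isolated(self, src, now):
        until = self.isolated_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.isolated_until[src]          # isolation timer expired, lift the filter
            return False
        return True

    def process(self, queue, src, now):
        """Decide one CPU-bound packet: 'dropped', 'isolated' or 'accepted'."""
        if self.is_isolated(src, now):
            return "dropped"
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start = now               # start a new counting window
            self.counts.clear()
        self.counts[queue][src] += 1
        # Rate in this queue exceeds the threshold: treat it as an attack and
        # filter the source that dominates the queue for the isolation period.
        if sum(self.counts[queue].values()) > self.detect_threshold:
            attacker = max(self.counts[queue], key=self.counts[queue].get)
            self.isolated_until[attacker] = now + self.isolate_seconds
            if attacker == src:
                return "isolated"
        return "accepted"


def run_burst(guard, src, queue, n, t0):
    """Feed n packets from src into one window (1 ms apart); return decision counts."""
    results = defaultdict(int)
    for i in range(n):
        results[guard.process(queue, src, t0 + i * 0.001)] += 1
    return dict(results)
```

With the defaults, a burst of 300 packets to one queue yields 200 accepted, the 201st triggers isolation, and the remaining 99 are dropped until the timer expires.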
 
Displaying and Maintaining System-Guard 
After the above configuration, execute the display command in any view to display the running status of 
the system-guard feature and to verify the configuration.