System-guard configuration
An attacker can congest the CPU packet queues, which buffer the packets to be submitted to the CPU, by enqueuing a large number of packets into them. As a result, normal protocol packets are dropped, and protocol errors or management interruption may occur. To avoid these problems, the switch provides an anti-attack feature named system-guard.
System-guard provides the following features to detect and prevent attacks:
• Setting rate limits for CPU packet queues
If the number of packets in a queue that are submitted to the CPU per second exceeds the specified rate limit, the switch drops the excess traffic to prevent attacks.
• Setting a rate threshold for ports
If the number of packets a port submits to the CPU per second exceeds the specified threshold, system-guard determines that the port is under attack and assigns an ACL to filter traffic based on the protocol type.
• Enabling system-guard control on a port
The system-guard assigned ACLs cannot take effect on the following types of packets:
  ○ Packets whose source or destination MAC address is the MAC address of the local switch.
  ○ GVRP, IGMP-snooping, MLD-snooping, NDP, LACP, BPDU Tunnel, OAM, DLDP, and LLDP packets.
  ○ Packets received on an 802.1X-enabled port that performs port-based access control and has no user that has passed authentication.
  ○ Packets whose source MAC addresses have failed authentication on an 802.1X-enabled port that performs MAC-based access control.
When such an attack is detected, the switch shuts down the port, provided the system-guard control function is enabled on the port.
• Setting an aging timer for system-guard
When an ACL is assigned to a port or a port is shut down after system-guard detects an attack on the port, the aging timer starts. When the aging timer expires, the switch removes the ACL or brings up the port.
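The detection, exemption and aging behaviour described above, modelled as an added Python example (not H3C code and not a feature of the switch). The 300 pps default comes from the page; the 60 s aging time, the port names, MAC addresses and packet fields are assumed, the ACL is taken to filter the protocol type that dominated the offending second, and the 802.1X exemptions are left out.

```python
from collections import Counter
from dataclasses import dataclass, field

DEFAULT_THRESHOLD_PPS = 300   # page default for system-guard detect-threshold rate-limit
ACL_EXEMPT_PROTOCOLS = {"GVRP", "IGMP-snooping", "MLD-snooping", "NDP", "LACP",
                        "BPDU-Tunnel", "OAM", "DLDP", "LLDP"}   # never filtered by the ACL

@dataclass
class Packet:
    proto: str       # protocol type, e.g. "ARP" (constructed sample field)
    src_mac: str
    dst_mac: str

@dataclass
class SystemGuard:
    local_mac: str                       # MAC address of the switch itself
    threshold_pps: int = DEFAULT_THRESHOLD_PPS
    aging_seconds: int = 60              # assumed value; the page gives no default
    control_ports: set = field(default_factory=set)   # ports with system-guard control
    acl_ports: dict = field(default_factory=dict)     # port -> (filtered proto, expiry)
    down_ports: dict = field(default_factory=dict)    # port -> (None, expiry)

    def observe_second(self, port, packets, now):
        """Feed one second of CPU-bound packets from `port`; return the action taken."""
        self.age(now)
        if len(packets) <= self.threshold_pps or port in self.acl_ports:
            return "none"
        attack_proto = Counter(p.proto for p in packets).most_common(1)[0][0]  # dominant type
        self.acl_ports[port] = (attack_proto, now + self.aging_seconds)
        if port in self.control_ports:   # control enabled: also shut the port down
            self.down_ports[port] = (None, now + self.aging_seconds)
            return "shutdown"
        return "acl"

    def is_dropped(self, port, pkt):
        """True if system-guard currently drops `pkt` arriving on `port`."""
        if port in self.down_ports:
            return True                  # a shut-down port passes nothing
        if port not in self.acl_ports:
            return False
        if self.local_mac in (pkt.src_mac, pkt.dst_mac) or pkt.proto in ACL_EXEMPT_PROTOCOLS:
            return False                 # the ACL cannot take effect on these packets
        return pkt.proto == self.acl_ports[port][0]

    def age(self, now):
        """Remove ACLs and bring ports back up once their aging timers expire."""
        for table in (self.acl_ports, self.down_ports):
            for port in [p for p, (_, exp) in table.items() if exp <= now]:
                del table[port]
```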
Configuring system-guard

To configure system-guard:

To do…                                   Use the command…                            Remarks
Enter system view                        system-view                                 —
Set a rate threshold for system-guard    system-guard detect-threshold rate-limit    Optional. By default, the rate threshold is 300 packets per second (pps).