4 System Guard Configuration
When configuring System Guard, go to these sections for information you are interested in:
• System Guard Overview
• Configuring System Guard
• Displaying and Maintaining System Guard Configuration
System Guard Overview
Guard Against IP Attacks
System Guard inspects the IP packets bound for the CPU over 10-second intervals, looking for suspicious
source IP addresses. Once the packets from such an IP address hit the predefined threshold, a switch
with System Guard enabled takes the following action: if the packets from that source IP address
need to be processed by the CPU, the switch decreases the precedence with which such packets are
delivered to the CPU.
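The inspection described above can be modelled in a few lines of Python. This is an added example, not part of the original manual and not the switch's own implementation; the threshold value, the precedence labels, the function name and the rule that counters reset at each 10-second boundary are assumptions made for illustration.

```python
from collections import Counter

WINDOW_SECONDS = 10   # inspection interval given in the text
THRESHOLD = 5         # assumed value; the page does not state the threshold


def classify_cpu_packets(packets, threshold=THRESHOLD):
    """Model the per-source inspection described above.

    packets: (timestamp_seconds, source_ip) tuples for CPU-bound packets,
    in time order. Returns (decisions, flagged): decisions is a list of
    (timestamp, source_ip, precedence); flagged maps a window index to the
    sources that hit the threshold in that window.
    Assumption: counters reset at every window boundary, so a source is
    only deprioritized for the rest of the window in which it was flagged.
    """
    counts = Counter()
    current_window = None
    decisions, flagged = [], {}
    for ts, src in packets:
        window = int(ts // WINDOW_SECONDS)
        if window != current_window:      # new 10-second interval
            counts.clear()
            current_window = window
        counts[src] += 1
        if counts[src] >= threshold:
            flagged.setdefault(window, set()).add(src)
            precedence = "lowered"        # still delivered, but after others
        else:
            precedence = "normal"
        decisions.append((ts, src, precedence))
    return decisions, flagged


# Constructed sample traffic: one noisy source and one quiet management host.
SAMPLE = [(t * 0.5, "192.0.2.66") for t in range(12)]   # 12 packets, 0 to 5.5 s
SAMPLE += [(3.0, "198.51.100.10"), (12.0, "192.0.2.66")]
SAMPLE.sort()

if __name__ == "__main__":
    decisions, flagged = classify_cpu_packets(SAMPLE)
    for ts, src, precedence in decisions:
        print(f"{ts:5.1f}s  {src:15s}  {precedence}")
    print("flagged per window:", flagged)
```

Note that packets from a flagged source are still delivered in this model, only at lower precedence, which matches the text: the feature protects CPU scheduling and does not drop the traffic.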
Guard Against TCN Attacks
System Guard monitors the rate at which TCN/TC packets are received on the ports. If a port receives
an excessive number of TCN/TC packets within a given period of time, the switch sends only one
TCN/TC packet every 10 seconds to the CPU and discards the remaining TCN/TC packets, while outputting
trap and log information.
Layer 3 Error Control
With the Layer 3 error control feature enabled, the switch delivers all Layer 3 packets that the switch
considers to be error packets to the CPU.
Configuring System Guard
Configuring System Guard Against IP Attacks
Configuration of System Guard against IP attacks includes these tasks:
• Enabling System Guard against IP attacks
• Setting the maximum number of infected hosts that can be concurrently monitored
• Configuring parameters related to MAC address learning
Follow these steps to configure System Guard against IP attacks:
To do...                                 | Use the command...       | Remarks
Enter system view                        | system-view              | —
Enable System Guard against IP attacks   | system-guard ip enable   | Required. Disabled by default.