System Guard Configuration

System-Guard Overview

To implement system guard for the CPU, you must first determine whether the CPU is under attack. Do not make this determination solely on whether congestion occurs in a queue. Instead, use one of the following criteria:

- The number of packets processed by the CPU in a time range.
- The time taken for one hundred packets to be processed.

If the CPU is under attack, the rate of packets to be processed by the CPU in a certain queue exceeds the threshold value, and you can conclude that the CPU is under attack. By analyzing these packets, you learn the characteristics of the attack source and can then apply different filtering rules according to those characteristics. This is how system guard is implemented.

Configuring the System-Guard Feature

Through the following configuration, you can enable the system-guard feature, set the threshold for the number of packets at which an attack is detected, and set the length of the isolation after an attack is detected.

Table 4-1 Configure the system-guard feature

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable the system-guard feature | system-guard enable | Required. By default, the system-guard feature is disabled. |
| Set the threshold for the number of packets when an attack is detected | system-guard detect-threshold threshold-value | Optional. The default threshold value is 200 packets. |
| Set the length of the isolation after an attack is detected | system-guard timer-interval isolate-timer | Optional. By default, the length of the isolation after an attack is detected is 10 minutes. |

Displaying and Maintaining System-Guard

After completing the above configuration, execute the display command in any view to display the running status of the system-guard feature and to verify the configuration.
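The detection logic described in the System-Guard Overview can be modelled as follows. This is an added illustration, not the switch's implementation or code from the manual: the class and function names, the 1-second measuring window, the choice to isolate the dominant source, and the sample addresses are assumptions, while the 200-packet threshold and 10-minute isolation are the defaults from Table 4-1.

```python
from collections import Counter, deque

DETECT_THRESHOLD = 200   # page default for system-guard detect-threshold (packets)
ISOLATE_MINUTES = 10     # page default for system-guard timer-interval (minutes)
WINDOW_SECONDS = 1.0     # ASSUMPTION: the page does not state the measuring window

class SystemGuardModel:
    """Toy model: rate-based CPU attack detection followed by timed isolation."""

    def __init__(self, threshold=DETECT_THRESHOLD, isolate_minutes=ISOLATE_MINUTES):
        self.threshold = threshold
        self.isolate_seconds = isolate_minutes * 60
        self.recent = deque()   # (time, source) of packets handed to the CPU
        self.isolated = {}      # source -> time at which its isolation ends

    def packet(self, now, source):
        """Return 'dropped', 'isolated' (attack detected on this packet) or 'cpu'."""
        if self.isolated.get(source, 0) > now:
            return "dropped"                      # filter rule still active
        self.isolated.pop(source, None)           # isolation expired, if any
        self.recent.append((now, source))
        while self.recent[0][0] <= now - WINDOW_SECONDS:
            self.recent.popleft()                 # keep only the current window
        if len(self.recent) <= self.threshold:
            return "cpu"
        # Criterion 1 met: more than `threshold` packets in the window.
        # Characterise the attack by its dominant source and isolate that source.
        top = Counter(s for _, s in self.recent).most_common(1)[0][0]
        self.isolated[top] = now + self.isolate_seconds
        self.recent = deque(p for p in self.recent if p[1] != top)
        return "isolated" if top == source else "cpu"

    def time_for_100(self):
        """Criterion 2: seconds spanned by the latest 100 packets (None if fewer)."""
        if len(self.recent) < 100:
            return None
        return self.recent[-1][0] - self.recent[-100][0]

def simulate():
    """Constructed traffic: one host at 1000 pps for 1 s, another at 10 pps."""
    guard, seen = SystemGuardModel(), Counter()
    for i in range(1000):
        t = i / 1000
        seen["flood", guard.packet(t, "192.0.2.66")] += 1
        if i % 100 == 0:
            seen["normal", guard.packet(t, "192.0.2.5")] += 1
    return guard, seen

if __name__ == "__main__":
    print(dict(simulate()[1]))
```

In the constructed run, the flooding source is isolated once the window holds more than 200 packets, while the low-rate host keeps reaching the CPU throughout.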