3-13 System-Guard ConfigurationSystem-Guard OverviewAt first, you must determine whether the CPU is under attack to implement system guard for the CPU.You should not determine whether the CPU is under attack just according to whether congestion occursin a queue. Instead, you must do that in the following ways:z According to the number of packets processed in the CPU in a time range.z Or according to the time for one hundred packets to be processed.If the CPU is under attack, the rate of packets to be processed in the CPU in a certain queue will exceedthe threshold value. In this case, you can determine that the CPU is under attack. Through analyzingthese packets, you get to know the characteristics of the attack source, and then you can adopt differentfiltering rules according the characteristics of the attack source. Thus, system guard is implemented.Configuring the System-Guard FeatureThrough the following configuration, you can enable the system-guard feature, set the threshold for thenumber of packets when an attack is detected and the length of the isolation after an attack is detected.Configuring the System-Guard FeatureFollow these steps to configure the system-guard feature:To do… Use the command… RemarksEnter system view system-view —Enable the system-guardfeature system-guard enableRequiredBy default, the system-guard featureis disabled.Set the threshold for thenumber of packets whenan attack is detectedsystem-guarddetect-thresholdthreshold-valueOptionalThe default threshold value is 200packets.Set the length of theisolation after an attack isdetectedsystem-guard timer-intervalisolate-timerOptionalBy default, the length of the isolationafter an attack is detected is 10minutes.
