H3C S3600 Series Ethernet Switches System Guard Feature Manual(V1.01)


Chapter 1  System Guard Configuration

1.1  System Guard Overview

1.1.1  Guard Against IP Attacks

The System Guard feature monitors the IP packets delivered to the CPU over each 10-second monitoring cycle, identifies the source IP addresses of packets that show attack characteristics within that cycle, and counts these packets. Once the packets from a source IP address reach the preset threshold, System Guard takes the corresponding control measure:

l           When a source IP address characterized by an attack is detected, the switch isolates the host corresponding to that source IP address (hereafter referred to as the infected host) by automatically applying an ACL, and waits a certain period of time before it resumes forwarding packets from that host.

l           When a source IP address characterized by an attack is detected and the packets from the infected host need processing by the CPU, the switch lowers the precedence of such packets and discards the packets already delivered to the CPU.

1.1.2  Guard Against TCN Attacks

System Guard monitors the rate at which TCN/TC packets are received on each port. If a port receives an excessive number of TCN/TC packets within a given period of time, the switch delivers only one TCN/TC packet from that port to the CPU every 10 seconds, discards the remaining TCN/TC packets, and outputs trap and log information.

1.1.3  Layer 3 Error Control

With the Layer 3 error control feature enabled, the switch directly discards all Layer 3 packets that it considers to be error packets (including IP packets carrying the Options field) instead of delivering them to the CPU. With the feature disabled, all such packets are delivered to the CPU for further processing.

1.2  Configuring System Guard

1.2.1  Configuring System Guard Against IP Attacks

Configuration of System Guard against IP attacks includes these tasks:

l           Enabling System Guard against IP attacks

l           Setting the maximum number of infected hosts that can be concurrently monitored

l           Setting the address learning threshold, the hit-count threshold, and the isolation time (in multiples of the MAC address aging time)

Table 1-1 Configure System Guard against IP attacks

Operation: Enter system view
  Command: system-view

Operation: Enable System Guard against IP attacks
  Command: system-guard ip enable
  Remarks: Required. Disabled by default.

Operation: Set the maximum number of infected hosts that can be concurrently monitored
  Command: system-guard ip detect-maxnum number
  Remarks: Optional. 30 by default.

Operation: Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit before an action is taken, and the address isolation time (expressed as a multiple of the MAC address aging time)
  Command: system-guard ip detect-threshold ip-record-threshold record-times-threshold isolate-time
  Remarks: Optional. 30, 1, and 3 respectively by default.

 

&  Note:

The correlations among the arguments of the system-guard ip detect-threshold command can be described with this example: if you set ip-record-threshold, record-times-threshold and isolate-time to 50, 3 and 5 respectively, then when the system detects in three successive 10-second cycles that more than 50 IP packets (destined for addresses other than the IP addresses of the switch) from one source IP address are received within a cycle, the system considers itself under attack. It singles out that source IP address and waits a period of 5 times the MAC address aging time before learning the destination IP address(es) of packets from that source IP address again. With the defaults of 30, 1 and 3, a single cycle with more than 30 such packets from one source IP address triggers isolation for 3 times the MAC address aging time.
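The following Python model replays the three detect-threshold arguments against constructed traffic so the interaction between the per-cycle packet count, the number of successive hits and the isolation period can be seen end to end. It is an added example, not H3C code, and it does not reproduce the switch's internal implementation: the exact cycle boundaries, the assumed MAC address aging time of 300 seconds, the host addresses and the traffic volumes are all assumptions made for the illustration.

```python
from collections import defaultdict

CYCLE_SECONDS = 10  # System Guard monitoring cycle length stated in the manual


class SystemGuardIP:
    """Stateful model of the 'system-guard ip detect-threshold' behaviour."""

    def __init__(self, ip_record_threshold=30, record_times_threshold=1,
                 isolate_time=3, mac_aging_seconds=300, switch_ips=()):
        self.ip_record_threshold = ip_record_threshold        # packets per source per cycle
        self.record_times_threshold = record_times_threshold  # successive cycles over threshold
        self.isolate_time = isolate_time                      # multiples of MAC aging time
        self.mac_aging_seconds = mac_aging_seconds            # assumed; use the switch's real value
        self.switch_ips = frozenset(switch_ips)               # traffic to these is not counted
        self.consecutive_hits = defaultdict(int)              # src -> cycles over threshold in a row
        self.isolated_until = {}                              # src -> time the isolation ends

    def is_isolated(self, src, now):
        return self.isolated_until.get(src, 0) > now

    def process_cycle(self, cycle_start, packets):
        """Count one 10-second cycle of (src, dst) packets delivered to the CPU.
        Returns the set of source IPs newly isolated in this cycle."""
        counts = defaultdict(int)
        for src, dst in packets:
            if dst in self.switch_ips or self.is_isolated(src, cycle_start):
                continue  # own-address traffic is not counted; isolated hosts are ACL-dropped
            counts[src] += 1

        isolated_now = set()
        for src in set(counts) | set(self.consecutive_hits):
            if counts.get(src, 0) > self.ip_record_threshold:
                self.consecutive_hits[src] += 1
            else:
                self.consecutive_hits[src] = 0  # hits must be in successive cycles
            if self.consecutive_hits[src] >= self.record_times_threshold:
                isolation = self.isolate_time * self.mac_aging_seconds
                self.isolated_until[src] = cycle_start + CYCLE_SECONDS + isolation
                self.consecutive_hits[src] = 0
                isolated_now.add(src)
        return isolated_now


def constructed_cycle(src, n_packets):
    """Constructed traffic: n_packets from src, each to a different destination."""
    return [(src, f"192.0.2.{i % 250 + 1}") for i in range(n_packets)]


def run_example():
    """Replays the manual's example thresholds (50 3 5) against two constructed hosts."""
    guard = SystemGuardIP(ip_record_threshold=50, record_times_threshold=3,
                          isolate_time=5, mac_aging_seconds=300, switch_ips={"10.0.0.1"})
    scanner, client = "10.0.0.99", "10.0.0.5"
    timeline = []
    for cycle in range(4):
        start = cycle * CYCLE_SECONDS
        packets = (constructed_cycle(scanner, 60)       # above threshold every cycle
                   + constructed_cycle(client, 20)      # normal host stays below threshold
                   + [(client, "10.0.0.1")] * 100)      # management traffic to the switch: not counted
        timeline.append((start, sorted(guard.process_cycle(start, packets))))
    return timeline, guard.isolated_until


if __name__ == "__main__":
    print(run_example())  # scanner isolated in the third cycle (start 20) until t=1530
```

The scanner is only isolated in the third consecutive cycle over the threshold, and a single quiet cycle resets its streak; the client's 100 packets addressed to the switch itself never count toward its total.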

 

1.2.2  Configuring System Guard Against TCN Attacks

Configuration of System Guard against TCN attacks includes these tasks:

l           Enabling System Guard against TCN attacks

l           Setting the threshold of TCN/TC packet receiving rate

Table 1-2 Configure System Guard against TCN attacks

Operation: Enter system view
  Command: system-view

Operation: Enable System Guard against TCN attacks
  Command: system-guard tcn enable
  Remarks: Required. Disabled by default.

Operation: Set the threshold of the TCN/TC packet receiving rate
  Command: system-guard tcn rate-threshold rate-threshold
  Remarks: Optional. 1 pps by default.

 

&  Note:

As the system monitoring cycle is 10 seconds, the system sends trap and log information, by default, if more than 10 TCN/TC packets are received within 10 seconds. If the TCN/TC packet receiving rate is lower than the set threshold within a 10-second monitoring cycle, the system will not send trap or log information in the next 10-second monitoring cycle.
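The following Python model shows how the pps threshold translates into a per-cycle packet count and what reaches the CPU once a port exceeds it. It is an added example, not H3C code; the port names, timestamps and packet counts are constructed, and the assumption that suppression applies within the offending cycle itself (rather than from the next cycle) is a simplification of the behaviour the manual describes.

```python
from collections import defaultdict

CYCLE_SECONDS = 10  # System Guard monitoring cycle from the manual


class SystemGuardTCN:
    """Model of 'system-guard tcn rate-threshold' as the manual describes it."""

    def __init__(self, rate_threshold=1):
        self.rate_threshold = rate_threshold                    # pps, default 1, range 1-20
        self.per_cycle_limit = rate_threshold * CYCLE_SECONDS   # 1 pps -> 10 packets per cycle

    def process(self, events):
        """events: (timestamp_seconds, port) for each TCN/TC BPDU received.
        Returns (delivered, logs): BPDUs passed to the CPU and the trap/log lines raised."""
        buckets = defaultdict(list)
        for ts, port in sorted(events):
            buckets[(int(ts // CYCLE_SECONDS), port)].append(ts)
        delivered, logs = [], []
        for (cycle, port), stamps in sorted(buckets.items()):
            if len(stamps) > self.per_cycle_limit:
                # Assumption: only the first BPDU of the offending cycle reaches the CPU.
                logs.append(f"cycle {cycle}: port {port} received {len(stamps)} TCN/TC packets "
                            f"(limit {self.per_cycle_limit}); 1 delivered, {len(stamps) - 1} dropped")
                delivered.append((stamps[0], port))
            else:
                delivered.extend((ts, port) for ts in stamps)
        return delivered, logs


def run_example(rate_threshold=1):
    """Constructed sample: an access port floods 25 TCNs in one cycle while an
    uplink sees a handful of legitimate topology changes across two cycles."""
    events = [(0.2 * i, "Ethernet1/0/5") for i in range(25)]          # 25 in cycle 0
    events += [(1.0, "Ethernet1/0/1"), (4.0, "Ethernet1/0/1"),          # 2 in cycle 0
               (11.0, "Ethernet1/0/1"), (12.5, "Ethernet1/0/1"),        # 3 in cycle 1
               (15.0, "Ethernet1/0/1")]
    return SystemGuardTCN(rate_threshold).process(events)


if __name__ == "__main__":
    delivered, logs = run_example()
    print(len(delivered), "BPDUs delivered;", *logs, sep="\n")
```

With the default threshold the flooding port is reported once and contributes a single BPDU to the CPU, so the MAC and ARP tables are not flushed 25 times; raising the threshold to 3 pps (30 per cycle) lets the same burst through untouched, which is the trade-off to weigh before relaxing the default.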

 

1.2.3  Enabling Layer 3 Error Control

With the following command, you can enable the Layer 3 error control feature.

Table 1-3 Enable Layer 3 error control

Operation: Enter system view
  Command: system-view

Operation: Enable Layer 3 error control
  Command: system-guard l3err enable
  Remarks: Required. Enabled by default.

 

1.3  Displaying and Maintaining System Guard

After the above configuration, you can use the display commands in any view to view the running status of System Guard and verify your configuration.

Table 1-4 Display and maintain System Guard

Operation: Display the monitoring result and parameter settings of System Guard against IP attacks
  Command: display system-guard ip state
  Remarks: The display commands can be executed in any view

Operation: Display the information about IP packets received by the CPU of the switch
  Command: display system-guard ip-record

Operation: Display the status of Layer 3 error control
  Command: display system-guard l3err state

Operation: Display the status of TCN System Guard
  Command: display system-guard tcn state
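Verifying the configuration by eye on a handful of switches is fine; across a fleet it is worth parsing the display output and diffing it against a baseline. The following Python script does that for the three display commands above. It is an added example, not H3C code: the field labels follow the sample output in this manual, the baseline values in EXPECTED are an assumed policy (the manual's own example values 50/3/5 plus detect-maxnum 50), the sample outputs are constructed, and the assumption that isolated source IPs are printed on the lines after "Disable destination IP address learning ..." is not confirmed by the manual, whose sample shows that list empty.

```python
import re

# Assumed baseline for this deployment (not from the manual).
EXPECTED = {
    "ip_running": True,
    "ip_record_threshold": 50,
    "deny_threshold": 3,        # record-times-threshold
    "isolate_multiple": 5,      # isolate-time, in multiples of MAC aging time
    "detect_maxnum": 50,
    "l3err": "enabled",
    "tcn": "enabled",
}

FIELDS = {  # field labels as printed by 'display system-guard ip state'
    "ip_record_threshold": r"IP-record threshold:\s*(\d+)",
    "deny_threshold": r"Deny threshold:\s*(\d+)",
    "isolate_multiple": r"Isolated times of aging time:\s*(\d+)",
    "detect_maxnum": r"Number of suspicious hosts that can be detected:\s*(\d+)",
    "suspicious_detected": r"Number of suspicious hosts detected:\s*(\d+)",
}


def parse_ip_state(text):
    """Parse 'display system-guard ip state' output into a dict of settings."""
    state = {"ip_running": "is running" in text}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m:
            state[key] = int(m.group(1))
    # Assumption: isolated source IPs follow the "Disable destination IP address learning" line.
    tail = text.split("Disable destination IP address learning", 1)[-1]
    state["isolated_sources"] = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", tail)
    return state


def parse_feature_state(text):
    """Parse 'display system-guard l3err state' or 'tcn state' to enabled/disabled."""
    m = re.search(r"(?:status|state):\s*(enabled|disabled)", text)
    return m.group(1) if m else None


def audit(ip_state_text, l3err_text, tcn_text, expected=EXPECTED):
    """Compare parsed switch output with the baseline; returns a list of findings."""
    actual = parse_ip_state(ip_state_text)
    actual["l3err"] = parse_feature_state(l3err_text)
    actual["tcn"] = parse_feature_state(tcn_text)
    findings = [f"{key}: expected {want!r}, got {actual.get(key)!r}"
                for key, want in expected.items() if actual.get(key) != want]
    if actual["isolated_sources"]:  # not a misconfiguration, but worth an incident ticket
        findings.append("hosts currently isolated: " + ", ".join(actual["isolated_sources"]))
    return findings


# Constructed sample output modelled on the manual's examples: factory defaults with
# one host isolated (SAMPLE_IP_STATE) and a switch that matches EXPECTED (COMPLIANT_IP_STATE).
SAMPLE_IP_STATE = """System-guard IP is running!
IP-record threshold: 30
Deny threshold: 1
Isolated times of aging time: 3
Number of suspicious hosts that can be detected: 30
Number of suspicious hosts detected: 1
Disable destination IP address learning from all ip address in the list
10.0.0.99
"""
COMPLIANT_IP_STATE = """System-guard IP is running!
IP-record threshold: 50
Deny threshold: 3
Isolated times of aging time: 5
Number of suspicious hosts that can be detected: 50
Number of suspicious hosts detected: 0
Disable destination IP address learning from all ip address in the list
"""
SAMPLE_L3ERR = "System-guard l3err status:  enabled"
SAMPLE_TCN = "System-guard TCN state:  disabled"

if __name__ == "__main__":
    for line in audit(SAMPLE_IP_STATE, SAMPLE_L3ERR, SAMPLE_TCN) or ["compliant"]:
        print(line)
```

Feed the script the text captured from each switch (for example over an SSH session with logging enabled) and treat any non-empty result as a finding: four threshold deviations and a disabled TCN guard in the first sample, nothing in the compliant one.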

 


Chapter 2  System Guard Configuration Commands

2.1  System Guard Configuration Commands

2.1.1  display system-guard ip state

Syntax

display system-guard ip state

View

Any view

Parameter

None

Description

Use the display system-guard ip state command to view the monitoring result and parameter settings of System Guard against IP attacks.

Example

# View the monitoring result and parameter settings of System Guard against IP attacks.

<H3C> display system-guard ip state

System-guard IP is running!

IP-record threshold: 30

Deny threshold: 1

Isolated times of aging time: 3

Number of suspicious hosts that can be detected: 30

Number of suspicious hosts detected: 0

Disable destination IP address learning from all ip address in the list

Table 2-1 Description on the fields of the display system-guard ip state command

Field: System-guard IP is running
  Description: System Guard against IP attacks is running

Field: IP-record threshold
  Description: Threshold of the number of IP addresses that can be learnt within 10 seconds (ip-record-threshold)

Field: Deny threshold
  Description: The maximum number of times an address can be hit before an action is taken (record-times-threshold)

Field: Isolated times of aging time
  Description: Isolation time, as a multiple of the MAC address aging time (isolate-time)

Field: Number of suspicious hosts that can be detected
  Description: The maximum number of hosts that can be monitored concurrently (detect-maxnum)

Field: Number of suspicious hosts detected
  Description: The number of infected hosts currently detected

Field: Disable destination IP address learning from all ip address in the list
  Description: Destination address learning is disabled for the source IP addresses listed below

 

2.1.2  display system-guard l3err state

Syntax

display system-guard l3err state

View

Any view

Parameter

None

Description

Use the display system-guard l3err state command to view the status of Layer 3 error control.

Example                                                         

# View the status of Layer 3 error control.

<H3C> display system-guard l3err state

System-guard l3err status:  enabled  

2.1.3  display system-guard tcn state

Syntax

display system-guard tcn state

View

Any view

Parameter

None

Description

Use the display system-guard tcn state command to view the status of TCN System Guard.

Example                                                         

# View the status of TCN System Guard.

<H3C> display system-guard tcn state

System-guard TCN state:  enabled  

2.1.4  display system-guard ip-record

Syntax

display system-guard ip-record

View

Any view

Parameter

None

Description

Use the display system-guard ip-record command to view the information about IP packets received by the CPU of the switch in the current monitoring cycle.

Example

# View the information about IP packets received by the CPU of the switch in the current monitoring cycle.

<H3C> display system-guard ip-record

'M':  Master port of link aggregation

Index     Source IP     Destination IP   Port

--------------------------------------------------

   1   000.000.000.000  000.000.000.000  0/0/0

   2   000.000.000.000  000.000.000.000  0/0/0

   3   000.000.000.000  000.000.000.000  0/0/0

   4   000.000.000.000  000.000.000.000  0/0/0

   5   000.000.000.000  000.000.000.000  0/0/0

……

Table 2-2 Description on the fields of the display system-guard ip-record command

Field: Index
  Description: Index of the record

Field: Source IP
  Description: Source IP address

Field: Destination IP
  Description: Destination IP address

Field: Port
  Description: Incoming port

 

2.1.5  system-guard ip detect-maxnum

Syntax

system-guard ip detect-maxnum number

undo system-guard ip detect-maxnum

View

System view

Parameter

number: Maximum number of hosts that can be monitored, in the range of 1 to 100.

Description

Use the system-guard ip detect-maxnum command to set the maximum number of infected hosts that can be monitored concurrently.

Use the undo system-guard ip detect-maxnum command to restore the maximum number of infected hosts that can be monitored to the default setting.

By default, System Guard can monitor a maximum of 30 infected hosts.

Example

# Set the maximum number of infected hosts that can be concurrently monitored to 50.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] system-guard ip detect-maxnum 50

2.1.6  system-guard ip detect-threshold

Syntax

system-guard ip detect-threshold ip-record-threshold record-times-threshold isolate-time

undo system-guard ip detect-threshold

View

System view

Parameter

ip-record-threshold: Maximum number of IP addresses that can be learnt within a 10-second cycle, in the range of 1 to 100.

record-times-threshold: Maximum number of times an IP address can be hit before an action is taken, in the range of 1 to 10.

isolate-time: Isolation time. After System Guard takes action against a suspected source IP address, the system waits isolate-time before it learns the destination address(es) for that source IP address again. The effective range of isolate-time is 3 to 100, expressed as a multiple of the MAC address aging time.

Description

Use the system-guard ip detect-threshold command to set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit and the address isolation time.

Use the undo system-guard ip detect-threshold command to set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit and the address isolation time to the default settings.

By default, ip-record-threshold, record-times-threshold and isolate-time are set to 30, 1 and 3 respectively.

 

&  Note:

The correlations among the arguments of the system-guard ip detect-threshold command can be described with this example: if you set ip-record-threshold, record-times-threshold and isolate-time to 50, 3 and 5 respectively, then when the system detects in three successive 10-second cycles that more than 50 IP packets (destined for addresses other than the IP addresses of the switch) from one source IP address are received within a cycle, the system considers itself under attack. It singles out that source IP address and waits a period of 5 times the MAC address aging time before learning the destination IP address(es) of packets from that source IP address again. With the defaults of 30, 1 and 3, a single cycle with more than 30 such packets from one source IP address triggers isolation for 3 times the MAC address aging time.

 

Example

# Set the maximum number of addresses that the system can learn to 50, set the maximum number of times an address can be hit to 3, and set the address isolation time to 5 times the MAC address aging time.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] system-guard ip detect-threshold 50 3 5

2.1.7  system-guard ip enable

Syntax

system-guard ip enable

undo system-guard ip enable

View

System view

Parameter

None

Description

Use the system-guard ip enable command to enable System Guard against IP attacks.

Use the undo system-guard ip enable command to disable System Guard against IP attacks.

By default, System Guard against IP attacks is disabled.

The System Guard feature monitors the IP packets delivered to the CPU over each 10-second monitoring cycle, identifies the source IP addresses of packets that show attack characteristics within that cycle, and counts these packets. Once the packets from such a source IP address reach the preset threshold, System Guard takes the corresponding control measure:

l           When a source IP address characterized by an attack is detected, the switch isolates the host corresponding to that source IP address (hereafter referred to as the infected host) by automatically applying an ACL, and waits a certain period of time before it resumes forwarding packets from that host.

l           When a source IP address characterized by an attack is detected and the packets from the infected host need processing by the CPU, the switch lowers the precedence of such packets and discards the packets already delivered to the CPU.

Example

# Enable System Guard against IP attacks.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] system-guard ip enable

2.1.8  system-guard l3err enable

Syntax

system-guard l3err enable

undo system-guard l3err enable

View

System view

Parameter

None

Description

Use the system-guard l3err enable command to enable Layer 3 error control.

Use the undo system-guard l3err enable command to disable Layer 3 error control.

By default, this feature is enabled.

The Layer 3 error control feature determines how the switch disposes of Layer 3 packets which it considers to be error packets:

With the Layer 3 error control feature disabled, the switch delivers all Layer 3 packets which it considers to be error packets (including IP packets carrying the Options field) to the CPU for further processing;

With the Layer 3 error control feature enabled, the switch directly discards all such packets without delivering them to the CPU.

 

&  Note:

In normal situations, we recommend that you keep this feature enabled. The switch cannot forward error packets or IP packets with the Options field set, so delivering all of them to the CPU only burdens the CPU and degrades its normal operation.

 

Example

# Enable Layer 3 error control.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] system-guard l3err enable

2.1.9  system-guard tcn enable

Syntax

system-guard tcn enable

undo system-guard tcn enable

View

System view

Parameter

None

Description

Use the system-guard tcn enable command to enable System Guard against TCN attacks.

Use the undo system-guard tcn enable command to disable System Guard against TCN attacks.

With this feature enabled, System Guard monitors the TCN/TC packet receiving rate on the ports. If the rate exceeds the preset threshold, the system outputs trap and log information to notify the user and starts delivering only one TCN/TC packet to the CPU per 10-second cycle. This prevents MAC and ARP entries from being frequently deleted by STP or RSTP; in addition, when the TCN/TC packet rate exceeds the preset threshold, proper measures can be taken based on the output trap and log information.

By default, this feature is disabled.

Example

# Enable System Guard against TCN attacks.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] system-guard tcn enable

2.1.10  system-guard tcn rate-threshold

Syntax

system-guard tcn rate-threshold rate-threshold

undo system-guard tcn rate-threshold

View

System view

Parameter

rate-threshold: TCN/TC packet receiving rate in packets per second (pps), with an effective range of 1 to 20.

Description

Use the system-guard tcn rate-threshold command to set the threshold of TCN/TC packet receiving rate, which will trigger the output of trap and log information.

Use the undo system-guard tcn rate-threshold command to restore the default threshold of TCN/TC packet receiving rate.

By default, the threshold of the TCN/TC packet receiving rate is 1 pps.

As the system monitoring cycle is 10 seconds, the system sends trap or log information, by default, if more than 10 TCN/TC packets are received within 10 seconds.

 

&  Note:

If the TCN/TC packet receiving rate is lower than the set threshold within a 10-second monitoring cycle, the system will not send trap or log information in the next 10-second monitoring cycle.

 

Example

# Set the threshold of the TCN/TC packet receiving rate to 20 pps.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] system-guard tcn rate-threshold 20

 
