Ruijie RG-S2900G-E Series - Page 680

Ruijie RG-S2900G-E Series
943 pages
Configuration Guide NFPP Configuration
NFPP Configuration
NFPP Overview
NFPP is the abbreviation of Network Foundation Protection Policy.
NFPP Function
NFPP Principle
NFPP Function
Some malicious attacks in the network place an excessive load on the switch.
When the packet traffic bandwidth or the packet percentage exceeds the limit,
the CPU becomes over-utilized and the switch operates abnormally.
A DoS attack can consume a large amount of switch memory, table entries and
other resources, causing system services to fail.
A large volume of packet traffic uses up the CPU bandwidth, so the CPU fails
to handle protocol packets and management packets. This affects data
forwarding, device management by the administrator, and the normal running of
the device and the network.
With NFPP enabled, the system is protected from these attacks, which reduces
the CPU load and ensures normal, stable operation of the various system
services and the whole network.
NFPP Principle
As shown in Figure-1, NFPP datagram processing consists of hardware
filtering, CPU Protect Policy (CPP), packet attack detection/rate-limit,
Protocol/Manage/Route flow classification, focus rate-limit, and ultimately
application-layer handling.
1. CPU Protect Policy (CPP)
The CPP classification and rate-limit configuration classifies datagrams sent
to the CPU according to the CPP service classification principle and also
limits the packet transmission rate. This prevents different packet types from
competing for bandwidth, and solves the problem that a large attack flow of
one packet type keeps other packets from being handled in time. For example,
on an NFPP-enabled device that receives both OSPF and BPDU packets, OSPF
packets consuming a large amount of the CPU bandwidth do not affect the
reception of BPDU packets, and vice versa.
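
The isolation described above, modelled as an added example that is not taken from the Ruijie manual or firmware: a single shared limiter is compared with one token bucket per packet class over constructed traffic. The rates, burst sizes and all function names are assumptions chosen for illustration.

```python
# Added illustration: a model of per-class CPU rate limiting, not Ruijie's implementation.
# Class names follow the manual's OSPF/BPDU example; every rate below is a constructed value.
from collections import Counter

COST = 1_000_000  # one packet costs 1e6 micro-tokens; integer math keeps results exact

class TokenBucket:
    """Admit at most `pps` packets per second, with `burst` packets of headroom."""
    def __init__(self, pps, burst):
        self.pps, self.cap = pps, burst * COST
        self.tokens, self.last_us = self.cap, 0

    def admit(self, now_us):
        # 1 us at `pps` packets/s earns `pps` micro-tokens; refill is capped at the burst.
        self.tokens = min(self.cap, self.tokens + (now_us - self.last_us) * self.pps)
        self.last_us = now_us
        if self.tokens >= COST:
            self.tokens -= COST
            return True
        return False

def constructed_traffic(seconds=5):
    """Constructed input: OSPF flood at 10,000 pps plus one BPDU every 0.5 s."""
    pkts = [(i * 100, "ospf") for i in range(seconds * 10_000)]
    pkts += [(250_050 + i * 500_000, "bpdu") for i in range(seconds * 2)]
    return sorted(pkts)  # (timestamp in microseconds, class)

def shared_limit(pkts, pps=1000, burst=100):
    """One limiter for all CPU-bound packets: classes compete for the same tokens."""
    bucket, delivered = TokenBucket(pps, burst), Counter()
    for ts, cls in pkts:
        if bucket.admit(ts):
            delivered[cls] += 1
    return delivered

def per_class_limit(pkts, limits):
    """CPP-style: classify first, then rate-limit each class with its own bucket."""
    buckets = {cls: TokenBucket(pps, burst) for cls, (pps, burst) in limits.items()}
    delivered = Counter()
    for ts, cls in pkts:
        if buckets[cls].admit(ts):
            delivered[cls] += 1
    return delivered

if __name__ == "__main__":
    pkts = constructed_traffic()
    print("shared   :", dict(shared_limit(pkts)))
    print("per-class:", dict(per_class_limit(pkts, {"ospf": (500, 50), "bpdu": (100, 10)})))
```

With the shared limiter the flood takes every token as soon as it is refilled and no BPDU reaches the CPU; with one bucket per class all ten BPDUs are delivered while OSPF is held to its own limit.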