Configuration Guide NFPP Configuration
the anti-attack policy uses the hardware filter in order to make sure that the
attack packets will not be sent to the CPU and ensure the normal device
operation.
After detecting an attack, NFPP sends the warning messages to
the administrator. However, to avoid the frequent displaying of the
warning messages, the warning messages will not be shown
again within the continuous 60s after the sending.
Frequently print the syslog consumes the CPU resources, to this
end, NFPP writes the syslog on the attack detection to the buffer
area and specifies the print rate. No rate-limit is configured for the
TRAP message.
Protocol/Manage/Route flow classification
As shown in the Table-1, the packet types are divided into Manage、Route and
Protocol packet. Each packet type owns the independent bandwidth. The
bandwidth between the different types cannot be shared and the packet flow
exceeding the bandwidth threshold will be discarded. The packet flow
classification ensures that the set packet type on the device takes the
precedence over other types of packet. The administrator can flexibly allocate
the bandwidth of the three types of the packet according to the actual network
environment and make sure that the protocol and manage packets takes the
precendence of being handled for the purpose of normal protocol running and
the administrator management, thereby safeguarding the normal operation of
each important function on the device and improving the anti-attack capability.
Table-1
Service Type defined in the CPP
tp-guard, dot1x, rldp, rerp, slow-packet, bpdu,
isis dhcps, gvrp, ripng, dvmrp, igmp, mpls,
ospf, pim, pimv6, rip, vrrp, ospf3,
dhcp-relay-s, dhcp-relay-c, option82,
tunnel-bpdu, tunnel-gvrp
unknown-ipmc, unknown-ipmcv6, ttl1, ttl0,
udp-helper, ip4-packet-other,
ip6-packet-other, non-ip-packet-other, arp
ip4-packet-local, ip6-packet-local
3. Focus rate-limit
After the classification rate-limit, focus on all the flow classification in a queue.If
the process rate of one type of the packets is low, the corresponding packets
will accumulate in the queue, and consume the queue resources ultimately. The
To Next Page
Loading...
