D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12 NFPP Configuration
12.1 NFPP Overview
NFPP stands for Network Foundation Protection Policy.
- NFPP Function
- NFPP Principle
12.1.1 NFPP Function
Some malicious attacks on the network place an excessive load on the switch. When the packet
traffic bandwidth or the packet percentage exceeds the limit, the result is CPU over-utilization
and abnormal operation of the switch.
A DoS attack may consume a large amount of switch memory, entries and other resources,
resulting in system service failure.
A large volume of packet traffic uses up the CPU bandwidth, so the CPU fails to handle
protocol packets and management packets. This affects data forwarding, device management
by the administrator, and the normal running of the device and network.
With NFPP enabled, the system is protected against such attacks: the CPU load is relieved,
and the various system services and the whole network keep operating normally and stably.
12.1.2 NFPP Principle
As shown in Figure-1, NFPP processes a datagram in the following stages: hardware
filtering → CPU Protect Policy (CPP) → packet attack detection/rate-limit → Protocol/Manage/Route
flow classification → focus rate-limit, and ultimately application-layer handling.
1. CPU Protect Policy (CPP)
The CPP classification and rate-limit configurations classify the datagrams sent to the CPU
according to the CPP service classification principle and also limit the packet transmission
rate. This prevents different packets from competing for bandwidth and resolves the problem
that, when a large-volume attack using one packet flow occurs, other packets cannot be
handled in time. For example, on an NFPP-enabled device that receives both OSPF packets
and BPDU packets, if the OSPF packets consume a large amount of the CPU bandwidth,
reception of the BPDU packets is not affected, and the same holds the other way round.
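
The effect of per-class rate limiting described above can be reproduced with a small simulation. This is an added example, not code or configuration from the DES-7200 guide: the token-bucket policer, the rates, the burst sizes and the traffic sample are all assumptions chosen for illustration.

```python
from collections import Counter

US = 1_000_000  # microseconds per second; also the scaled cost of one packet

class TokenBucket:
    """Integer token-bucket policer: `rate` packets/s sustained, `burst` packets deep."""
    def __init__(self, rate, burst):
        self.rate, self.cap = rate, burst * US
        self.tokens, self.last_us = self.cap, 0

    def allow(self, now_us):
        # rate [pkt/s] * elapsed [us] gives tokens in millionths of a packet
        self.tokens = min(self.cap, self.tokens + self.rate * (now_us - self.last_us))
        self.last_us = now_us
        if self.tokens < US:
            return False
        self.tokens -= US
        return True

def constructed_traffic():
    """Constructed one-second sample: a 10,000 pps OSPF flood plus 10 legitimate BPDUs."""
    events = [(i * 100, "ospf") for i in range(10_000)]
    events += [(i * 100_000 + 50_050, "bpdu") for i in range(10)]
    return sorted(events)

def deliver(events, policers, classify):
    """Count, per protocol, the packets that pass the policer chosen by classify()."""
    passed = Counter()
    for now_us, proto in events:
        if policers[classify(proto)].allow(now_us):
            passed[proto] += 1
    return passed

def shared_limit(events):
    # No classification: every CPU-bound packet competes for one budget (assumed 200 pps)
    return deliver(events, {"cpu": TokenBucket(200, 20)}, lambda proto: "cpu")

def per_class_limit(events):
    # CPP-style: each class is policed against its own budget (assumed rates)
    policers = {"ospf": TokenBucket(150, 20), "bpdu": TokenBucket(50, 20)}
    return deliver(events, policers, lambda proto: proto)

if __name__ == "__main__":
    events = constructed_traffic()
    print("shared   :", dict(shared_limit(events)))
    print("per-class:", dict(per_class_limit(events)))
```

With the single shared limit the flood uses up the whole budget and the BPDUs are dropped; with one policer per class the flood is still capped, but every BPDU reaches the CPU.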