Filter
Top Products
DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12-3
the anti-attack policy uses the hardware filter in order to make sure that the attack packets will
not be sent to the CPU and ensure the normal device operation.
Caution
After detecting an attack, NFPP sends the warning messages to
the administrator. However, to avoid the frequent displaying of the
warning messages, the warning messages will not be shown
again within the continuous 60s after the sending.
Frequently print the syslog consumes the CPU resources, to this
end, NFPP writes the syslog on the attack detection to the buffer
area and specifies the print rate. No rate-limit is configured for the
TRAP message.
Protocol/Manage/Route flow classification
As shown in the Table-1, the packet types are divided into Manage、Route and Protocol packet.
Each packet type owns the independent bandwidth. The bandwidth between the different
types cannot be shared and the packet flow exceeding the bandwidth threshold will be
discarded. The packet flow classification ensures that the set packet type on the device takes
the precedence over other types of packet. The administrator can flexibly allocate the
bandwidth of the three types of the packet according to the actual network environment and
make sure that the protocol and manage packets takes the precendence of being handled for
the purpose of normal protocol running and the administrator management, thereby
safeguarding the normal operation of each important function on the device and improving the
anti-attack capability.
Table-1
Packet Type Service Type defined in the CPP
Protocol
tp-guard,dot1x,rldp,rerp,slow-packet,
bpdu,isis dhcps,gvrp,ripng,dvmrp,igmp,
mpls,ospf, pim,pimv6,rip,vrrp,ospf3,
dhcp-relay-s,dhcp-relay-c,option82,
tunnel-bpdu,tunnel-gvrp
Route
unknown-ipmc,unknown-ipmcv6,ttl1,ttl0,
udp-helper,ip4-packet-other,
ip6-packet-other,non-ip-packet-other,arp
Manage
ip4-packet-local,ip6-packet-local
3. Focus rate-limit
After the classification rate-limit, focus on all the flow classification in a queue.If the process
rate of one type of the packets is low, the corresponding packets will accumulate in the queue,
and consume the queue resources ultimately. The administrator can configure the packet
percent. If the length of the queue for one type of the packet is more than the total queue