CPU Protection by Using Hardware to Implement Automatic Session Reply

As described inFigure 1 The Target is deleted, the forwarding plane of a router is implemented by hardware and therefore provides high performance. The control and management planes, however, run on the CPU. The processing capability of the control and management planes is far lower than that of the forwarding plane. When the router is attacked, the control and management planes may deny services due to insufficient processing capability, and as a result become the target of attackers.

Huawei routers utilize the powerful processing capability of the forwarding plane. The hardware responds intelligently to requests of several protocols that seriously threaten the CPU security, which reduces the CPU load and prevents the CPU from becoming the target of DoS attacks.

Figure 1 CPU protection by using hardware to implement intelligent packet responding

As shown in the preceding figure, the NP hardware on the forwarding plane of a router is used to automatically and intelligently respond to packets that should be sent to the CPU, reducing the CPU usage. In addition, when the router is attacked by the X flood (such as the ARP, ICMP, WEB Portal), the infinite performance of the NP hardware can be used to ensure the operating performance of the CPU.

• For detailed information, see Enabling ARP Bidirectional Isolation and Example for Configuring ARP Bidirectional Isolation and ARP VLAN CAR in the NetEngine 8000 F V800R021C00SPC100 Configuration Guide - Security.
• For detailed information, see Configuring Fast ICMP Reply in the NetEngine 8000 F V800R021C00SPC100 Configuration Guide - IP Service.