HP 6125G HP Networking guide to hardening Comware-based devices - Page 30

firewall packet-filter name ACL-ANTISPOOF-IN inbound # Limiting the CPU impact of data plane traffic The primary purpose of routers and switches is to forward packets and frames to their final destinations. These packets, which transit the devices deployed throughout the network, can impact a device's CPU operations. The data plane, which consists of traffic transiting the network device, should be secured to help ensure the operation of the management and control planes. If transit traffic can cause a device to process switch traffic, the control plane of a device can be affected, which may lead to an operational disruption. Features and traffic types that impact the CPU Although not exhaustive, this list includes types of data plane traffic that require special CPU processing and are process switched by the CPU: • IP options Any IP packets with options included must be processed by the CPU. • Fragmentation Any IP packet that requires fragmentation must be passed to the CPU for processing. • Time-to-Live (TTL) expiry Packets that have a TTL value less than or equal to 1 require Internet Control Message Protocol Time Exceeded (ICMP Type 11, Code 0) messages to be sent, which results in CPU processing. • ICMP unreachables Packets that result in ICMP unreachable messages due to routing, MTU, or filtering are processed by the CPU. • Traffic requiring an ARP request Destinations for which an ARP entry does not exist require processing by the CPU. • Non-IP traffic All non-IP traffic is processed by the CPU. For more information about data plane hardening, see the "General data plane hardening" section of this document. Traffic identification and traceback At times, you need to quickly identify and traceback network traffic, especially during incident response or poor network performance. NetStream and classification ACLs are two primary methods to accomplish this. Using HP Comware, NetStream can provide visibility into all network traffic. Additionally, NetStream can be implemented with collectors that can provide long-term trending and automated analysis. Classification ACLs are a component of ACLs and require preplanning to identify specific traffic and manual intervention during analysis. The sections that follow provide a brief overview of each feature. NetStream NetStream identifies anomalous and security-related network activity by tracking network flows. NetStream data can be viewed and analyzed via the CLI, or the data can be exported to a NetStream collector and data analyzer for aggregation and analysis. A NetStream data analyzer, through long-term trending, can provide network behavior and usage analysis. NetStream, which can be configured on both routers and switches, functions by performing analysis on specific attributes within IP packets and creating flows. Version 9 is the most flexible format and allows users to define templates with different statistics fields. The following example illustrates the basic configuration of this feature. NetStream can be enabled on an interface, or through QoS policy or port mirroring. Different devices choose one of the approaches based on device model: Approach I, enable NetStream on an interface. # interface Ethernet0/1/0 ip netstream { inbound | outbound } # 30