ACFP architecture, OAA collaboration, ACFP management – H3C Technologies H3C SecBlade IPS Cards User Manual


ACFP architecture

Figure 3-18 Diagram for ACFP architecture

As shown in Figure 3-18, the ACFP architecture consists of:

• Routing/switching component: As the main part of a router and a switch, it performs complete router/switch functions and is also the core of user management control.
• Independent service component: Also known as the Open Application Platform (OAP), it is the main part open for development by a third party and is mainly used to provide various unique service functions.
• Interface-connecting component: It connects the interface of the routing/switching component to that of the independent service component, allowing the devices of two manufacturers to be interconnected.

OAA collaboration

OAA collaboration means that the independent service component can send instructions to the routing/switching component to change its functions. OAA collaboration is mainly implemented through the Simple Network Management Protocol (SNMP). Acting as a network management system, the independent service component sends various SNMP commands to the routing/switching component, which can execute the received instructions because it supports the SNMP agent function. In this process, the cooperating MIB is the key to associating the two components with each other.

ACFP management

ACFP collaboration provides a mechanism that enables the ACFP client (the independent service component in Figure 3-18) to control the traffic on the ACFP server (the routing/switching component in Figure 3-18) by implementing the following functions:

• Mirroring and redirecting the traffic on the ACFP server to the ACFP client
• Permitting/denying the traffic from the ACFP server
• Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the packet context with each other. The detailed procedure is as follows: The ACFP server maintains a context table that can be queried by context ID. Each context ID corresponds to an ACFP collaboration policy that contains information including the inbound interface and outbound interface of the packet, and collaboration rules. When a packet received by the ACFP server is redirected or mirrored to the ACFP client after matching a collaboration rule, the packet carries the context ID of the collaboration policy to which the collaboration rule belongs. When the redirected packet is returned from the ACFP client, the packet also carries the context ID. With the context ID, the ACFP server knows that the packet is returned after being redirected and then forwards the packet normally.

For the ACFP client to better control traffic, ACFP collaboration uses a two-level structure of collaboration policy and collaboration rules: traffic that matches a collaboration rule is managed based on the collaboration policy to which the rule belongs, which allows flexible traffic management.
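
The context-ID procedure and the two-level policy/rule structure described above can be modelled in a few lines; this is an added example, not code from H3C or from the manual. The class and field names, the source-network match, the first-match rule order and the drop on an unknown context ID are all assumptions made for illustration.

```python
# Toy model of the ACFP context table (added example; names are hypothetical).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:                        # collaboration rule: a match plus an action
    src_net: str                   # assumption: rules match on source network
    action: str                    # "redirect", "mirror", "permit" or "deny"

@dataclass
class Policy:                      # collaboration policy: interfaces plus its rules
    in_if: str
    out_if: str
    rules: list = field(default_factory=list)

class AcfpServer:
    def __init__(self):
        self.context_table = {}    # context ID -> collaboration policy
        self._next_id = 1

    def add_policy(self, policy):
        cid = self._next_id
        self._next_id += 1
        self.context_table[cid] = policy
        return cid

    def receive(self, in_if, src_ip):
        """Packet arriving from the network on interface in_if."""
        for cid, pol in self.context_table.items():
            if pol.in_if != in_if:
                continue
            for rule in pol.rules:  # assumption: first matching rule decides
                if ip_address(src_ip) in ip_network(rule.src_net):
                    if rule.action in ("redirect", "mirror"):
                        # sent to the ACFP client tagged with the policy's context ID
                        return (rule.action, cid)
                    return (rule.action, None)
        return ("forward", None)   # no collaboration rule matched

    def returned(self, cid):
        """Packet coming back from the ACFP client carrying a context ID."""
        pol = self.context_table.get(cid)
        if pol is None:
            # assumption: a context ID missing from the table is not trusted
            return ("drop", None)
        return ("forward", pol.out_if)  # known context: forward normally
```

Because the context ID on a returned packet is what tells the server to resume normal forwarding, the lookup in `returned` is the point where an implementation decides how much to trust the client-facing link.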