Introduction To Acfp; Acfp Architecture - 3Com MSR 50 Series Configuration Manual

125

Introduction to ACFP

ACFP Architecture

ACFP C
ONFIGURATION
When configuring ACFP, go to these sections for information you are interested in:
"Introduction to ACFP" on page 2189
■
"Configuring ACFP" on page 2194
■
"Displaying and Maintaining ACFP" on page 2195
■
"ACFP Configuration Example" on page 2195
■
Basic data communication networks are comprised of routers and switches, which
forward data packets. As data networks develop, more and more services run on
them. In addition, routers and switches are supporting more and more services. It
has become inappropriate to use legacy devices for handling all the services.
Therefore, some products are designed to handle specific services, such as
firewalls, intrusion detection system (IDS), intrusion prevention system (IPS), and
other security, voice, and wireless products.
For better support of these services, more and more service boards (service cards)
are being developed on legacy networking devices (routers and switches in this
document) to specifically handle these services. Some manufacturers of legacy
networking devices provide a set of software/hardware interfaces to allow the
boards (cards) or devices of other manufacturers to be plugged or connected to
these legacy networking devices for cooperating to handle these services. This
gives full play to the advantages of respective manufacturers for better support of
these services while reducing user investments.
The open application architecture (OAA) is an open service architecture developed
with this philosophy. The application control forwarding protocol (ACFP) is
developed based on the OAA architecture. Cooperating IDS cards or IDS devices
act as ACFP clients running software packages developed by other manufacturers
support the IPS/IDS services. A router or switch mirrors or redirects the packets
received from another interface to an ACFP client after matching the ACFP
cooperation rules. The software running on the ACFP client monitors and detects
the packets. The ACFP client then sends back responses to the router or switch
through cooperation MIBs to instruct the router or switch to process the
monitoring and detection results, such as filtering out the specified packets.
Figure 639 ACFP architecture
Interface-connecting
component
Independent
service component
Routing/switching
component