NPB Inline Bypass High Availability Technology
1. Industry Trends: Transitioning from “Passive” to “Inline”
In high-performance network security and auditing, traffic processing has shifted from traditional passive mirroring to Inline Monitoring. To achieve real-time traffic cleaning, Deep Packet Inspection (DPI), or malicious blocking, security appliances must be deployed directly within the primary traffic path.
However, this architecture introduces a “Dual Vulnerability” at both the hardware and software levels:
- Physical Layer Failure Risk: Damaged transceivers, cable cuts, or power loss to a single board can cause physical severance of the network backbone.
- Logical Layer “Frozen” State Risk: DPI engines may hang due to software issues when processing complex protocols or massive traffic spikes, while the physical link often remains “Up”.
In this context, Inline Bypass (High Availability) is no longer an optional feature; it is the core foundation for ensuring ISP link stability.
2. The Underlying Self-Healing Mechanism of Inline Bypass
2.1 Multi-Dimensional Fault Perception Model
The core of this solution is a precision State Machine Engine that transcends simple Link state monitoring to build a multi-dimensional health assessment model:
- L1 Physical Monitoring: Real-time monitoring of SerDes signals. When a member port failure is detected, hardware interrupts trigger rapid convergence.
- L2 Protocol Monitoring (Optional): Utilizes LLDP Heartbeats or other proprietary protocols to confirm the logical survival of the DPI’s internal forwarding plane.
- LAG-Aware Logic: The system accurately distinguishes between “Partial Link Down” (triggering load redistribution) and “Total Group Down” (triggering bypass), ensuring a precise operational response.
- T1 Detection Delay (Filtering): Supports a 1s–30s configuration. A sliding window algorithm smooths physical fluctuations, preventing transmission anomalies caused by frequent policy flapping during link instability.
2.2 Hardware-Level Atomic Switching
To achieve a high-efficiency switching experience, this solution pre-sets Shadow Paths within the underlying ASIC:
- Normal Mode (example based on field configuration): ISP Ingress -> Add VLAN Tag -> Distribute to Downlink LAG -> Receive DPI Return Traffic -> Strip VLAN Tag -> Service Egress.
- Bypass Mode: ISP Ingress -> ACL Matching -> Direct Forwarding to Service Egress (preserving the original packet format).
When the switching conditions are met, the engine instantly enables the pre-cached bypass policy to achieve rapid recovery.
2.3 Robust Safe Revert Logic
The recovery phase (reverting to normal) is often a high-risk period for secondary failures. The system introduces a T2 (Revert Delay) mechanism (60s+ recommended):
- Stability Observation Period: Revert is only triggered if at least one member port in the LAG remains “Up” and stable without jitter for the duration of T2.
- Buffer Window: This provides a sufficient buffer for DPI devices to load signature databases and warm up engines, ensuring the DPI is at 100% processing capacity before traffic is redirected back.
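The T1 detection delay in 2.1 and the T2 revert delay in 2.3 together form one state machine, and the interaction between the two timers is easiest to see by replaying a sequence of port events through it. The following Python simulation is an added example, not the vendor's implementation. It assumes integer-second timestamps, samples delivered in time order, and models the T1 filter as a hold-down timer that resets on any “up” sample (a simplification of the sliding-window smoothing the text describes); the port names, T1/T2 values and event timeline are constructed.

```python
"""Simulation of an inline-bypass state machine with a T1 detection delay and a
T2 revert delay. Added example only; not the product's own code."""
from enum import Enum
from typing import Dict, List, Optional, Sequence, Tuple


class Mode(Enum):
    NORMAL = "normal"   # traffic traverses the DPI (dashboard: green)
    BYPASS = "bypass"   # traffic is shunted around the DPI (dashboard: red)


class BypassStateMachine:
    """Tracks the downlink LAG toward the DPI and decides NORMAL vs BYPASS.

    Assumptions (not from the page): integer-second time, samples in order,
    and T1 modelled as a hold-down timer that any 'up' sample resets.
    """

    def __init__(self, members: Sequence[str], t1_s: int, t2_s: int) -> None:
        if not 1 <= t1_s <= 30:
            raise ValueError("T1 must be configured between 1 and 30 s")
        if t2_s < 60:
            raise ValueError("T2 of 60 s or more is recommended")
        self.members = list(members)
        self.t1, self.t2 = t1_s, t2_s
        self.mode = Mode.NORMAL
        self.active = set(members)                 # members currently carrying load
        self.total_down_since: Optional[int] = None  # start of the current T1 window
        self.stable_up_since: Optional[int] = None   # start of the current T2 window
        self.log: List[str] = []                     # lifecycle log lines

    def observe(self, t: int, port_up: Dict[str, bool]) -> Mode:
        """Feed one sample of member-port states taken at time t (seconds)."""
        up = {p for p in self.members if port_up.get(p, False)}

        # Maintain the two timers from this sample.
        if up:
            self.total_down_since = None            # any 'up' clears the T1 window
            if self.stable_up_since is None:
                self.stable_up_since = t
        else:
            self.stable_up_since = None             # jitter restarts the T2 clock
            if self.total_down_since is None:
                self.total_down_since = t

        if self.mode is Mode.NORMAL:
            if not up:
                # Total Group Down: bypass only once the outage has lasted T1.
                if t - self.total_down_since >= self.t1:
                    self.mode = Mode.BYPASS
                    self.log.append(
                        f"t={t} TOTAL-DOWN trigger: down since t={self.total_down_since}, "
                        f"trigger ports={sorted(self.members)}")
            elif up != self.active:
                # Partial Link Down/Up: redistribute load, never bypass.
                self.log.append(f"t={t} LAG partial change, redistribute to {sorted(up)}")
        elif up and t - self.stable_up_since >= self.t2:
            # Safe revert: at least one member stable for the whole T2 window.
            self.mode = Mode.NORMAL
            self.log.append(f"t={t} REVERT to normal via {sorted(up)} after T2={self.t2}s stable")
        self.active = up
        return self.mode

    def remaining_revert(self, t: int) -> Optional[int]:
        """Seconds of stable 'up' still needed before revert; None when not counting."""
        if self.mode is not Mode.BYPASS or self.stable_up_since is None:
            return None
        return max(0, self.t2 - (t - self.stable_up_since))


def run_scenario() -> Tuple[List[Tuple[int, str, Optional[int]]], List[str]]:
    """Replay a constructed event timeline; returns (trace, log)."""
    sm = BypassStateMachine(["lag1/1", "lag1/2"], t1_s=3, t2_s=60)
    samples = [  # constructed (t, member states), one sample per event
        (0, {"lag1/1": True, "lag1/2": True}),
        (1, {"lag1/1": False, "lag1/2": True}),    # partial down -> redistribute
        (2, {"lag1/1": False, "lag1/2": False}),   # total down begins
        (3, {"lag1/1": True, "lag1/2": False}),    # flap: T1 window resets
        (4, {"lag1/1": False, "lag1/2": False}),   # total down again
        (6, {"lag1/1": False, "lag1/2": False}),   # 2 s < T1, still normal
        (7, {"lag1/1": False, "lag1/2": False}),   # 3 s >= T1 -> bypass
        (8, {"lag1/1": False, "lag1/2": True}),    # one member back, T2 starts
        (20, {"lag1/1": False, "lag1/2": False}),  # jitter: T2 restarts
        (21, {"lag1/1": False, "lag1/2": True}),
        (80, {"lag1/1": False, "lag1/2": True}),   # 59 s < T2, still bypass
        (81, {"lag1/1": False, "lag1/2": True}),   # 60 s >= T2 -> revert
    ]
    trace = []
    for t, ports in samples:
        mode = sm.observe(t, ports)
        trace.append((t, mode.value, sm.remaining_revert(t)))
    return trace, sm.log


if __name__ == "__main__":
    trace, log = run_scenario()
    for t, mode, remaining in trace:
        print(f"t={t:>3}s mode={mode:<6} remaining_revert={remaining}")
    print("\n".join(log))
```

The trace shows the two filters doing different jobs: the flap at t=3 restarts the T1 window, so bypass is not entered until t=7 even though the first total outage began at t=2, and the single-sample jitter at t=20 restarts the T2 window, so the revert waits until t=81 rather than t=68. The log lines carry the same fields section 3 lists (total-down trigger time, trigger ports, remaining revert time).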
3. Practical O&M: Visualization and Closed-Loop Auditing
Through the Management Console, O&M personnel gain comprehensive management support:
- Status Dashboard: Real-time mapping of device status via three colors: Green (Normal), Red (Bypass), and Blue (Manual Forced).
- Dual Manual/Auto Modes: In Manual mode, traffic bypasses the DPI, allowing for equipment upgrades or manual inspections. In Auto mode, the system monitors DPI status; when the switching conditions are met, traffic bypasses the DPI via the Inline-Bypass path and recovers quickly once the revert conditions are satisfied.
- Full Lifecycle Logs: Detailed recording of critical parameters such as “Total Down Trigger Time,” “Remaining Revert Time,” and “Trigger Port Details,” with synchronized Syslog emergency alarms.
4. Conclusion
Inline-Bypass technology balances deep security and service continuity by offloading complex fault detection to the hardware forwarding layer. This represents more than just a stack of NPB features; it is a profound reshaping of resilience for ultra-large-scale network architectures.