Service chain commands
blade-load-balance-team
Use blade-load-balance-team to specify a load sharing team for a service node in an intra-device service chain.
Use undo blade-load-balance-team to restore the default.
Syntax
blade-load-balance-team team-name
undo blade-load-balance-team
Default
No load sharing team is specified for a service node in an intra-device service chain.
Views
Service node view
Predefined user roles
network-admin
Parameters
team-name: Specifies a load sharing team by its name. Load sharing team names are predefined by the system. The device supports only Blade3fw, Blade4fw, and AFC load sharing teams.
Usage guidelines
Use this command to specify a load sharing team according to the service module type of a service node.
· Blade3fw—Applies to third-generation firewall modules.
· Blade4fw—Applies to fourth-generation firewall modules.
· AFC—Applies to anomaly flow cleaner (AFC) modules.
To specify load sharing teams for multiple service nodes in an intra-device service chain, follow these restrictions and guidelines:
· The load sharing team specified for a service node must be different from the teams specified for the other service nodes in the same intra-device service chain, and all load sharing teams in the chain must belong to the same security engine group.
· You can specify only one load sharing team for each service node, and one load sharing team can be specified for only one service node.
· The AFC load sharing team must be specified on service node 1.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify load sharing team AFC for service node 1.
<Sysname> system-view
[Sysname] service-chain path 1
[Sysname-spath1] service function 1
[Sysname-spath1-func1] blade-load-balance-team AFC
Related commands
blade-controller-team (Virtual Technologies Command Reference)
service function
display service-chain cache ip
Use display service-chain cache ip to display IPv4 fast forwarding entries for intra-device service chains.
Syntax
In standalone mode:
display service-chain cache ip [ ip-address ] [ slot slot-number cpu cpu-number ]
In IRF mode:
display service-chain cache ip [ ip-address ] [ chassis chassis-number slot slot-number cpu cpu-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ip-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays IPv4 fast forwarding entries for all IPv4 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4 fast forwarding entries on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 fast forwarding entries for all cards on all IRF member devices. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is supported only by AFC service modules.
Examples
# Display IPv4 fast forwarding entries for intra-device service chains on a CPU of an AFC module.
<Sysname> display service-chain cache ip chassis 1 slot 2 cpu 1
Total number of service-chain entries: 2
SIP          SPort  DIP          DPort  Pro  InputIf      OutputIf
10.0.1.1     1024   10.0.0.2     1024   6    GE1/7/0/17   Blade1/1/0/2
10.0.0.2     1024   10.0.1.1     1024   6    N/A          N/A
Table 1 Command output
Field | Description |
---|---|
Total number of service-chain entries | Number of IPv4 fast forwarding entries for intra-device service chains. |
SIP | Source IPv4 address. |
SPort | Source port number. |
DIP | Destination IPv4 address. |
DPort | Destination port number. |
Pro | Protocol number. |
InputIf | Input interface. If no input interface is involved in fast forwarding, this field displays N/A. If no input interface is available, this field displays a hyphen (-). |
OutputIf | Output interface. If no output interface is involved in fast forwarding, this field displays N/A. If no output interface is available, this field displays a hyphen (-). The output interface is a Blade aggregate interface instead of a physical interface on an interface module. |
display service-chain cache ipv6
Use display service-chain cache ipv6 to display IPv6 fast forwarding entries for intra-device service chains.
Syntax
In standalone mode:
display service-chain cache ipv6 [ ipv6-address ] [ slot slot-number cpu cpu-number ]
In IRF mode:
display service-chain cache ipv6 [ ipv6-address ] [ chassis chassis-number slot slot-number cpu cpu-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ipv6-address: Specifies an IPv6 address. If you do not specify an IPv6 address, this command displays IPv6 fast forwarding entries for all IPv6 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 fast forwarding entries on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 fast forwarding entries for all cards on all IRF member devices. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is supported only by AFC service modules.
Examples
# Display IPv6 fast forwarding entries for intra-device service chains on a CPU of an AFC module.
<Sysname> display service-chain cache ipv6 chassis 1 slot 2 cpu 1
Total number of IPv6 fast-forwarding items: 2
Src IP: 10::2 Src Port: 0
Dst IP: 10::1 Dst Port: 32768
Protocol: 58
VPN instance: N/A
Input interface: N/A
Output interface: Blade3/0/2
Src IP: 10::1 Src Port: 0
Dst IP: 10::2 Dst Port: 33024
Protocol: 58
VPN instance: N/A
Input interface: N/A
Output interface: N/A
Table 2 Command output
Field | Description |
---|---|
Total number of IPv6 fast-forwarding items | Number of IPv6 fast forwarding entries for intra-device service chains. |
Src IP | Source IPv6 address. |
Src Port | Source port number. |
Dst IP | Destination IPv6 address. |
Dst Port | Destination port number. |
Protocol | Protocol number. |
Input interface | Input interface. If no input interface is involved in fast forwarding, this field displays N/A. If no input interface is available, this field displays a hyphen (-). |
Output interface | Output interface. If no output interface is involved in fast forwarding, this field displays N/A. If no output interface is available, this field displays a hyphen (-). The output interface is a Blade aggregate interface instead of a physical interface on an interface module. |
display service-chain cache ip fragment
Use display service-chain cache ip fragment to display fast forwarding entries of fragments for intra-device service chains.
Syntax
In standalone mode:
display service-chain cache ip fragment [ ip-address ] [ slot slot-number cpu cpu-number ]
In IRF mode:
display service-chain cache ip fragment [ ip-address ] [ chassis chassis-number slot slot-number cpu cpu-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
ip-address: Specifies an IPv4 address. If you do not specify an IPv4 address, this command displays fragment fast forwarding entries for all IPv4 addresses.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays fragment fast forwarding entries on all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays fragment fast forwarding entries for all cards on all IRF member devices. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
This command is supported only by AFC service modules.
Examples
# Display fast forwarding entries of fragments for intra-device service chains on a CPU of an AFC module.
<Sysname> display service-chain cache ip fragment chassis 1 slot 2 cpu 1
Total number of fragment service-chain entries: 448
SIP          SPort  DIP          DPort  Pro  InputIf      ID
10.0.1.1     1024   10.0.0.2     1024   6    GE1/7/0/17   964
10.0.1.1     1024   10.0.0.2     1024   6    GE1/7/0/17   1166
Table 3 Command output
Field | Description |
---|---|
Total number of fragment service-chain entries | Number of fragment IPv4 fast forwarding entries for intra-device service chains. |
SIP | Source IPv4 address. |
SPort | Source port number. |
DIP | Destination IPv4 address. |
DPort | Destination port number. |
Pro | Protocol number. |
InputIf | Input interface type and number. N/A indicates that the entry does not distinguish data flows based on the input interface. If the entry is used for backward packets of the service chain, this field displays a hyphen (-). |
ID | Packet ID, the IP identification field value shared by all fragments of the same original IP packet. |
display service-chain path
Use display service-chain path to display service chain information.
Syntax
display service-chain path { path-id | all }
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
path-id: Specifies a service chain by its path ID in the range of 1 to 8388606.
all: Displays information for all service chains.
Examples
# Display information for all service chains.
<Sysname> display service-chain path all
PathID: 22
Next service node: 4.4.4.4
Previous service node: 5.5.5.5
Function: 1
Service-list: fw
Table 4 Command output
Field | Description |
---|---|
PathID | Path ID of the service chain. |
Next service node | IP address of the next service node. |
Previous service node | IP address of the previous service node. |
Function | ID of the service node. |
Service-list | Services in the service list. |
display service-chain statistics
Use display service-chain statistics to display service chain statistics.
Syntax
display service-chain statistics
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display all service chain statistics.
<Sysname> display service-chain statistics
Service-chain statistics
Board : all
Total receive : 0 Total send : 0
Service drop : 0 Error drop : 0
Table 5 Command output
Field | Description |
---|---|
Board | ID of a card. This field displays all in the current software version. |
Total receive | Total number of received packets. |
Total send | Total number of sent packets. |
Service drop | Total number of packets dropped by the services in the service chain. |
Error drop | Total number of dropped error packets. |
if-match
Use if-match to configure a service chain policy for an intra-device service chain.
Use undo if-match to remove a service chain policy for an intra-device service chain.
Syntax
if-match input-interface interface-type interface-number acl { ipv4-acl-number | name ipv4-acl-name }
undo if-match input-interface interface-type interface-number
Default
No service chain policies are configured for an intra-device service chain.
Views
Service chain view
Predefined user roles
network-admin
Parameters
input-interface interface-type interface-number: Specifies an input interface by its type and number.
acl ipv4-acl-number: Specifies an IPv4 ACL by its number in the range of 2000 to 3999.
acl name ipv4-acl-name: Specifies an IPv4 ACL by its name, a case-insensitive string of 1 to 63 characters. The ACL name must start with a letter and cannot be the word all.
Usage guidelines
An intra-device service chain policy includes an input interface and an ACL. Only received IP packets that match the ACL can enter the intra-device service chain.
You can specify IP addresses only in ip-address/mask format for the ACL rules. Address object groups are not supported in the rules.
When you configure service chain policies, follow these restrictions and guidelines:
· Make sure the destination IP address of the packets that enter one service chain belongs to a DDoS attack protection object.
· An input interface cannot be specified multiple times in the same service chain.
· An input interface and ACL combination cannot be specified for multiple service chains.
For a service chain policy to take effect, the input interface cannot be an Ethernet subinterface, a VLAN interface, or an interface exclusively assigned to a context. If the input interface is a Reth interface, the member ports of the Reth interface cannot be subinterfaces.
For traffic received on the input interface, the packet's source and destination IP addresses are compared with the source and destination IP addresses in the ACL, respectively.
For traffic received on any other interface, the comparison is reversed: the packet's destination IP address is compared with the source IP address in the ACL, and the packet's source IP address with the destination IP address in the ACL. The reversed comparison lets the return direction of a flow that entered the chain on the input interface be steered into the same service chain.
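The following Python model is an added example, not the device's implementation, of how an intra-device service chain policy selects packets: a forward comparison on the input interface, a swapped comparison on every other interface, plus the two restrictions above (an input interface specified once per chain, an interface and ACL combination bound to one chain). ACL rules are modelled as permit rules in ip-address/mask form; the interface names, the use of advanced ACL 3000 (so that both source and destination are specified) and the addresses are constructed for the example.

```python
"""Model of if-match input-interface ... acl ... selection for an intra-device
service chain. Added example, not the device's code. Interface names, ACL
numbers and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class AclRule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


@dataclass(frozen=True)
class ChainPolicy:
    path_id: int
    input_interface: str
    acl: str                        # ACL number or name given to if-match
    rules: Tuple[AclRule, ...]      # permit rules only


def rule(source: str, destination: str) -> AclRule:
    """Build a rule from ip-address/mask prefixes."""
    return AclRule(ipaddress.IPv4Network(source), ipaddress.IPv4Network(destination))


def enters_chain(policy: ChainPolicy, ingress_interface: str,
                 src_ip: str, dst_ip: str) -> bool:
    """True if a packet received on ingress_interface enters the chain."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    if ingress_interface == policy.input_interface:
        # Input interface: packet source vs rule source, packet destination
        # vs rule destination.
        return any(src in r.source and dst in r.destination for r in policy.rules)
    # Any other interface: the comparison is swapped, so the return direction
    # of a flow admitted above is steered into the same chain.
    return any(dst in r.source and src in r.destination for r in policy.rules)


def check_policies(policies: Iterable[ChainPolicy]) -> List[str]:
    """Flag an input interface repeated in one chain, and an interface+ACL
    combination bound to more than one chain."""
    findings = []
    per_chain = set()        # (path_id, interface) already seen
    combo_owner = {}         # (interface, acl) -> first path_id using it
    for p in policies:
        if (p.path_id, p.input_interface) in per_chain:
            findings.append(f"path {p.path_id}: {p.input_interface} "
                            "specified more than once")
        per_chain.add((p.path_id, p.input_interface))
        owner = combo_owner.setdefault((p.input_interface, p.acl), p.path_id)
        if owner != p.path_id:
            findings.append(f"path {p.path_id}: {p.input_interface} with ACL "
                            f"{p.acl} is already bound to path {owner}")
    return findings


# Constructed policy: advanced ACL 3000 permits 10.0.1.0/24 -> 10.0.0.0/24 on
# packets arriving on GigabitEthernet1/7/0/1.
POLICY = ChainPolicy(1, "GigabitEthernet1/7/0/1", "3000",
                     (rule("10.0.1.0/24", "10.0.0.0/24"),))

if __name__ == "__main__":
    for iface, s, d in (("GigabitEthernet1/7/0/1", "10.0.1.1", "10.0.0.2"),
                        ("GigabitEthernet1/7/0/17", "10.0.0.2", "10.0.1.1"),
                        ("GigabitEthernet1/7/0/17", "10.0.1.1", "10.0.0.2")):
        print(iface, s, "->", d, enters_chain(POLICY, iface, s, d))
```

The third case in the usage block is the one practitioners most often get wrong: a forward-direction packet that arrives on an interface other than the configured input interface does not match, because on that interface only the swapped (return-direction) comparison is made.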
Examples
# Configure a service chain policy by specifying input interface GigabitEthernet 1/7/0/1 and ACL 2000.
<Sysname> system-view
[Sysname] service-chain path 1
[Sysname-spath1] if-match input-interface gigabitethernet 1/7/0/1 acl 2000
Related commands
service-chain path
next-service-node
Use next-service-node to specify the IP address of the next service node in a service chain.
Use undo next-service-node to restore the default.
Syntax
next-service-node ip-address
undo next-service-node
Default
The IP address of the next service node in a service chain is not specified.
Views
Service chain view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies the IP address of the next service node.
Usage guidelines
If the service node is the end node, you do not need to specify the IP address of the next service node.
Examples
# Specify the IP address of the next service node as 2.2.2.2 for service chain 1.
<Sysname> system-view
[Sysname] service-chain path 1
[Sysname-spath1] next-service-node 2.2.2.2
Related commands
display service-chain path
previous-service-node
Use previous-service-node to specify the IP address of the previous service node in a service chain.
Use undo previous-service-node to restore the default.
Syntax
previous-service-node ip-address
undo previous-service-node
Default
The IP address of the previous service node in a service chain is not specified.
Views
Service chain view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies the IP address of the previous service node.
Usage guidelines
If the service node is the head node, you do not need to specify the IP address of the previous service node.
Examples
# Specify the IP address of the previous service node as 3.3.3.3 for service chain 1.
<Sysname> system-view
[Sysname] service-chain path 1
[Sysname-spath1] previous-service-node 3.3.3.3
Related commands
display service-chain path
service-chain path
Use service-chain path to create a service chain and enter its view, or enter the view of an existing service chain.
Use undo service-chain path to delete a service chain or all service chains on a device.
Syntax
service-chain path path-id
undo service-chain path { path-id | all }
Default
No service chains exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
path-id: Specifies the path ID of a service chain, in the range of 1 to 8388606. A path ID uniquely identifies a service chain.
all: Deletes all service chains on the device.
Examples
# Create service chain 1 and enter its view.
<Sysname> system-view
[Sysname] service-chain path 1
[Sysname-spath1]
Related commands
display service-chain path
service function
Use service function to create a service node and enter its view, or enter the view of an existing service node.
Use undo service function to delete a service node or all service nodes on the service chain.
Syntax
service function function-number
undo service function { function-number | all }
Default
No service nodes exist.
Views
Service chain view
Predefined user roles
network-admin
context-admin
Parameters
function-number: Specifies the ID of the service node, in the range of 1 to 2.
all: Deletes all service nodes on the service chain.
Usage guidelines
All services on service nodes of a service chain must be different from each other.
Examples
# Create service node 1 and enter its view.
<Sysname> system-view
[Sysname] service-chain path 1
[Sysname-spath1] service function 1
[Sysname-spath1-func1]
Related commands
display service-chain path
service list
Use service list to create a service list.
Use undo service list to restore the default.
Syntax
service list { acg | atk | connect-limit | dpi | fw | ips | ipsec | lb | nat }*
undo service list
Default
No service list exists.
Views
Service node view
Predefined user roles
network-admin
context-admin
Parameters
acg: Specifies the application control gateway (ACG) service.
atk: Specifies the attack detection and prevention service.
connect-limit: Specifies the connection limit service.
dpi: Specifies the deep packet inspection (DPI) service.
fw: Specifies the firewall (FW) service.
ips: Specifies the intrusion prevention system (IPS) service.
ipsec: Specifies the IP security (IPsec) service.
lb: Specifies the load balancing (LB) service.
nat: Specifies the network address translation (NAT) service.
Usage guidelines
You can configure only one service list for each service node. All services in a service chain must be different from each other.
The services in a service list are applied to the traffic in the order they are specified in a service list.
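The restrictions on blade-load-balance-team (distinct teams per chain, AFC only on service node 1, the most recent command taking effect), service function (function numbers 1 to 2) and service list (one list per node, services unique across the chain) are easy to violate when a chain is built by hand. The following linter is an added example, not part of the device software: it parses a configuration snippet written in the command forms shown on this page and reports each violated restriction. The nested indentation used to mark view boundaries and both sample configurations are constructed for the example.

```python
"""Lint an intra-device service chain configuration against the documented
restrictions. Added example, not device code; sample configs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOWED_TEAMS = {"Blade3fw", "Blade4fw", "AFC"}
ALLOWED_SERVICES = {"acg", "atk", "connect-limit", "dpi", "fw", "ips",
                    "ipsec", "lb", "nat"}
MAX_PATH_ID = 8388606


@dataclass
class ServiceNode:
    team: Optional[str] = None
    services: List[str] = field(default_factory=list)


def parse_chains(config: str) -> Dict[int, Dict[int, ServiceNode]]:
    """Return {path_id: {function_number: ServiceNode}} from CLI text."""
    chains: Dict[int, Dict[int, ServiceNode]] = {}
    nodes = node = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"service-chain path (\d+)", line):
            nodes = chains.setdefault(int(m[1]), {})
            node = None
        elif m := re.fullmatch(r"service function (\d+)", line):
            if nodes is None:
                raise ValueError(f"{line!r} outside service chain view")
            node = nodes.setdefault(int(m[1]), ServiceNode())
        elif m := re.fullmatch(r"blade-load-balance-team (\S+)", line):
            if node is None:
                raise ValueError(f"{line!r} outside service node view")
            node.team = m[1]              # repeated command: most recent wins
        elif m := re.fullmatch(r"service list (.+)", line):
            if node is None:
                raise ValueError(f"{line!r} outside service node view")
            node.services = m[1].split()  # one list per node: last one wins
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return chains


def lint(chains: Dict[int, Dict[int, ServiceNode]]) -> List[str]:
    """Return one message per violated restriction; an empty list is clean."""
    findings = []
    for pid, nodes in chains.items():
        if not 1 <= pid <= MAX_PATH_ID:
            findings.append(f"path {pid}: path ID outside 1-{MAX_PATH_ID}")
        team_owner: Dict[str, int] = {}      # team name -> function number
        service_owner: Dict[str, int] = {}   # service   -> function number
        for fid, node in sorted(nodes.items()):
            where = f"path {pid} function {fid}"
            if fid not in (1, 2):
                findings.append(f"{where}: function number must be 1 or 2")
            if node.team is not None:
                if node.team not in ALLOWED_TEAMS:
                    findings.append(f"{where}: unknown team {node.team}")
                elif node.team == "AFC" and fid != 1:
                    findings.append(f"{where}: AFC team must be on service node 1")
                if node.team in team_owner:
                    findings.append(f"{where}: team {node.team} already used by "
                                    f"function {team_owner[node.team]}")
                team_owner.setdefault(node.team, fid)
            for svc in node.services:
                if svc not in ALLOWED_SERVICES:
                    findings.append(f"{where}: unknown service {svc}")
                elif svc in service_owner:
                    findings.append(f"{where}: service {svc} already used by "
                                    f"function {service_owner[svc]}")
                else:
                    service_owner[svc] = fid
    return findings


# Constructed configurations (not device output).
GOOD_CONFIG = """
service-chain path 1
 service function 1
  blade-load-balance-team AFC
  service list atk
 service function 2
  blade-load-balance-team Blade4fw
  service list fw lb
"""

BAD_CONFIG = """
service-chain path 1
 service function 1
  blade-load-balance-team Blade4fw
  service list fw
 service function 2
  blade-load-balance-team AFC
  service list lb fw
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint(parse_chains(cfg)) or "OK")
```

Run against BAD_CONFIG the linter reports that the AFC team sits on service node 2 and that fw is listed on both nodes; both would otherwise surface only as rejected commands or, worse, as traffic that never reaches the intended module.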
Examples
# Create a service list that contains the FW and LB services for service node 1.
<Sysname> system-view
[Sysname] service-chain path 1
[Sysname-spath1] service function 1
[Sysname-spath1-func1] service list fw lb
Related commands
display service-chain path