03-Security Configuration Guide

28-Flow manager configuration

Configuring the flow manager

About the flow manager

The flow manager allows the device to direct bidirectional packets of the same flow to the same security engine when multiple security engines exist on the device.

Deploying OpenFlow entries

A device with multiple security engines can direct bidirectional packets of the same flow to the same security engine for some services (for example, NAT and IPsec) by deploying OpenFlow entries. Each service module needs to communicate its traffic direction conditions (for example, source or destination IP address) and traffic direction targets (for example, Blade interface or failover group ID) to the flow manager. The flow manager then performs rule conversion for all service modules and passes the results to OpenFlow. Finally, OpenFlow generates OpenFlow entries and issues them to the security engines and interface cards. Centralizing rule conversion on the flow manager saves device resources.
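To make the rule-conversion step concrete, the following is an added Python model, not H3C code: it assumes a simple shape for what a service module hands over (a source/destination prefix condition plus a Blade interface or failover group target), first-match lookup semantics, and constructed interface names, and shows why each service rule has to become a forward and a reverse entry so that both directions of a flow resolve to the same engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ServiceRule:
    """What a service module hands to the flow manager (assumed shape):
    a direction condition (src/dst prefix) and a direction target."""
    service: str   # e.g. "NAT" or "IPsec"
    src: str       # condition: source prefix
    dst: str       # condition: destination prefix
    target: str    # where matching packets go, e.g. a Blade interface


def convert_rules(rules):
    """Centralized rule conversion: each service rule becomes two
    OpenFlow-style entries, one per direction, both pointing at the
    same target so that a flow's replies land on the same engine."""
    entries = []
    for r in rules:
        entries.append({"service": r.service, "match": (r.src, r.dst), "target": r.target})
        entries.append({"service": r.service, "match": (r.dst, r.src), "target": r.target})
    return entries


def lookup(entries, src_ip, dst_ip):
    """First-match lookup, as an interface card would do before steering a
    packet; returns None when no entry matches (assumed semantics)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for e in entries:
        s, d = e["match"]
        if src in ip_network(s) and dst in ip_network(d):
            return e["target"]
    return None


# Constructed sample rules from two service modules (not from the guide);
# the interface name and group ID are placeholders.
RULES = [
    ServiceRule("NAT", "10.1.0.0/16", "0.0.0.0/0", "Blade1/0/1"),
    ServiceRule("IPsec", "10.2.0.0/16", "192.0.2.0/24", "failover-group 3"),
]
ENTRIES = convert_rules(RULES)

if __name__ == "__main__":
    for pkt in [("10.1.2.3", "203.0.113.5"), ("203.0.113.5", "10.1.2.3"),
                ("192.0.2.9", "10.2.4.4"), ("198.51.100.7", "198.51.100.8")]:
        print(pkt, "->", lookup(ENTRIES, *pkt))
```

A packet that matches no entry (the last sample) is the case the text describes next: the interface card cannot decide on its own and the flow manager must be queried.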

Querying OpenFlow entries

Each service module can call the flow manager to query OpenFlow entries and transparently transmit traffic among security engines. A service module needs to call the flow manager to query OpenFlow entries in the following situations:

· Different services of the same flow need to be processed by different security engines.

· OpenFlow entries cannot be queried through interface cards, so bidirectional packets of the same flow cannot be directed to the same security engine. In this case, an interface card can send the traffic to any security engine. The flow manager queries the OpenFlow entries on that security engine and transparently transmits the traffic to the target security engine.

Enabling the flow manager for Layer 2 forwarding

About this task

An interface card cannot obtain packet information from packets that carry two VLAN tags (such as QinQ packets), and therefore cannot send such packets to the correct security engine.

This feature can query OpenFlow entries for such packets and transparently transmit them to the correct security engine.

Procedure

1. Enter system view.

system-view

2. Enable the flow manager for Layer 2 forwarding.

flow-manager mac-forwarding enable

By default, the flow manager is disabled for Layer 2 forwarding.
