H3C SecPath Security Products FAQ(V7)-6W100


02-Device forwarding FAQ

Device forwarding FAQ

Q.     What is the procedure for M9000 series devices to process service packets?

A.     The service packets arrive at the interface module, the switch fabric module, and the service module in sequence. After the service module has processed them, it sends them back through the switch fabric module and then the interface module, in that order.

Q.     What are the default security zones for the system?

A.     By default, the system has Trust, Untrust, DMZ, Local, and Management zones.

Q.     Compared with V5, what are the differences in the security zone feature in V7?

A.     Compared with V5, V7 has the following changes:

·     Security zones do not have zone IDs.

·     Security zones do not have priority and share attributes.

·     Packets are denied if they are sent from and arrive at the same security zone.

Q.     Is the management interface in a security zone by default?

A.     By default, the management interface is in the Management zone.

Q.     What is the default inter-zone policy?

A.     By default, packets are denied between security zones.

Q.     What are the inter-zone policy types?

A.     Inter-zone policies come in three types: security policy, object policy, and packet filtering. Use whichever type fits your needs.

Q.     Why does the system display unmatched when the time span and the address group both match?

A.     A VPN instance might be involved. If the inbound interface belongs to a VPN instance, you must also specify that VPN instance in the rule for the packets to match.

Q.     Which one takes precedence when both packet filtering and an object policy are configured?

A.     Object policies take effect before packet filtering.

Q.     How many object group hierarchy layers are supported?

A.     The system supports a maximum of five object group hierarchy layers.

Q.     What is the operating order for inter-zone policies and NAT?

A.     The operating order is NAT server translation, inter-zone policy matching, and outbound dynamic NAT in sequence.
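The ordering above has a practical consequence for writing rules: an inter-zone policy sees the destination address after NAT server translation and the source address before outbound dynamic NAT. The following Python model is an added example, not H3C code; the zone names, addresses, rule format and the `forward()` function are constructed for illustration, and the policy is a simplified first-match list.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of the three stages in the order the FAQ states:
# NAT server -> inter-zone policy matching -> outbound dynamic NAT.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    src_zone: str
    dst_zone: str

# Constructed NAT server mapping: public address -> internal server
NAT_SERVER = {"203.0.113.10": "192.168.10.5"}

# Constructed outbound dynamic NAT address used for Trust -> Untrust traffic
OUTBOUND_NAT_ADDRESS = "203.0.113.1"

# Rule written against the internal (post-NAT-server) address: matches
POLICY_INTERNAL_ADDR = [
    ("Untrust", "Trust", "192.168.10.5/32", "permit"),
    ("Trust", "Untrust", "0.0.0.0/0", "permit"),
]

# Rule written against the public (pre-NAT-server) address: never matches,
# because the destination was already translated when the policy runs
POLICY_PUBLIC_ADDR = [
    ("Untrust", "Trust", "203.0.113.10/32", "permit"),
    ("Trust", "Untrust", "0.0.0.0/0", "permit"),
]

def nat_server(p):
    """Stage 1: translate a public destination to the internal server."""
    return replace(p, dst=NAT_SERVER.get(p.dst, p.dst))

def policy_match(p, policy):
    """Stage 2: first matching (src_zone, dst_zone, dst_network) rule wins;
    the default inter-zone action is deny."""
    for src_zone, dst_zone, net, action in policy:
        if (src_zone, dst_zone) == (p.src_zone, p.dst_zone) and \
                ip_address(p.dst) in ip_network(net):
            return action
    return "deny"

def outbound_nat(p):
    """Stage 3: rewrite the source of Trust -> Untrust traffic."""
    if (p.src_zone, p.dst_zone) == ("Trust", "Untrust"):
        return replace(p, src=OUTBOUND_NAT_ADDRESS)
    return p

def forward(p, policy):
    """Run the three stages in order. Returns (action, packet as sent or None)."""
    p = nat_server(p)
    action = policy_match(p, policy)
    if action != "permit":
        return action, None
    return action, outbound_nat(p)

if __name__ == "__main__":
    inbound = Packet("198.51.100.7", "203.0.113.10", 443, "Untrust", "Trust")
    print(forward(inbound, POLICY_INTERNAL_ADDR))   # permit, dst 192.168.10.5
    print(forward(inbound, POLICY_PUBLIC_ADDR))     # deny, None
    outbound = Packet("192.168.10.20", "198.51.100.9", 443, "Trust", "Untrust")
    print(forward(outbound, POLICY_INTERNAL_ADDR))  # permit, src 203.0.113.1
```

The second policy is the common mistake: a permit rule for the public address of a NAT server silently matches nothing, and the default deny drops the traffic.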

Q.     What are the link aggregation load-sharing modes?

A.     Link aggregation load sharing has the following modes:

·     Per-flow: Distributes traffic by one or more of the following criteria: source/destination MAC address, source/destination service port, inbound port, source/destination IP address, IP protocol, and MPLS label. Packets belonging to the same data flow will go through the same member link.

·     Flexible: Automatically chooses a load sharing mode depending on the packet type. For example, load sharing mode differs for Layer 2, IPv4, IPv6, and MPLS packets.

·     Per-packet: Distributes traffic on a per-packet basis. Traffic is distributed across the selected member ports in proportion to their expected bandwidth.

By default, the system uses the per-flow mode. To change the link aggregation load-sharing mode, use the link-aggregation global load-sharing mode command.

Q.     Why does forwarding fail when flows with the same quintuple pass through the device in both directions?

A.     By default, the inbound interface is not part of the fast-forwarding lookup key. Forwarding fails because the system creates a single fast-forwarding entry for all flows with the same quintuple, as the following output shows:

[Device] display ip fast-forwarding cache
Total number of fast-forwarding entries: 1
SIP        SPort  DIP         Dport  Pro  Input_If  Output_If  Flg
198.1.1.2  1024   197.1.20.1  2048        Tun2      RAGG3      1

After you configure the undo ip fast-forwarding load-sharing command, the inbound interface becomes part of the lookup key. Flows with the same quintuple but different inbound interfaces then get separate fast-forwarding entries:

[Device] display ip fast-forwarding cache
Total number of fast-forwarding entries: 2
SIP        Sport  DIP         Dport  Pro  Input_If  Output_If  Flg
198.1.1.2  1024   197.1.20.1  2048   1    RAGG4     RAGG2      1
198.1.1.2  1024   197.1.20.1  2048   1    Tun2      RAGG3      1
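To make the failure mode concrete, here is an added Python model of the fast-forwarding cache; it is not H3C code. It reproduces the two states shown above: with the inbound interface excluded from the key (the default), the second flow hits the entry the first flow created and is sent out the wrong interface; with the inbound interface in the key, each flow gets its own entry. The `route_lookup` mapping and the `simulate()` helper are constructed for the example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "sip sport dip dport proto in_if")

class FastForwardingCache:
    """Constructed model of the fast-forwarding table.

    load_sharing=True  -> key is the quintuple only (the default).
    load_sharing=False -> the inbound interface is added to the key
                          (the effect of 'undo ip fast-forwarding load-sharing').
    """
    def __init__(self, load_sharing=True):
        self.load_sharing = load_sharing
        self.entries = {}          # key -> output interface

    def key(self, f):
        k = (f.sip, f.sport, f.dip, f.dport, f.proto)
        return k if self.load_sharing else k + (f.in_if,)

    def forward(self, f, route_lookup):
        """Fast path if an entry exists; otherwise take the slow path
        (route_lookup) once and cache the result."""
        k = self.key(f)
        if k not in self.entries:
            self.entries[k] = route_lookup(f)
        return self.entries[k]

def route_lookup(f):
    # Constructed slow-path decision that mirrors the FAQ output:
    # packets arriving on Tun2 leave via RAGG3, packets arriving on RAGG4 via RAGG2.
    return {"Tun2": "RAGG3", "RAGG4": "RAGG2"}[f.in_if]

def simulate(load_sharing):
    """Send the same quintuple in from Tun2 and then from RAGG4.
    Returns (entry count, output for the Tun2 flow, output for the RAGG4 flow)."""
    cache = FastForwardingCache(load_sharing)
    quintuple = ("198.1.1.2", 1024, "197.1.20.1", 2048, 1)
    out_tun2 = cache.forward(Flow(*quintuple, in_if="Tun2"), route_lookup)
    out_ragg4 = cache.forward(Flow(*quintuple, in_if="RAGG4"), route_lookup)
    return len(cache.entries), out_tun2, out_ragg4

if __name__ == "__main__":
    print("default:              ", simulate(True))    # (1, 'RAGG3', 'RAGG3')
    print("undo ... load-sharing:", simulate(False))   # (2, 'RAGG3', 'RAGG2')
```

In the default case the RAGG4 flow is forwarded out RAGG3 instead of RAGG2, which is exactly the "forwarding fails" symptom: the cached entry belongs to the other direction.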

IPSec

Q.     Why does the configured aging time for application layer protocol sessions not take effect when I test application layer traffic?

A.     The display session aging-time application command shows the aging time for application sessions that are in ESTABLISHED state. For sessions that are not in ESTABLISHED state, the system uses the aging time of the corresponding Layer 4 protocol instead.

Q.     What kinds of ICMP error packets can be detected by ASPF ICMP error packet detection?

A.     The following output lists the ICMP error types that can be detected:

   type                          code
   ICMP_UNREACH(3)               [0, 12]
   ICMP_SOURCEQUENCH(4)          [0, 0]
   ICMP_REDIRECT(5)              [0, 3]
   ICMP_TIMXCEED(11)             [0, 1]
   ICMP_PARAMPROB(12)            [0, 1]

The value in the parentheses represents the ICMP packet type and the value in the brackets represents the ICMP code range.
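The table above is what a stateful inspector consults before it associates an ICMP error with an existing session: it checks the type and code, then reads the original IP header quoted inside the error body to recover the flow the error refers to. The following Python parser is an added example, not H3C code; it encodes exactly the type/code ranges listed above and constructs its own sample packet (checksums left at zero) for testing.

```python
import struct
from ipaddress import IPv4Address

# ICMP error types listed in the FAQ, with the detectable code range (inclusive)
DETECTABLE_ICMP_ERRORS = {
    3: (0, 12),   # ICMP_UNREACH
    4: (0, 0),    # ICMP_SOURCEQUENCH
    5: (0, 3),    # ICMP_REDIRECT
    11: (0, 1),   # ICMP_TIMXCEED
    12: (0, 1),   # ICMP_PARAMPROB
}

def is_detectable_error(icmp_type, icmp_code):
    """True if (type, code) falls inside one of the listed ranges."""
    rng = DETECTABLE_ICMP_ERRORS.get(icmp_type)
    return rng is not None and rng[0] <= icmp_code <= rng[1]

def parse_icmp_error(payload):
    """Parse an ICMP message (bytes after the IP header).

    For a detectable error, return the type, code and the quintuple of the
    original datagram quoted in the error body, which is what a session table
    lookup needs. Return None for anything else (echo, unknown code, truncated).
    """
    if len(payload) < 8:
        return None
    icmp_type, icmp_code = payload[0], payload[1]
    if not is_detectable_error(icmp_type, icmp_code):
        return None
    inner = payload[8:]                       # quoted original IPv4 datagram
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    l4 = inner[ihl:ihl + 4]                   # first 4 bytes of L4: ports for TCP/UDP
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4)
    return {"type": icmp_type, "code": icmp_code,
            "orig": (src, sport, dst, dport, proto)}

def build_icmp_error(icmp_type, icmp_code, src, dst, proto, sport, dport):
    """Constructed sample: 8-byte ICMP header + quoted 20-byte IPv4 header
    + 8 bytes of the original L4 header. Checksums are left as zero."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, proto, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return icmp_hdr + inner_ip + inner_l4

if __name__ == "__main__":
    # Constructed: port-unreachable (3/3) for a UDP datagram 198.51.100.1:53 -> 192.0.2.10:40000
    pkt = build_icmp_error(3, 3, "198.51.100.1", "192.0.2.10", 17, 53, 40000)
    print(parse_icmp_error(pkt))
    # Code 13 is outside the [0, 12] range in the table, so it is not detected
    print(parse_icmp_error(build_icmp_error(3, 13, "198.51.100.1", "192.0.2.10", 17, 53, 40000)))
```

The returned quintuple is the original datagram's, so a session lookup must compare it against the initiator side of the session rather than against the outer ICMP packet's addresses.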

Q.     Why are session statistics incorrect?

A.     To ensure device performance, statistics collection is disabled by default. To collect packet statistics, configure the session statistic enable command in system view.

Q.     Can I establish sessions for both IPv4 and IPv6 packets?

A.     Yes. Both IPv4 and IPv6 packets can be used to establish sessions.

Q.     What address types can an IPv4 address object group contain?

A.     An IPv4 address object group can contain host addresses, domain addresses, subnet addresses, and address ranges. A single group can mix these address types. Address object groups support hierarchy layers, so an address object group can contain another address object group.

Q.     What is the matching order of object policy rules?

A.     If an object policy contains multiple rules, the system matches packets against the rules in the order in which the rules were created and stops at the first matching rule. The display this command in the inter-domain instance view lists the rules in that creation order. You can move rules to change the matching order.

Q.     What are the types of object policies?

A.     There are two types of object policies: IPv4 object policies and IPv6 object policies.

Q.     For object policy configuration, does the vrf keyword specify the inbound or outbound VPN instance?

A.     The vrf keyword specifies the inbound VPN instance.

Q.     What are the signature filters of object policies?

A.     The signature filters include source address group, destination address group, service group, VPN instance, and time span.

The service group identifies the Layer 4 protocol by the protocol number carried in the IP header.

Q.     What is the matching order of object policy rules?

A.     The system matches packets against rules from top to bottom according to their position in the list, not according to their rule IDs. For example, if both rule 0 and rule 1 exist, the system first matches packets against whichever of the two is listed first.
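The following Python model ties together the object group and rule-order answers above (address types and nesting, the five-level hierarchy limit, and first-match by list position rather than rule ID). It is an added example, not H3C code; the class names, the `move()` semantics and the demo policy are constructed, and domain addresses are omitted because they would need name resolution.

```python
from ipaddress import ip_address, ip_network

MAX_GROUP_DEPTH = 5      # hierarchy limit stated in the FAQ

class AddressGroup:
    """Constructed model of an IPv4 address object group with host, subnet,
    range members and nested groups."""
    def __init__(self, name):
        self.name = name
        self.members = []

    def add_host(self, ip):
        self.members.append(("host", ip_address(ip)))

    def add_subnet(self, net):
        self.members.append(("subnet", ip_network(net)))

    def add_range(self, lo, hi):
        self.members.append(("range", ip_address(lo), ip_address(hi)))

    def add_group(self, group):
        self.members.append(("group", group))

    def depth(self):
        """Number of hierarchy layers including this group."""
        nested = [m[1].depth() for m in self.members if m[0] == "group"]
        return 1 + max(nested, default=0)

    def contains(self, ip):
        ip = ip_address(ip)
        for m in self.members:
            if m[0] == "host" and ip == m[1]:
                return True
            if m[0] == "subnet" and ip in m[1]:
                return True
            if m[0] == "range" and m[1] <= ip <= m[2]:
                return True
            if m[0] == "group" and m[1].contains(ip):
                return True
        return False

class Rule:
    def __init__(self, rule_id, src, dst, action):
        self.rule_id, self.src, self.dst, self.action = rule_id, src, dst, action

class ObjectPolicy:
    """Rules are evaluated in list order; rule IDs are only labels."""
    def __init__(self):
        self.rules = []

    def add_rule(self, rule):
        for g in (rule.src, rule.dst):
            if g.depth() > MAX_GROUP_DEPTH:
                raise ValueError(f"{g.name}: {g.depth()} layers exceeds {MAX_GROUP_DEPTH}")
        self.rules.append(rule)

    def move(self, rule_id, before_id):
        """Move rule_id so that it is evaluated before before_id."""
        rule = next(r for r in self.rules if r.rule_id == rule_id)
        self.rules.remove(rule)
        idx = next(i for i, r in enumerate(self.rules) if r.rule_id == before_id)
        self.rules.insert(idx, rule)

    def match(self, sip, dip):
        """Return (rule_id, action) of the first match, or (None, 'deny')."""
        for r in self.rules:
            if r.src.contains(sip) and r.dst.contains(dip):
                return r.rule_id, r.action
        return None, "deny"

def chain_group(n):
    """Constructed helper: n groups nested one inside the next."""
    groups = [AddressGroup(f"g{i}") for i in range(n)]
    for outer, inner in zip(groups, groups[1:]):
        outer.add_group(inner)
    groups[-1].add_host("192.0.2.99")
    return groups[0]

def build_demo_policy():
    """Constructed policy: rule 0 (deny campus) is created before rule 1 (permit branch)."""
    servers = AddressGroup("servers"); servers.add_host("192.0.2.1")
    branch = AddressGroup("branch");   branch.add_subnet("10.1.1.0/24")
    campus = AddressGroup("campus");   campus.add_group(branch)
    campus.add_range("10.2.0.1", "10.2.0.100")
    policy = ObjectPolicy()
    policy.add_rule(Rule(0, campus, servers, "deny"))
    policy.add_rule(Rule(1, branch, servers, "permit"))
    return policy

if __name__ == "__main__":
    p = build_demo_policy()
    print(p.match("10.1.1.5", "192.0.2.1"))   # (0, 'deny'): rule 0 is listed first
    p.move(1, before_id=0)
    print(p.match("10.1.1.5", "192.0.2.1"))   # (1, 'permit'): rule 1 now listed first
```

The branch host matches both rules, so the outcome is decided purely by which rule sits higher in the list; after the move, rule 1 wins even though its ID is larger.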
