11-Layer 3—IP Services Configuration Guide

H3C SecPath M9000 Configuration Guide (V7) (R9X71)-6W701

06-Fast forwarding configuration

Configuring fast forwarding

About fast forwarding

Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: source IP address, source port number, destination IP address, destination port number, and protocol number. After a flow's first packet is forwarded through the routing table, fast forwarding creates an entry and uses the entry to forward subsequent packets of the flow.

vSystem support for features

Non-default vSystems do not support the following features:

·     Hardware fast forwarding.

·     Enabling/disabling fast forwarding.

For information about the support of non-default vSystems for the commands, see the fast forwarding command reference. For information about vSystems, see Virtual Technologies Configuration Guide.

Restrictions and guidelines: Fast forwarding configuration

Fast forwarding can process fragmented IP packets, but it does not fragment IP packets.

Fast forwarding can be implemented by software or hardware. Unless otherwise noted, fast forwarding in this chapter refers to software fast forwarding.

Configuring the aging time for fast forwarding entries

About this task

The fast forwarding table uses an aging timer for each forwarding entry. If an entry is not updated before the timer expires, the device deletes the entry. If an entry has a hit within the aging time, the aging timer restarts.

Procedure

1.     Enter system view.

system-view

2.     Configure the aging time for fast forwarding entries.

ip fast-forwarding aging-time aging-time

By default, the aging time is 30 seconds.

Configuring fast forwarding load sharing

About this task

With fast forwarding load sharing enabled, the device identifies a data flow by the packet header fields only (source IP address, source port number, destination IP address, destination port number, and protocol number), regardless of the interface on which a packet arrives.

If fast forwarding load sharing is disabled, the device identifies a data flow by the packet header fields and the input interface. Packets of the same flow that arrive on different interfaces are then treated as different flows, and each gets its own fast forwarding entry.

Procedure

1.     Enter system view.

system-view

2.     Configure fast forwarding load sharing. Choose one option as needed:

¡     Enable fast forwarding load sharing.

ip fast-forwarding load-sharing

¡     Disable fast forwarding load sharing.

undo ip fast-forwarding load-sharing

By default, fast forwarding load sharing is enabled.
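The flow cache, the aging timer, and the effect of the load sharing setting on the flow key, shown as an added Python simulation. This is not code from the H3C guide or from the device; the routing table, interface names, packet contents and timestamps are constructed for the example, while the 5-tuple key and the 30-second default aging time are from this chapter. The example also reproduces the situation the "Ignoring interface sequence numbers during hardware fast forwarding" task later in this chapter addresses for the forwarding chip: return packets of one session arriving on two equal-cost interfaces.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int        # 6 = TCP, 17 = UDP
    in_iface: str     # interface the packet arrived on


# Constructed routing table for the slow path (assumption: three static routes).
ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "GE1/0/1"),
    (ipaddress.ip_network("172.16.0.0/16"), "GE1/0/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "GE1/0/3"),
]


def route_lookup(dst: str) -> str:
    """Slow path: longest-prefix match, which only the first packet of a flow goes through."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, oif) for net, oif in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


@dataclass
class Entry:
    out_iface: str
    last_hit: float   # time of the last packet that matched; drives the aging timer


class FastForwardingTable:
    def __init__(self, aging_time: float = 30.0, load_sharing: bool = True):
        self.aging_time = aging_time          # ip fast-forwarding aging-time (default 30 s)
        self.load_sharing = load_sharing      # ip fast-forwarding load-sharing (default enabled)
        self.entries: Dict[tuple, Entry] = {}

    def key(self, p: Packet) -> tuple:
        """Load sharing on: the 5-tuple alone. Off: the 5-tuple plus the input interface."""
        k = (p.src, p.sport, p.dst, p.dport, p.proto)
        return k if self.load_sharing else k + (p.in_iface,)

    def age_out(self, now: float) -> None:
        """Delete entries that have not been hit within the aging time."""
        for k in [k for k, e in self.entries.items() if now - e.last_hit >= self.aging_time]:
            del self.entries[k]

    def forward(self, p: Packet, now: float) -> Tuple[str, str]:
        """Forward one packet; returns (output interface, 'fast' or 'slow')."""
        self.age_out(now)
        e = self.entries.get(self.key(p))
        if e is not None:
            e.last_hit = now                  # a hit restarts the aging timer
            return e.out_iface, "fast"
        oif = route_lookup(p.dst)             # first packet of the flow: routing table lookup
        self.entries[self.key(p)] = Entry(oif, now)
        return oif, "slow"


def demo(load_sharing: bool) -> Tuple[List[str], int]:
    """Forward a TCP session whose return packets arrive on two equal-cost interfaces.

    Returns the path taken by each packet and the number of entries left at the end."""
    t = FastForwardingTable(aging_time=30.0, load_sharing=load_sharing)
    fwd = Packet("192.0.2.10", 40000, "10.1.1.5", 443, 6, "GE1/0/3")
    ret_a = Packet("10.1.1.5", 443, "192.0.2.10", 40000, 6, "GE1/0/1")   # return path 1
    ret_b = Packet("10.1.1.5", 443, "192.0.2.10", 40000, 6, "GE1/0/2")   # return path 2
    paths = [
        t.forward(fwd, 0.0)[1],     # slow: first packet, the routing table lookup creates the entry
        t.forward(fwd, 1.0)[1],     # fast: entry hit, timer restarted
        t.forward(ret_a, 2.0)[1],   # slow: first return packet creates its own entry
        t.forward(ret_b, 3.0)[1],   # fast only if the input interface is not part of the key
        t.forward(fwd, 40.0)[1],    # slow: 39 s idle exceeds the 30 s aging time, entry was deleted
    ]
    return paths, len(t.entries)
```

With load sharing enabled, demo(True) reports that the second return packet is fast forwarded although it arrived on another interface; with load sharing disabled, demo(False) reports a second slow-path lookup for it, which is the behaviour the text above describes.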

Configuring hardware fast forwarding

About this task

Hardware fast forwarding stores session information in the forwarding chip during fast forwarding, and speeds up forwarding of subsequent traffic by matching it against the stored session information.

Disable hardware fast forwarding when you troubleshoot problems on forwarding chips, so that packets take the software fast forwarding path.

Procedure

1.     Enter system view.

system-view

2.     Configure hardware fast forwarding.

¡     Enable hardware fast forwarding.

In standalone mode:

hardware fast-forwarding enable [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

hardware fast-forwarding enable [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

¡     Disable hardware fast forwarding.

In standalone mode:

undo hardware fast-forwarding enable [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

undo hardware fast-forwarding enable [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

By default, hardware fast forwarding is enabled.

Enabling DSCP-based fast forwarding for GRE and VXLAN packets

About this task

This feature uses the DSCP value in the outer header instead of the source port number among the identification criteria to identify GRE and VXLAN traffic flows.

Procedure

1.     Enter system view.

system-view

2.     Enable DSCP-based fast forwarding for GRE and VXLAN packets.

ip fast-forwarding dscp

By default, DSCP-based fast forwarding for GRE and VXLAN packets is disabled.

3.     (Optional.) Specify the destination UDP port number for identifying VXLAN packets.

ip fast-forwarding vxlan-port port-number

By default, the destination UDP port number is 4789.
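Why the outer source port is a poor flow identifier for tunnelled traffic, and what the DSCP option and the VXLAN port setting change, shown as an added Python example. This is not code from the guide or the device: the packets are constructed (outer IPv4 plus UDP/VXLAN or GRE headers with no inner frame), the functions vxlan_packet, gre_packet and flow_key are the example's own, and the field order of the key is an assumption, since the guide does not describe the chip's key layout.

```python
import struct
from typing import Tuple

IPPROTO_UDP, IPPROTO_GRE = 17, 47


def ip4(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def outer_ipv4(src: str, dst: str, proto: int, dscp: int, payload: bytes) -> bytes:
    """Constructed outer IPv4 header (no options, checksum left as 0) followed by payload."""
    tos = dscp << 2                     # DSCP is the top 6 bits of the TOS/DS byte
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip4(src), ip4(dst))
    return hdr + payload


def vxlan_packet(src: str, dst: str, dscp: int, sport: int,
                 vxlan_port: int = 4789, vni: int = 100) -> bytes:
    """Outer IPv4 + UDP + 8-byte VXLAN header (flags 0x08, VNI), no inner frame."""
    udp = struct.pack("!HHHH", sport, vxlan_port, 8 + 8, 0)
    vxlan = struct.pack("!BBBB", 0x08, 0, 0, 0) + struct.pack("!I", vni << 8)
    return outer_ipv4(src, dst, IPPROTO_UDP, dscp, udp + vxlan)


def gre_packet(src: str, dst: str, dscp: int) -> bytes:
    """Outer IPv4 + minimal 4-byte GRE header (no flags, protocol type 0x6558), no inner frame."""
    return outer_ipv4(src, dst, IPPROTO_GRE, dscp, struct.pack("!HH", 0, 0x6558))


def flow_key(pkt: bytes, dscp_mode: bool, vxlan_port: int = 4789) -> Tuple:
    """Build the fast-forwarding key from the outer header.

    dscp_mode mirrors 'ip fast-forwarding dscp'; vxlan_port mirrors
    'ip fast-forwarding vxlan-port'."""
    ihl = (pkt[0] & 0x0F) * 4
    dscp, proto = pkt[1] >> 2, pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport = dport = 0                            # GRE carries no ports
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    is_tunnel = proto == IPPROTO_GRE or (proto == IPPROTO_UDP and dport == vxlan_port)
    if dscp_mode and is_tunnel:
        # The outer UDP source port changes with every inner flow (VXLAN entropy),
        # so it is replaced by the outer DSCP; the other fields stay.
        return (src, ("dscp", dscp), dst, dport, proto)
    return (src, sport, dst, dport, proto)


def distinct_keys(dscp_mode: bool, vxlan_port: int = 4789) -> int:
    """Number of fast-forwarding entries four packets of one VXLAN tunnel would create."""
    pkts = [vxlan_packet("10.0.0.1", "10.0.0.2", 46, sport, vxlan_port)
            for sport in (49152, 50001, 61337, 33000)]
    return len({flow_key(p, dscp_mode, vxlan_port) for p in pkts})


def custom_port_effect() -> Tuple[int, int]:
    """Tunnel on UDP 4790: entries counted before and after telling the device about the port."""
    pkts = [vxlan_packet("10.0.0.1", "10.0.0.2", 46, sport, vxlan_port=4790)
            for sport in (49152, 50001)]
    before = len({flow_key(p, True) for p in pkts})                  # still expects 4789: 2 entries
    after = len({flow_key(p, True, vxlan_port=4790) for p in pkts})  # after vxlan-port 4790: 1 entry
    return before, after
```

distinct_keys(False) gives one entry per outer source port, distinct_keys(True) collapses the same packets into one entry, and custom_port_effect() shows that a tunnel on a non-default UDP port is not recognised as VXLAN, and therefore not keyed on DSCP, until the port is configured.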

Enabling the fast forwarding chip to encapsulate the incremental checksum in outgoing packets

1.     Enter system view.

system-view

2.     Enable the fast forwarding chip to encapsulate the incremental checksum in outgoing packets.

In standalone mode:

hardware fast-forwarding checksum encap incremental [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding checksum encap incremental [ chassis chassis-number slot slot-number cpu cpu-number ]

By default, the fast forwarding chip encapsulates the incremental checksum in outgoing packets.

Enabling the fast forwarding chip to do packet integrity check

1.     Enter system view.

system-view

2.     Enable the fast forwarding chip to check the integrity of outgoing packets.

In standalone mode:

hardware fast-forwarding checksum inspect [ l3 | l4 [ tcp | udp ] ] enable [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding checksum inspect [ l3 | l4 [ tcp | udp ] ] enable [ chassis chassis-number slot slot-number cpu cpu-number ]

By default, the fast forwarding chip checks the integrity of outgoing packets so that altered packets are detected. The action taken on an altered packet is configured separately.

Specifying the action on altered packets

1.     Enter system view.

system-view

2.     Specify the action to take on altered packets.

In standalone mode:

hardware fast-forwarding checksum inspect action { drop-err | log } [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding checksum inspect action { drop-err | log } [ chassis chassis-number slot slot-number cpu cpu-number ]

By default, the device forwards the altered packet and generates a log message.
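The checksum mechanics behind the three tasks above (incremental checksum, integrity check, and the drop-err or log action), shown as an added Python example. This is not code from the guide or the forwarding chip. Which header fields the chip rewrites and how it selects packets to check is not stated; the example assumes a TTL decrement on a constructed IPv4/UDP packet, uses the RFC 1624 incremental update, and verifies it against a full recomputation. The names inspect, incremental_update and the 'l3'/'l4' findings are the example's own.

```python
import struct
from typing import List, Tuple


def ip4(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def checksum(data: bytes) -> int:
    """Internet checksum of data (the checksum field inside data must be zero)."""
    return (~ones_complement_sum(data)) & 0xFFFF


def incremental_update(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), for one 16-bit word changed from m to m'."""
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, ttl, proto, 0,
                      ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    pseudo = ip4(src) + ip4(dst) + struct.pack("!BBH", 0, 17, length)
    c = checksum(pseudo + hdr + payload) or 0xFFFF      # UDP transmits 0xFFFF for a zero result
    return hdr[:6] + struct.pack("!H", c) + payload


def inspect(pkt: bytes, action: str = "log", l3: bool = True, l4: bool = True) -> Tuple[str, List[str]]:
    """Integrity check of an outgoing IPv4 (optionally UDP) packet.

    Returns (verdict, findings): verdict is 'forward' or 'drop'; findings lists the
    layers whose checksum no longer verifies. action 'log' forwards and reports
    (the guide's default); 'drop-err' drops an altered packet."""
    findings = []
    ihl = (pkt[0] & 0x0F) * 4
    if l3 and ones_complement_sum(pkt[:ihl]) != 0xFFFF:   # a valid header sums to all ones
        findings.append("l3")
    if l4 and pkt[9] == 17:
        ulen = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
        udp = pkt[ihl:ihl + ulen]
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, ulen)
        if udp[6:8] != b"\x00\x00" and ones_complement_sum(pseudo + udp) != 0xFFFF:
            findings.append("l4")
    if findings and action == "drop-err":
        return "drop", findings
    return "forward", findings


def incremental_matches_full() -> bool:
    """TTL 64 -> 63 rewrite: the incremental checksum equals a full recomputation."""
    pkt = ipv4_header("192.0.2.1", "198.51.100.7", 64, 17, 12)
    old_word, old_csum = struct.unpack("!HH", pkt[8:12])    # (TTL|proto) word and checksum
    new_word = old_word - 0x0100
    inc = incremental_update(old_csum, old_word, new_word)
    rewritten = pkt[:8] + struct.pack("!H", new_word) + pkt[10:]
    full = checksum(rewritten[:10] + b"\x00\x00" + rewritten[12:])
    return inc == full


def inspect_demo():
    """Constructed valid packet, then the same packet with one payload byte altered."""
    src, dst = "192.0.2.1", "198.51.100.7"
    udp = udp_segment(src, dst, 40000, 53, b"\x01\x02\x03\x04")
    good = ipv4_header(src, dst, 64, 17, len(udp)) + udp
    bad = good[:-1] + bytes([good[-1] ^ 0xFF])
    return inspect(good, "drop-err"), inspect(bad, "log"), inspect(bad, "drop-err")
```

inspect_demo() returns forward with no findings for the intact packet, forward with an 'l4' finding under the default log action, and drop with the same finding under drop-err; a payload change is invisible to the L3 check because the IPv4 header checksum covers only the header, which is why the l4 option matters for detecting altered data.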

Enabling single-chip hardware forwarding for upstream packets

About this task

This feature enables a dual-chip module to forward upstream packets by using only one of the chips. It does not apply to downstream packets. The module uses both chips to forward downstream packets.

Restrictions and guidelines

This feature applies only to modules that have more than one hardware forwarding chip.

After you change the hardware forwarding mode for upstream packets, you must restart the module for the change to take effect.

To change the hardware forwarding mode for upstream packets in a security engine group with multiple security engines (multiple modules), perform the following tasks:

1.     Execute the hardware fast-forwarding standalone or undo hardware fast-forwarding standalone command on all modules one by one to change their hardware forwarding mode for upstream packets.

2.     Restart all modules.

For details about security engine group, see context configuration in Virtual Technologies Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable single-chip hardware forwarding for upstream packets.

In standalone mode:

hardware fast-forwarding standalone [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

hardware fast-forwarding standalone [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

By default, dual-chip hardware forwarding is enabled for upstream packets.

Configuring the packet processing mode for security modules

About this task

When a CPU core on the security module processes too many packets in a short time, the performance of other CPU cores might be degraded. To resolve this issue, perform this task to enable the security module to process packets in attack-resistance mode. The security module will prefer using the fast-forwarding chip for packet processing.

Procedure

1.     Enter system view.

system-view

2.     Set the packet processing mode to attack-resistance for security modules.

hardware processing-mode attack-resistance

By default, the packet processing mode is CPU for security modules.

Ignoring interface sequence numbers during hardware fast forwarding

About this task

On a network that has two equal-cost egresses, the return packets of a forward flow might arrive on different interfaces. By default, the device treats return packets that arrive on different interfaces as different traffic flows, because their incoming interfaces are different. As a result, return packets that arrive on an interface other than the one for which the entry was created do not match that entry and are not hardware fast forwarded.

To resolve this issue, enable the device to ignore interface sequence numbers during hardware fast forwarding. The device then performs hardware fast forwarding for the return packets of a forward flow even if they are received on different interfaces.

Restrictions and guidelines

This feature takes effect only after you enable hardware fast forwarding.

If a forwarding error occurs, you can disable this feature for debugging.

In a dual-gateway network with equal-cost paths, enabling this feature affects device performance. Decide whether to enable or disable it based on the current network conditions.

Procedure

1.     Enter system view.

system-view

2.     Ignore interface sequence numbers during hardware fast forwarding.

Standalone mode:

hardware fast-forwarding ifsn match enable [ slot slot-number cpu cpu-number ]

IRF mode:

hardware fast-forwarding ifsn match enable [ chassis chassis-number slot slot-number cpu cpu-number ]

By default, the device does not ignore interface sequence numbers during hardware fast forwarding.

Disabling session lock

Restrictions and guidelines

This task is supported only for Blade IV security modules, Blade V security modules, and Blade VI security modules.

Procedure

1.     Enter system view.

system-view

2.     Control the session lock state. Choose one option as needed:

¡     Disable the session lock.

Standalone mode:

hardware fast-forwarding session-lock disable slot slot-number cpu cpu-number

IRF mode:

hardware fast-forwarding session-lock disable chassis chassis-number slot slot-number cpu cpu-number

¡     Enable the session lock.

Standalone mode:

undo hardware fast-forwarding session-lock disable slot slot-number cpu cpu-number

IRF mode:

undo hardware fast-forwarding session-lock disable chassis chassis-number slot slot-number cpu cpu-number

By default, the session lock is enabled.

Using the CRC hash algorithm for aggregation member port selection

Procedure

1.     Enter system view.

system-view

2.     Use the CRC hash algorithm to select a link aggregation member port as the output interface for outgoing traffic.

hardware fast-forwarding link-aggregation hash-mode crc

By default, the Exclusive-OR algorithm is used for aggregation member port selection.

3.     (Optional.) Set the IPv6 address offset for CRC calculation to select an aggregation member port as the output interface for outgoing traffic.

hardware fast-forwarding link-aggregation hash-mode crc ip-offset offset-value

By default, the IPv6 address offset used in CRC calculation is 0.

If you use the CRC hash algorithm for aggregation member port selection, you can use this command to set the offset at which the CRC calculation reads the IPv6 address. The CRC calculation starts at the bit specified by the offset-value argument and covers the following 32 bits of the address.
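What the CRC hash mode and the IPv6 offset change about member port selection, shown as an added Python example. This is not code from the guide or the device. The guide does not specify the default Exclusive-OR algorithm, so xor_fold is an assumed stand-in (XOR of all address bytes); crc_window takes the offset to count bits from the most significant end of the address, which is also an assumption; the four-member aggregation group and the two host address sets are constructed.

```python
import ipaddress
import zlib
from collections import Counter
from typing import Callable, Dict, List

MEMBERS = ["GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"]   # constructed aggregation group


def xor_fold(addr: str) -> int:
    """Assumed stand-in for the default Exclusive-OR hash: XOR of all 16 address bytes."""
    h = 0
    for b in ipaddress.IPv6Address(addr).packed:
        h ^= b
    return h


def crc_window(addr: str, ip_offset: int = 0) -> int:
    """CRC-32 over the 32 bits starting at bit ip_offset of the IPv6 address
    (hash-mode crc ip-offset). Bit 0 is taken as the most significant bit."""
    if not 0 <= ip_offset <= 96:
        raise ValueError("ip_offset must leave 32 bits inside the 128-bit address")
    n = int(ipaddress.IPv6Address(addr))
    window = (n >> (96 - ip_offset)) & 0xFFFFFFFF
    return zlib.crc32(window.to_bytes(4, "big")) & 0xFFFFFFFF


def select_member(h: int, members: List[str] = MEMBERS) -> str:
    return members[h % len(members)]


def spread(addrs: List[str], hasher: Callable[[str], int]) -> Dict[str, int]:
    """How many of addrs each member port would carry under hasher."""
    return dict(Counter(select_member(hasher(a)) for a in addrs))


# Constructed sample: 200 hosts in one /64 with sequential interface IDs.
HOSTS = [f"2001:db8:1:2::{i:x}" for i in range(1, 201)]
# Constructed sample: interface IDs made of two identical 16-bit groups (e.g. ::2a:2a).
SYMMETRIC = [f"2001:db8:1:2::{i:x}:{i:x}" for i in range(1, 201)]


def compare() -> Dict[str, int]:
    """Number of member ports actually used by each hash choice."""
    return {
        "xor, sequential hosts": len(spread(HOSTS, xor_fold)),
        "xor, symmetric hosts": len(spread(SYMMETRIC, xor_fold)),          # identical byte pairs cancel
        "crc offset 0": len(spread(HOSTS, crc_window)),                      # window is the shared /32 prefix
        "crc offset 96": len(spread(HOSTS, lambda a: crc_window(a, 96))),    # window is the host part
    }
```

compare() shows the practical caveat of the offset: with the default offset 0 the 32-bit window covers the prefix that every host at a site shares, so all traffic lands on one member port, while an offset that places the window over the interface identifier spreads it across all four. The symmetric host set shows the kind of input on which a byte-wise XOR fold degenerates.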

Enabling statistics collection for the status of hardware-based fast forwarding sessions

About this task

With this feature enabled, you can use the display session table ipv4 verbose or display session table ipv6 command to view the status of hardware-based fast forwarding sessions.

Only the Blade 4 and Blade 5 modules support this feature.

Procedure

1.     Enter system view.

system-view

2.     Enable statistics collection for the status of hardware-based fast forwarding sessions.

hardware fast-forwarding session-state enable

By default, statistics collection is enabled for the status of hardware-based fast forwarding sessions.

Enabling logical malformed packet detection

1.     Enter system view.

system-view

2.     Control logical malformed packet detection. Choose one option as needed:

¡     Enable logical malformed packet detection.

In standalone mode:

hardware fast-forwarding malpkt-filter enable [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding malpkt-filter enable [ chassis chassis-number slot slot-number cpu cpu-number ]

¡     Disable logical malformed packet detection.

In standalone mode:

undo hardware fast-forwarding malpkt-filter enable [ slot slot-number cpu cpu-number ]

In IRF mode:

undo hardware fast-forwarding malpkt-filter enable [ chassis chassis-number slot slot-number cpu cpu-number ]

By default, logical malformed packet detection is enabled.

Enabling discarding malformed packets with the same SIP and DIP

About this task

In some attack scenarios, attackers send spoofed packets whose source IP address (SIP) is the same as the destination IP address (DIP). With this feature enabled, the hardware forwarding chip directly discards a packet when it detects a malformed packet with SIP=DIP, instead of sending it to the CPU, which improves network security and robustness.

Before configuring this feature, use the hardware fast-forwarding malpkt-filter enable command to enable logical malformed packet detection.

Restrictions and guidelines

This feature takes effect only on Blade IV security service modules.

Procedure

1.     Enter system view.

system-view

2.     Enable discarding malformed packets with the same SIP and DIP.

In standalone mode:

hardware fast-forwarding malpkt-filter sip_dip discard [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding malpkt-filter sip_dip discard [ chassis chassis-number slot slot-number cpu cpu-number ]

By default, the hardware forwarding chip does not discard malformed packets with the same SIP and DIP. It directly forwards them to the CPU for processing.
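The interaction between the two malformed-packet tasks above (detection on or off, SIP=DIP discard on or off) and the resulting verdicts, shown as an added Python example. This is not code from the guide or the forwarding chip. The guide does not state which consistency checks "logical malformed packet detection" covers, so the length checks in logical_errors are illustrative; the SIP=DIP check itself is the one the task describes (it is the pattern of the classic LAND attack). The packets, the verdict names and the assumption that the chip does not inspect anything while detection is disabled are the example's own.

```python
import struct
from typing import List, Optional, Tuple


def ip4(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def make_ipv4(src: str, dst: str, payload: bytes = b"", total_len: Optional[int] = None) -> bytes:
    """Constructed IPv4 header (no options, checksum 0) plus payload; total_len can be forced wrong."""
    total = 20 + len(payload) if total_len is None else total_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, ip4(src), ip4(dst)) + payload


class MalformedFilter:
    """Chip-side handling of malformed packets as the two tasks describe it.

    malpkt_filter   -> hardware fast-forwarding malpkt-filter enable (default on)
    sip_dip_discard -> hardware fast-forwarding malpkt-filter sip_dip discard (default off)
    Verdicts: 'forward' (chip fast path), 'punt-cpu' (handed to the CPU), 'drop'."""

    def __init__(self, malpkt_filter: bool = True, sip_dip_discard: bool = False):
        self.malpkt_filter = malpkt_filter
        # The discard option requires detection to be enabled first (guide); without
        # detection the option is assumed to have no effect.
        self.sip_dip_discard = sip_dip_discard and malpkt_filter

    @staticmethod
    def logical_errors(pkt: bytes) -> List[str]:
        """Header consistency checks; which ones the chip performs is not stated in the guide."""
        errs = []
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return ["not-ipv4"]
        ihl = (pkt[0] & 0x0F) * 4
        total = struct.unpack("!H", pkt[2:4])[0]
        if ihl < 20 or ihl > len(pkt):
            errs.append("bad-ihl")
        if total < ihl or total > len(pkt):
            errs.append("bad-total-length")
        if pkt[12:16] == pkt[16:20]:
            errs.append("sip=dip")
        return errs

    def classify(self, pkt: bytes) -> Tuple[str, str]:
        if not self.malpkt_filter:
            return "forward", "not-inspected"
        errs = self.logical_errors(pkt)
        if not errs:
            return "forward", "ok"
        if "sip=dip" in errs and self.sip_dip_discard:
            return "drop", "sip=dip"            # discarded in the chip, never reaches the CPU
        return "punt-cpu", ",".join(errs)      # default: malformed packets go to the CPU


def demo() -> Tuple[Tuple[str, str], ...]:
    land = make_ipv4("203.0.113.9", "203.0.113.9")                        # constructed SIP=DIP packet
    normal = make_ipv4("203.0.113.9", "198.51.100.1")
    short = make_ipv4("203.0.113.9", "198.51.100.1", total_len=8)          # total length below the header size
    default = MalformedFilter()                                            # detection on, discard off
    hardened = MalformedFilter(sip_dip_discard=True)
    ineffective = MalformedFilter(malpkt_filter=False, sip_dip_discard=True)  # discard without detection
    return (default.classify(land), hardened.classify(land), hardened.classify(normal),
            hardened.classify(short), ineffective.classify(land))
```

demo() shows the default behaviour (SIP=DIP packets are punted to the CPU), the hardened behaviour (they are dropped in the chip), that other malformed packets still go to the CPU, and that enabling the discard option without logical malformed packet detection changes nothing.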

Display and maintenance commands for fast forwarding

Execute display commands in any view and reset commands in user view.

Task / Command

Display the aging time of fast forwarding entries.

display ip fast-forwarding aging-time

Display fast forwarding entries.

In standalone mode:

display ip fast-forwarding cache [ ip-address ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip fast-forwarding cache [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Display fast forwarding entries about fragmented packets.

In standalone mode:

display ip fast-forwarding fragcache [ ip-address ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip fast-forwarding fragcache [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Clear the fast forwarding table.

In standalone mode:

reset ip fast-forwarding cache [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset ip fast-forwarding cache [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]