11-Layer 3—IP Services Command Reference

H3C SecPath M9000 Command Reference(V7)(R9X71)-6W701

Fast forwarding commands

Non-default vSystems do not support some of the fast forwarding commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.

display ip fast-forwarding aging-time

Use display ip fast-forwarding aging-time to display the aging time of fast forwarding entries.

Syntax

display ip fast-forwarding aging-time

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Examples

# Display the aging time of fast forwarding entries.

<Sysname> display ip fast-forwarding aging-time

 Aging time: 30s

Related commands

ip fast-forwarding aging-time

display ip fast-forwarding cache

Use display ip fast-forwarding cache to display fast forwarding entries.

Syntax

In standalone mode:

display ip fast-forwarding cache [ ip-address ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip fast-forwarding cache [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

ip-address: Specifies an IP address. If you do not specify an IP address, this command displays all fast forwarding entries.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays fast forwarding entries for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card in an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays fast forwarding entries for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display all fast forwarding entries.

<Sysname> display ip fast-forwarding cache

Total number of fast-forwarding entries: 1

SIP            SPort DIP            DPort Pro Input_If   Output_If   Flg

7.0.0.13       68    8.0.0.1        67    17  GE1/0/3    GE1/0/1     5

Table 1 Command output

Field        Description
SIP          Source IP address.
SPort        Source port number.
DIP          Destination IP address.
DPort        Destination port number.
Pro          Protocol number.
Input_If     Input interface type and number. If no interface is involved in fast forwarding, this field displays N/A. If the input interface does not exist, this field displays a hyphen (-).
Output_If    Output interface type and number. If no interface is involved in fast forwarding, this field displays N/A. If the output interface does not exist, this field displays a hyphen (-).
Flg          Internal tag, marking internal operation information, such as fragmentation.

Related commands

reset ip fast-forwarding cache

display ip fast-forwarding fragcache

Use display ip fast-forwarding fragcache to display fast forwarding entries for fragmented packets.

Syntax

In standalone mode:

display ip fast-forwarding fragcache [ ip-address ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip fast-forwarding fragcache [ ip-address ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

vsys-admin

vsys-operator

Parameters

ip-address: Specifies an IP address. If you do not specify an IP address, this command displays fast forwarding entries for all fragmented packets.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays fast forwarding entries for fragmented packets on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number represents the slot number of the card. If you do not specify a card, this command displays fast forwarding entries for fragmented packets on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Restrictions and guidelines

The system creates fast forwarding entries for fragments only when virtual fragment reassembly (VFR) is enabled. If VFR is disabled, this command does not display fast forwarding entries for fragments.

Examples

# Display fast forwarding entries for all fragmented packets.

<Sysname> display ip fast-forwarding fragcache

Total number of fragment fast-forwarding entries: 1

SIP             SPort DIP             DPort Pro Input_If    ID     Relay_flag

7.0.0.13        68    8.0.0.1         67    17  GE1/0/3     2      1

Table 2 Command output

Field        Description
SIP          Source IP address.
SPort        Source port number.
DIP          Destination IP address.
DPort        Destination port number.
Pro          Protocol number.
Input_If     Input interface type and number. If no interface is involved in fast forwarding, this field displays N/A. If the input interface does not exist, this field displays a hyphen (-).
ID           Fragment ID.
Relay_flag   Fragment pass-through flag. 0: Not pass through. 1: Pass through.

Related commands

reset ip fast-forwarding cache
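
The two display commands above produce fixed-column text that is easy to review by script. The following is an added example, not H3C code: it parses both table layouts using the header names from Table 1 and Table 2 and reports the special values those tables define (N/A, hyphen, Relay_flag 1), plus entries whose SIP equals DIP. The sample output is constructed (only the first row of each table comes from this page), and the function names are assumptions.

```python
import ipaddress

# Header names exactly as printed by the two display commands on this page.
CACHE_COLS = ["SIP", "SPort", "DIP", "DPort", "Pro", "Input_If", "Output_If", "Flg"]
FRAG_COLS = ["SIP", "SPort", "DIP", "DPort", "Pro", "Input_If", "ID", "Relay_flag"]

# Constructed sample output; rows 2 and 3 of the cache table and row 2 of the
# fragcache table are made up for illustration.
CACHE_SAMPLE = """\
<Sysname> display ip fast-forwarding cache
Total number of fast-forwarding entries: 3
SIP            SPort DIP            DPort Pro Input_If   Output_If   Flg
7.0.0.13       68    8.0.0.1        67    17  GE1/0/3    GE1/0/1     5
192.0.2.10     40000 198.51.100.7   443   6   GE1/0/3    -           1
192.0.2.99     0     192.0.2.99     0     1   N/A        N/A         1
"""

FRAG_SAMPLE = """\
<Sysname> display ip fast-forwarding fragcache
Total number of fragment fast-forwarding entries: 2
SIP             SPort DIP             DPort Pro Input_If    ID     Relay_flag
7.0.0.13        68    8.0.0.1         67    17  GE1/0/3     2      1
192.0.2.10      0     198.51.100.7    0     17  GE1/0/2     77     0
"""


def parse_table(text):
    """Return (declared_total, rows); each row is a dict keyed by header name."""
    declared, header, rows = None, None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if line.strip().startswith("Total number of"):
            declared = int(line.rsplit(":", 1)[1])
        elif fields in (CACHE_COLS, FRAG_COLS):
            header = fields
        elif header and len(fields) == len(header):
            row = dict(zip(header, fields))
            try:  # skip anything that is not a real entry row
                ipaddress.ip_address(row["SIP"])
                ipaddress.ip_address(row["DIP"])
            except ValueError:
                continue
            rows.append(row)
    return declared, rows


def review(declared, rows):
    """Return (flow, note) pairs for values the field tables single out."""
    findings = []
    if declared is not None and declared != len(rows):
        findings.append(("table", f"declared {declared} entries, parsed {len(rows)}"))
    for r in rows:
        flow = f"{r['SIP']}:{r['SPort']} -> {r['DIP']}:{r['DPort']} proto {r['Pro']}"
        for col in ("Input_If", "Output_If"):
            if r.get(col) == "-":
                findings.append((flow, f"{col} does not exist"))
            elif r.get(col) == "N/A":
                findings.append((flow, f"{col}: no interface involved"))
        if ipaddress.ip_address(r["SIP"]) == ipaddress.ip_address(r["DIP"]):
            findings.append((flow, "SIP equals DIP"))
        if r.get("Relay_flag") == "1":
            findings.append((flow, "fragment pass-through"))
    return findings


if __name__ == "__main__":
    for sample in (CACHE_SAMPLE, FRAG_SAMPLE):
        for flow, note in review(*parse_table(sample)):
            print(f"{flow}: {note}")
```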

hardware fast-forwarding checksum encap incremental

Use hardware fast-forwarding checksum encap incremental to enable the incremental checksum encapsulation for outgoing packets on hardware fast forwarding chips.

Use undo hardware fast-forwarding checksum encap incremental to restore the default.

Syntax

In standalone mode:

hardware fast-forwarding checksum encap incremental [ slot slot-number cpu cpu-number ]

undo hardware fast-forwarding checksum encap incremental [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding checksum encap incremental [ chassis chassis-number slot slot-number cpu cpu-number ]

undo hardware fast-forwarding checksum encap incremental [ chassis chassis-number slot slot-number cpu cpu-number ]

Default

The incremental checksum is encapsulated into the outgoing packets on hardware fast forwarding chips.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, the command enables incremental checksum encapsulation for outgoing packets on hardware fast forwarding chips of all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, the command enables incremental checksum encapsulation for outgoing packets on hardware fast forwarding chips of all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command takes effect only on service modules that support hardware fast forwarding.

This command is supported only on the default context and is not supported on non-default contexts.

Examples

# Enable the incremental checksum encapsulation for outgoing packets on the hardware fast forwarding chip for CPU 1 on the specified slot.

<Sysname> system-view

[Sysname] hardware fast-forwarding checksum encap incremental chassis 1 slot 1 cpu 1

hardware fast-forwarding checksum inspect action

Use hardware fast-forwarding checksum inspect action { drop-err | log } to specify an action for a packet alteration event.

Use undo hardware fast-forwarding checksum inspect action { drop-err | log } to cancel the specified action.

Syntax

In standalone mode:

hardware fast-forwarding checksum inspect action { drop-err | log } [ slot slot-number cpu cpu-number ]

undo hardware fast-forwarding checksum inspect action { drop-err | log } [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding checksum inspect action { drop-err | log } [ chassis chassis-number slot slot-number cpu cpu-number ]

undo hardware fast-forwarding checksum inspect action { drop-err | log } [ chassis chassis-number slot slot-number cpu cpu-number ]

Default

When the device detects a packet alteration event, it forwards the altered packet and generates a log message.

Views

System view

Predefined user roles

network-admin

Parameters

drop-err: Drops the altered packets.

log: Generates a log message when the device detects a packet alteration event.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, the command configuration applies to all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, the command configuration applies to all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command takes effect only on service modules that support hardware fast forwarding.

This command is supported only on the default context and is not supported on non-default contexts.

If you execute this command multiple times, the specified action in each execution takes effect.

Examples

# Disable logging for packet alteration for CPU 1 on the specified slot.

<Sysname> system-view

[Sysname] undo hardware fast-forwarding checksum inspect action log chassis 1 slot 1 cpu 1

Related commands

hardware fast-forwarding checksum inspect enable

hardware fast-forwarding checksum inspect enable

Use hardware fast-forwarding checksum inspect enable to enable alteration detection for outgoing packets on hardware fast forwarding chips.

Use undo hardware fast-forwarding checksum inspect enable to disable alteration detection for outgoing packets on hardware fast forwarding chips.

Syntax

In standalone mode:

hardware fast-forwarding checksum inspect [ l3 | l4 [ tcp | udp ] ] enable [ slot slot-number cpu cpu-number ]

undo hardware fast-forwarding checksum inspect [ l3 | l4 [ tcp | udp ] ] enable [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding checksum inspect [ l3 | l4 [ tcp | udp ] ] enable [ chassis chassis-number slot slot-number cpu cpu-number ]

undo hardware fast-forwarding checksum inspect [ l3 | l4 [ tcp | udp ] ] enable [ chassis chassis-number slot slot-number cpu cpu-number ]

Default

Alteration detection is enabled for outgoing packets on hardware fast forwarding chips.

Views

System view

Predefined user roles

network-admin

Parameters

l3: Enables the packet alteration detection on the Layer 3 information.

l4: Enables the packet alteration detection on the Layer 4 information.

tcp: Enables the TCP packet alteration detection.

udp: Enables the UDP packet alteration detection.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, the command enables alteration detection for outgoing packets on hardware fast forwarding chips of all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, the command enables alteration detection for outgoing packets on hardware fast forwarding chips of all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This command takes effect only on service modules that support hardware fast forwarding.

To enable alteration detection on different types of packets, execute this command multiple times.

To enable TCP or UDP packet alteration detection, specify the l4 keyword before you specify the tcp or udp keyword.

If you do not specify any parameters, the device detects alterations for outgoing packets on both the Layer 3 and Layer 4 information.

If you specify the l4 keyword without specifying the tcp or udp keyword, the device detects alterations for outgoing packets on the Layer 4 information.

This command is supported only on the default context and is not supported on non-default contexts.

Examples

# Disable alteration detection on outgoing TCP packets for CPU 1 on slot 1 chassis 1.

<Sysname> system-view

[Sysname] undo hardware fast-forwarding checksum inspect l4 tcp enable chassis 1 slot 1 cpu 1
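
The checksum inspect action and checksum inspect enable commands above are cumulative, so the effective state of a card depends on every command that was entered. The following is an added example, not H3C code: it replays a constructed command list against the defaults stated on this page and reports what is left for one card. It assumes that the l4 keyword covers both tcp and udp, that a command without a location applies to every card, and that an altered packet is forwarded unless drop-err is set; the function names are assumptions.

```python
import re

LOC = r"(?: ((?:chassis \d+ )?slot \d+ cpu \d+))?"
ENABLE_RE = re.compile(
    r"^(undo )?hardware fast-forwarding checksum inspect"
    r"(?: (l3|l4(?: (?:tcp|udp))?))? enable" + LOC + r"$")
ACTION_RE = re.compile(
    r"^(undo )?hardware fast-forwarding checksum inspect action"
    r" (drop-err|log)" + LOC + r"$")
PROMPT_RE = re.compile(r"^[\[<][^\]>]*[\]>]\s*")

# Which detection targets each keyword combination touches.
# Assumption: "l4" alone means both TCP and UDP, the only two L4 keywords.
TARGETS = {
    None: ("l3", "l4-tcp", "l4-udp"),
    "l3": ("l3",),
    "l4": ("l4-tcp", "l4-udp"),
    "l4 tcp": ("l4-tcp",),
    "l4 udp": ("l4-udp",),
}

# Constructed command history (as typed in system view).
SAMPLE = [
    "<Sysname> system-view",
    "[Sysname] undo hardware fast-forwarding checksum inspect l4 tcp enable chassis 1 slot 1 cpu 1",
    "[Sysname] undo hardware fast-forwarding checksum inspect action log chassis 1 slot 1 cpu 1",
    "[Sysname] hardware fast-forwarding checksum inspect action drop-err chassis 1 slot 2 cpu 1",
    "[Sysname] undo hardware fast-forwarding checksum inspect l3 enable",
]


def replay(lines, location):
    """Apply the commands that affect `location`, starting from the defaults."""
    # Defaults from this page: detection enabled; forward the packet and log.
    detect = {"l3": True, "l4-tcp": True, "l4-udp": True}
    actions = {"log": True, "drop-err": False}
    for raw in lines:
        cmd = " ".join(PROMPT_RE.sub("", raw.strip()).split())
        m = ENABLE_RE.match(cmd)
        if m:
            if m.group(3) in (None, location):  # no location = all cards
                for target in TARGETS[m.group(2)]:
                    detect[target] = m.group(1) is None
            continue
        m = ACTION_RE.match(cmd)
        if m and m.group(3) in (None, location):
            actions[m.group(2)] = m.group(1) is None
    return detect, actions


def findings(detect, actions):
    """List the gaps a reviewer would want to know about."""
    out = []
    off = sorted(k for k, on in detect.items() if not on)
    if off:
        out.append("alteration detection disabled for: " + ", ".join(off))
    if not actions["log"]:
        if actions["drop-err"]:
            out.append("altered packets are dropped without a log message")
        else:
            out.append("altered packets are forwarded without a log message")
    return out


if __name__ == "__main__":
    for loc in ("chassis 1 slot 1 cpu 1", "chassis 1 slot 2 cpu 1"):
        print(loc, findings(*replay(SAMPLE, loc)))
```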

hardware fast-forwarding enable

Use hardware fast-forwarding enable to enable hardware fast forwarding.

Use undo hardware fast-forwarding enable to disable hardware fast forwarding.

Syntax

In standalone mode:

hardware fast-forwarding enable [ slot slot-number [ cpu cpu-number ] ]

undo hardware fast-forwarding enable [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

hardware fast-forwarding enable [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

undo hardware fast-forwarding enable [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Default

Hardware fast forwarding is enabled.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command enables hardware fast forwarding for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number represents the slot number of the card. If you do not specify a card, this command enables hardware fast forwarding for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Non-default vSystems do not support this command.

Hardware fast forwarding stores session information during fast forwarding to speed up subsequent traffic forwarding by comparing the traffic with session information.

Disable hardware fast forwarding when you troubleshoot problems on forwarding chips.

Non-default contexts do not support this command.

Examples

# Disable hardware fast forwarding on slot 1.

<Sysname> system-view

[Sysname] undo hardware fast-forwarding enable slot 1

hardware fast-forwarding ifsn match enable

Use hardware fast-forwarding ifsn match enable to ignore interface sequence numbers during hardware fast forwarding.

Use undo hardware fast-forwarding ifsn match enable to disable ignoring interface sequence numbers during hardware fast forwarding.

Syntax

Standalone mode:

hardware fast-forwarding ifsn match enable [ slot slot-number cpu cpu-number ]

undo hardware fast-forwarding ifsn match enable [ slot slot-number cpu cpu-number ]

IRF mode:

hardware fast-forwarding ifsn match enable [ chassis chassis-number slot slot-number cpu cpu-number ]

undo hardware fast-forwarding ifsn match enable [ chassis chassis-number slot slot-number cpu cpu-number ]

Default

The device does not ignore interface sequence numbers during hardware fast forwarding.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by the slot number. (Standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number represents the slot number of the card. (IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

In a network that has two equal-cost egresses, the device might receive the return packets of a forward flow on different interfaces. By default, the device determines that those return packets are in different traffic flows, because their incoming interfaces are different. As a result, the device cannot implement hardware fast forwarding for the return packets in a different flow.

To resolve this issue, enable the device to ignore interface sequence numbers during hardware fast forwarding. The device can perform hardware fast forwarding for the return packets of a forward flow even if they are received on different interfaces.

If a forwarding error occurs, you can disable this feature for debugging.

In an equivalent dual-gateway network, enabling this function affects device performance. Decide whether to disable this function based on the current network status.

This feature takes effect only after you enable hardware fast forwarding.

Examples

# Ignore interface sequence numbers during hardware fast forwarding.

<Sysname> system-view

[Sysname] hardware fast-forwarding ifsn match enable chassis 1 slot 7 cpu 1

hardware fast-forwarding link-aggregation hash-mode crc

Use hardware fast-forwarding link-aggregation hash-mode crc to use the CRC hash algorithm to select a link aggregation member port as the output interface for outgoing traffic.

Use undo hardware fast-forwarding link-aggregation hash-mode crc to restore the default.

Syntax

hardware fast-forwarding link-aggregation hash-mode crc

undo hardware fast-forwarding link-aggregation hash-mode crc

Default

The Exclusive-OR algorithm is used for aggregation member port selection.

Views

System view

Predefined user roles

network-admin

Examples

# Use the CRC hash algorithm to select a link aggregation member port as the output interface for outgoing traffic on slot 3.

<Sysname> system-view

[Sysname] hardware fast-forwarding link-aggregation hash-mode crc

hardware fast-forwarding link-aggregation hash-mode crc ip-offset

Use hardware fast-forwarding link-aggregation hash-mode crc ip-offset to set the IPv6 address offset for CRC calculation to select an aggregation member port as the output interface for outgoing traffic.

Use undo hardware fast-forwarding link-aggregation hash-mode crc ip-offset to restore the default.

Syntax

hardware fast-forwarding link-aggregation hash-mode crc ip-offset offset-value

undo hardware fast-forwarding link-aggregation hash-mode crc ip-offset [ offset-value ]

Default

The IPv6 address offset used in CRC calculation is 0.

Views

System view

Predefined user roles

network-admin

Parameters

offset-value: Specifies the IPv6 address offset in bits. The value range for this argument is 0 to 31.

Usage guidelines

If you use the CRC hash algorithm for aggregation member port selection, you can use this command to set a calculation offset for the IPv6 addresses used in the calculation. CRC uses the bit that the offset-value argument specifies and the following 32 bits for calculation.

Examples

# Set the IPv6 address offset used in CRC calculation to 10.

<Sysname> system-view

[Sysname] hardware fast-forwarding link-aggregation hash-mode crc ip-offset 10

hardware fast-forwarding malpkt-filter enable

Use hardware fast-forwarding malpkt-filter enable to enable logical malformed packet detection.

Use undo hardware fast-forwarding malpkt-filter enable to disable logical malformed packet detection.

Syntax

In standalone mode:

hardware fast-forwarding malpkt-filter enable [ slot slot-number cpu cpu-number ]

undo hardware fast-forwarding malpkt-filter enable [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding malpkt-filter enable [ chassis chassis-number slot slot-number cpu cpu-number ]

undo hardware fast-forwarding malpkt-filter enable [ chassis chassis-number slot slot-number cpu cpu-number ]

Default

Logical malformed packet detection is enabled.

Views

Probe view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command enables this feature on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command enables this feature on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Enable logical malformed packet detection.

<Sysname> system-view

[Sysname] hardware fast-forwarding malpkt-filter enable

hardware fast-forwarding malpkt-filter sip_dip discard

Use hardware fast-forwarding malpkt-filter sip_dip discard to enable discarding malformed packets with the same SIP and DIP.

Use undo hardware fast-forwarding malpkt-filter sip_dip discard to restore the default.

Syntax

In standalone mode:

hardware fast-forwarding malpkt-filter sip_dip discard [ slot slot-number cpu cpu-number ]

undo hardware fast-forwarding malpkt-filter sip_dip discard [ slot slot-number cpu cpu-number ]

In IRF mode:

hardware fast-forwarding malpkt-filter sip_dip discard [ chassis chassis-number slot slot-number cpu cpu-number ]

undo hardware fast-forwarding malpkt-filter sip_dip discard [ chassis chassis-number slot slot-number cpu cpu-number ]

Default

The hardware forwarding chip does not discard malformed packets with the same SIP and DIP. It directly forwards them to the CPU for processing.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command enables this feature on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command enables this feature on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Operating mechanism

In some attack scenarios, attackers might perform network deception by using packets with the same source IP address (SIP) and destination IP address (DIP). With this feature enabled, the hardware forwarding chip directly discards packets when it detects a malformed packet with SIP=DIP, thereby enhancing network security and robustness.

Before configuring this feature, use the hardware fast-forwarding malpkt-filter enable command to enable logical malformed packet detection.

Restrictions and guidelines

This feature takes effect only on Blade IV security service modules.

Examples

# Enable discarding malformed packets with the same SIP and DIP.

<Sysname> system-view

[Sysname] hardware fast-forwarding malpkt-filter enable

[Sysname] hardware fast-forwarding malpkt-filter sip_dip discard slot 1 cpu 1

hardware fast-forwarding session-lock disable

Use hardware fast-forwarding session-lock disable to disable the session lock.

Use undo hardware fast-forwarding session-lock disable to enable the session lock.

Syntax

Standalone mode:

hardware fast-forwarding session-lock disable slot slot-number cpu cpu-number

undo hardware fast-forwarding session-lock disable slot slot-number cpu cpu-number

IRF mode:

hardware fast-forwarding session-lock disable chassis chassis-number slot slot-number cpu cpu-number

undo hardware fast-forwarding session-lock disable chassis chassis-number slot slot-number cpu cpu-number

Default

The session lock is enabled.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. (Standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number represents the slot number of the card. (IRF mode.)

cpu cpu-number: Specifies a CPU by its number.

Usage guidelines

This command is supported only for Blade IV security modules, Blade V security modules, and Blade VI security modules.

Examples

# Disable the session lock for a card on an IRF member device.

<Sysname> system-view

[Sysname] hardware fast-forwarding session-lock disable chassis 1 slot 1 cpu 1

hardware fast-forwarding session-state enable

Use hardware fast-forwarding session-state enable to enable statistics collection for the status of hardware-based fast forwarding sessions.

Use undo hardware fast-forwarding session-state enable to disable statistics collection for the status of hardware-based fast forwarding sessions.

Syntax

hardware fast-forwarding session-state enable

undo hardware fast-forwarding session-state enable

Default

Statistics collection is enabled for the status of hardware-based fast forwarding sessions.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

With this feature enabled, you can use the display session table ipv4 verbose or display session table ipv6 command to view the status of hardware-based fast forwarding sessions.

Only the Blade 4 and Blade 5 modules support this feature.

Examples

# Enable statistics collection for the status of hardware-based fast forwarding sessions.

<Sysname> system-view

[Sysname] hardware fast-forwarding session-state enable

Related commands

display session table ipv4 (Security Command Reference)

display session table ipv6 (Security Command Reference)

hardware fast-forwarding standalone

Use hardware fast-forwarding standalone to enable single-chip hardware forwarding for upstream packets.

Use undo hardware fast-forwarding standalone to restore the default.

Syntax

In standalone mode:

hardware fast-forwarding standalone [ slot slot-number [ cpu cpu-number ] ]

undo hardware fast-forwarding standalone [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

hardware fast-forwarding standalone [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

undo hardware fast-forwarding standalone [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Default

Dual-chip hardware forwarding is enabled for upstream packets.

Views

System view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by the slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device or specifies a PEX. The chassis-number argument represents the member ID of the IRF member device or the virtual chassis number of the PEX. The slot-number represents the slot number of the card or PEX. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

This feature applies only to modules that have more than one hardware forwarding chip.

It enables a dual-chip module to forward upstream packets by using only one of the chips. This feature does not apply to downstream packets. The module uses both chips to forward downstream packets.

After you change the hardware forwarding mode for upstream packets, you must restart the module for the change to take effect.

To change the hardware forwarding mode for upstream packets in a security engine group with multiple security engines (multiple modules), perform the following tasks:

1.     Execute the hardware fast-forwarding standalone or undo hardware fast-forwarding standalone command on all modules one by one to change their hardware forwarding mode for upstream packets.

2.     Restart all modules.

For details about security engine group, see context configuration in Virtual Technologies Configuration Guide.

Examples

# Enable single-chip hardware forwarding for upstream packets on slot 1.

<Sysname> system-view

[Sysname] hardware fast-forwarding standalone slot 1

hardware processing-mode attack-resistance

Use hardware processing-mode attack-resistance to set the packet processing mode to attack-resistance for security modules.

Use undo hardware processing-mode attack-resistance to restore the default.

Syntax

hardware processing-mode attack-resistance

undo hardware processing-mode attack-resistance

Default

The packet processing mode is CPU for security modules.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When a CPU core on the security module processes too many packets in a short time, the performance of other CPU cores might be degraded. To resolve this issue, use this command to enable the security module to process packets in attack-resistance mode. The security module will prefer using FPGA for packet processing.

Examples

# Set the packet processing mode to attack-resistance on security modules.

<Sysname> system-view

[Sysname] hardware processing-mode attack-resistance

ip fast-forwarding aging-time

Use ip fast-forwarding aging-time to configure the aging time for fast forwarding entries.

Use undo ip fast-forwarding aging-time to restore the default.

Syntax

ip fast-forwarding aging-time aging-time

undo ip fast-forwarding aging-time

Default

The aging time is 30 seconds.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

aging-time: Specifies the aging time in the range of 10 to 300 seconds.

Examples

# Set the aging time to 20 seconds for fast forwarding entries.

<Sysname> system-view

[Sysname] ip fast-forwarding aging-time 20

Related commands

display ip fast-forwarding aging-time

ip fast-forwarding dscp

Use ip fast-forwarding dscp to enable DSCP-based fast forwarding for GRE and VXLAN packets.

Use undo ip fast-forwarding dscp to restore the default.

Syntax

ip fast-forwarding dscp

undo ip fast-forwarding dscp

Default

DSCP-based fast forwarding for GRE and VXLAN packets is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

This command is applicable to GRE packets (with IP as the passenger protocol) and VXLAN packets that are processed by software.

This feature uses the DSCP value in the outer header instead of the source port number among the identification criteria to identify GRE and VXLAN traffic flows.

This command is mutually exclusive with NAT and load balancing.

Examples

# Enable DSCP-based GRE and VXLAN packet fast forwarding.

<Sysname> system-view

[Sysname] ip fast-forwarding dscp

ip fast-forwarding load-sharing

Use ip fast-forwarding load-sharing to enable fast forwarding load sharing.

Use undo ip fast-forwarding load-sharing to disable fast forwarding load sharing.

Syntax

ip fast-forwarding load-sharing

undo ip fast-forwarding load-sharing

Default

Fast forwarding load sharing is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Usage guidelines

Fast forwarding load sharing enables the device to load share packets of the same flow. This feature identifies a data flow by using the packet information.

If fast forwarding load sharing is disabled, the device identifies a data flow by the packet information and the input interface. No load sharing is implemented.

Examples

# Enable fast forwarding load sharing.

<Sysname> system-view

[Sysname] ip fast-forwarding load-sharing
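
Several commands on this page change which fields identify a flow: hardware fast-forwarding ifsn match enable and ip fast-forwarding load-sharing decide whether the input interface is part of the match, and ip fast-forwarding dscp replaces the source port with the outer DSCP value for GRE and VXLAN. The following is an added example, not H3C code: a small model of a fast forwarding table that counts entries, hits and misses under each setting. The class, its parameters and the packets are constructed for illustration and do not describe the device's internal data structures.

```python
from collections import namedtuple

# sip/sport/dip/dport/proto/in_if mirror the cache columns on this page;
# dscp and tunnel are added here to model the DSCP-based case.
Packet = namedtuple("Packet", "sip sport dip dport proto in_if dscp tunnel")


class FastPathModel:
    """Toy flow table: the first packet of a flow misses, later ones hit."""

    def __init__(self, key_on_input_if, dscp_mode=False):
        self.key_on_input_if = key_on_input_if  # False models "ignore interface"
        self.dscp_mode = dscp_mode              # models ip fast-forwarding dscp
        self.entries = set()
        self.hits = 0
        self.misses = 0

    def key(self, pkt):
        discriminator = pkt.sport
        if self.dscp_mode and pkt.tunnel in ("gre", "vxlan"):
            # Outer DSCP stands in for the source port, as the page describes.
            discriminator = ("dscp", pkt.dscp)
        key = (pkt.sip, discriminator, pkt.dip, pkt.dport, pkt.proto)
        return key + (pkt.in_if,) if self.key_on_input_if else key

    def forward(self, pkt):
        k = self.key(pkt)
        if k in self.entries:
            self.hits += 1
            return "fast"
        self.entries.add(k)  # entry is created by the first packet
        self.misses += 1
        return "slow"


def run(packets, **mode):
    """Return (entries, hits, misses) after forwarding all packets."""
    model = FastPathModel(**mode)
    for pkt in packets:
        model.forward(pkt)
    return len(model.entries), model.hits, model.misses


# Constructed: return packets of one flow arriving on two equal-cost interfaces.
RETURN_FLOW = [
    Packet("198.51.100.7", 443, "192.0.2.10", 40000, 6, in_if, 0, None)
    for in_if in ("GE1/0/1", "GE1/0/2", "GE1/0/1", "GE1/0/2")
]

# Constructed: VXLAN packets between one pair of tunnel endpoints. The outer
# UDP source port varies per inner flow; the outer DSCP value is the same.
VXLAN_FLOW = [
    Packet("192.0.2.1", sport, "192.0.2.2", 4789, 17, "GE1/0/1", 46, "vxlan")
    for sport in (49152, 49153, 49154, 49155)
]

if __name__ == "__main__":
    print("interface in key:   ", run(RETURN_FLOW, key_on_input_if=True))
    print("interface ignored:  ", run(RETURN_FLOW, key_on_input_if=False))
    print("VXLAN by source port:", run(VXLAN_FLOW, key_on_input_if=False))
    print("VXLAN by DSCP:       ", run(VXLAN_FLOW, key_on_input_if=False, dscp_mode=True))
```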

ip fast-forwarding vxlan-port

Use ip fast-forwarding vxlan-port to specify the destination UDP port number for identifying VXLAN packets.

Use undo ip fast-forwarding vxlan-port to restore the default.

Syntax

ip fast-forwarding vxlan-port port-number

undo ip fast-forwarding vxlan-port

Default

The destination UDP port number is 4789.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

This feature is applicable to only the UDP packets that are processed by software.

In a VXLAN network, configure this command on intermediate devices to identify VXLAN packets.

Examples

# Set the destination UDP port number to 4900 for identifying VXLAN packets.

<Sysname> system-view

[Sysname] ip fast-forwarding vxlan-port 4900

reset ip fast-forwarding cache

Use reset ip fast-forwarding cache to clear the fast forwarding table.

Syntax

In standalone mode:

reset ip fast-forwarding cache [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset ip fast-forwarding cache [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command clears the fast forwarding table for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears the fast forwarding table for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Clear the fast forwarding table.

<Sysname> reset ip fast-forwarding cache

Related commands

display ip fast-forwarding cache

display ip fast-forwarding fragcache
