Contents

Configuring fast forwarding· 1

About fast forwarding· 1

vSystem support for features· 1

Restrictions and guidelines: Fast forwarding configuration· 1

Configuring the aging time for fast forwarding entries· 1

Configuring fast forwarding load sharing· 2

Configuring hardware fast forwarding· 2

Enabling DSCP-based fast forwarding for GRE and VXLAN packets· 3

Enabling the fast forwarding chip to encapsulate the incremental checksum in outgoing packets· 3

Enabling the fast forwarding chip to do packet integrity check· 4

Specifying the action on altered packets· 4

Enabling single-chip hardware forwarding for upstream packets· 5

Display and maintenance commands for fast forwarding· 5

 

Configuring fast forwarding

About fast forwarding

Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: source IP address, source port number, destination IP address, destination port number, and protocol number. After a flow's first packet is forwarded through the routing table, fast forwarding creates an entry and uses the entry to forward subsequent packets of the flow.

vSystem support for features

Non-default vSystems do not support the following features:

·     Hardware fast forwarding.

·     Enabling/disabling fast forwarding.

For information about the support of non-default vSystems for the commands, see fast forwarding command reference. For information about vSystem, see Virtual Technologies Configuration Guide.

Restrictions and guidelines: Fast forwarding configuration

Fast forwarding can process fragmented IP packets, but it does not fragment IP packets.

Fast forwarding can be implemented by software or hardware. Unless otherwise noted, fast forwarding in this chapter refers to software fast forwarding.

Configuring the aging time for fast forwarding entries

About this task

The fast forwarding table uses an aging timer for each forwarding entry. If an entry is not updated before the timer expires, the device deletes the entry. If an entry has a hit within the aging time, the aging timer restarts.

Procedure

1.     Enter system view.

system-view

2.     Configure the aging time for fast forwarding entries.

ip fast-forwarding aging-time aging-time

By default, the aging time is 30 seconds.

Configuring fast forwarding load sharing

About this task

Fast forwarding load sharing enables the device to identify a data flow by using the packet information.

If fast forwarding load sharing is disabled, the device identifies a data flow by the packet information and the input interface.

 

Procedure

1.     Enter system view.

system-view

2.     Configure fast forwarding load sharing. Choose one option as needed:

¡     Enable fast forwarding load sharing.

ip fast-forwarding load-sharing

¡     Disable fast forwarding load sharing.

undo ip fast-forwarding load-sharing

By default, fast forwarding load sharing is enabled.

Configuring hardware fast forwarding

About this task

Hardware fast forwarding stores session information during fast forwarding to speed up subsequent traffic forwarding by comparing the traffic with session information.

Disable hardware fast forward when you troubleshoot problems on forwarding chips.

The following compatibility matrix shows the support of hardware platforms for this command:

‌

Series	Models	Command compatibility
F5000 series	F5000-AI360, F5000-AI160, F5000-AI120, F5000-CN160	Yes
	F5000-CN-G85, F5000-CN-G65, F5000-CN-G55, F5000-CN60, F5000-CN30, F5000-AI-40, F5000-AI-20, F5000-AI-15	No
F1000 series	F1000-AI-90, F1000-AI-80, F1000-AI-75, F1000-AI-70, F1000-AI-65, F1000-AI-60, F1000-AI-25, F1000-CN-G35	No

 

In a dual-master IRF stacking scenario, packet forwarding passthrough is temporarily not supported:

·     If the device version is EXX90P07 and earlier, you can execute the undo hardware fast-forwarding enable command on the master device to disable hardware fast forwarding after establishing IRF.

·     If the device version is EXX90P07 and later, the device will automatically disable the hardware fast forwarding feature when the IRF is established. After disabling hardware fast forwarding, the device will rely on CPU for software forwarding, leading to a certain decrease in device performance. Use IRF networking cautiously and prioritize using RBM networking. For more information about the RBM networking, see High Reliability Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Configure hardware fast forwarding.

¡     Enable hardware fast forwarding.

¡     Disable hardware fast forwarding.

By default, hardware fast forwarding is enabled.

Enabling DSCP-based fast forwarding for GRE and VXLAN packets

About this task

This feature uses the DSCP value in the outer header instead of the source port number among the identification criteria to identify GRE and VXLAN traffic flows.

Procedure

1.     Enter system view.

system-view

2.     Enable DSCP-based fast forwarding for GRE and VXLAN packets.

ip fast-forwarding dscp

By default, DSCP-based fast forwarding for GRE and VXLAN packet is disabled.

3.     (Optional.) Specify the destination UDP port number for identifying VXLAN packets

ip fast-forwarding vxlan-port port-number

By default, the destination UDP port number is 4789.

Enabling the fast forwarding chip to encapsulate the incremental checksum in outgoing packets

1.     Enter system view.

system-view

2.     Enable the fast forwarding chip to encapsulate the incremental checksum in outgoing packets.

hardware fast-forwarding checksum encap incremental [ slot slot-number cpu cpu-number ]

By default, the fast forwarding chip encapsulates the incremental checksum in outgoing packets.

The following compatibility matrix shows the support of hardware platforms for this command:

‌

Series	Models	Command compatibility
F5000 series	F5000-AI360, F5000-AI160, F5000-AI120, F5000-CN160	Yes
	F5000-CN-G85, F5000-CN-G65, F5000-CN-G55, F5000-CN60, F5000-CN30, F5000-AI-40, F5000-AI-20, F5000-AI-15	No
F1000 series	F1000-CN-G35, F1000-AI-90, F1000-AI-80, F1000-AI-75, F1000-AI-70, F1000-AI-65, F1000-AI-60, F1000-AI-25	No

 

Enabling the fast forwarding chip to do packet integrity check

1.     Enter system view.

system-view

2.     Enable the fast forwarding chip to check the integrity of outgoing packets.

hardware fast-forwarding checksum inspect [ l3 | l4 [ tcp | udp ] ] enable [ slot slot-number cpu cpu-number ]

By default, the fast forwarding chip checks the integrity of outgoing packets to prevent packet alteration.

The following compatibility matrix shows the support of hardware platforms for this command:

 

Series	Models	Command compatibility
F5000 series	F5000-AI360, F5000-AI160, F5000-AI120, F5000-CN160	Yes
	F5000-CN-G85, F5000-CN-G65, F5000-CN-G55, F5000-CN60, F5000-CN30, F5000-AI-40, F5000-AI-20, F5000-AI-15	No
F1000 series	F1000-CN-G35, F1000-AI-90, F1000-AI-80, F1000-AI-75, F1000-AI-70, F1000-AI-65, F1000-AI-60, F1000-AI-25	No

 

Specifying the action on altered packets

1.     Enter system view.

system-view

2.     Specify the action to take on altered packets.

hardware fast-forwarding checksum inspect action { drop-err | log } [ slot slot-number cpu cpu-number ]

By default, the device forwards the altered packet and generates a log message.

The following compatibility matrix shows the support of hardware platforms for this command:

 

Series	Models	Command compatibility
F5000 series	F5000-AI360, F5000-AI160, F5000-AI120, F5000-CN160	Yes
	F5000-CN-G85, F5000-CN-G65, F5000-CN-G55, F5000-CN60, F5000-CN30, F5000-AI-40, F5000-AI-20, F5000-AI-15	No
F1000 series	F1000-CN-G35, F1000-AI-90, F1000-AI-80, F1000-AI-75, F1000-AI-70, F1000-AI-65, F1000-AI-60, F1000-AI-25	No

 

Enabling single-chip hardware forwarding for upstream packets

About this task

This feature enables a dual-chip module to forward upstream packets by using only one of the chips. It does not apply to downstream packets. The module uses both chips to forward downstream packets.

Restrictions and guidelines

This feature applies only to modules that have more than one hardware forwarding chip.

After you change the hardware forwarding mode for upstream packets, you must restart the module for the change to take effect.

To change the hardware forwarding mode for upstream packets in a security engine group with multiple security engines (multiple modules), perform the following tasks:

1.     Execute the hardware fast-forwarding standalone or undo hardware fast-forwarding standalone command on all modules one by one to change their hardware forwarding mode for upstream packets.

2.     Restart all modules.

The following compatibility matrix shows the support of hardware platforms for this command:

‌

Series	Models	Command compatibility
F5000 series	F5000-AI360, F5000-AI160, F5000-AI120, F5000-CN160	Yes
	F5000-CN-G85, F5000-CN-G65, F5000-CN-G55, F5000-CN60, F5000-CN30, F5000-AI-40, F5000-AI-20, F5000-AI-15	No
F1000 series	F1000-CN-G35, F1000-AI-90, F1000-AI-80, F1000-AI-75, F1000-AI-70, F1000-AI-65, F1000-AI-60, F1000-AI-25	No

 

Procedure

1.     Enter system view.

system-view

2.     Enable single-chip hardware forwarding for upstream packets.

hardware fast-forwarding standalone [ slot slot-number ]

By default, dual-chip hardware forwarding is enabled for upstream packets.

Display and maintenance commands for fast forwarding

Execute display commands in any view and reset commands in user view.

 

Task	Command
Display the aging time of fast forwarding entries.	display ip fast-forwarding aging-time
Display fast forwarding entries.	display ip fast-forwarding cache [ ip-address ] [ slot slot-number ]
Display fast forwarding entries about fragmented packets.	display ip fast-forwarding fragcache [ ip-address ] [ slot slot-number ]
Clear the fast forwarding table.	reset ip fast-forwarding cache [ slot slot-number ]