
Hash-based CPU Selection

Context

Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this function.

The USG6635E/6655E, USG6680E and USG6712E/6716E have a master CPU and a slave CPU.

For the USG6635E/6655E, USG6680E and USG6712E/6716E, when receiving a service packet that needs to be sent to a CPU, the FW uses the hash algorithm to obtain the index ID based on the source IP address or the source and destination IP addresses of the packet. Then the FW selects a CPU from the board number table based on the index ID and sends the packet to that CPU for processing. The board number table shows the mappings between CPUs and index IDs. All CPUs are arranged according to certain rules in the board number table, and the IDs are assigned in sequence.

Currently, the FW supports the following hash-based modes:

  • Hash-based mode that is oriented to the source IP address

    The source IP address of a packet determines the CPU on the FW that processes the packet.

  • Hash-based mode that is oriented to the source and destination IP addresses

    The source and destination IP addresses of a packet determine the CPU on the FW that processes the packet.

You must set the hash-based mode to the source address mode to use the following functions:
  • After you disable the distributed bandwidth adjustment using the undo traffic-policy per-ip distributed adjust enable command and use the per-IP traffic limiting function, you must set the hash-based mode to the source address hash mode so that the traffic from the same IP address is assigned to the same CPU for processing, which ensures the bandwidth control accuracy.
  • 3-tuple NAT
  • CAR-NAT
  • Port pre-allocation in NAT444
  • Port quantity limit in DS-Lite
  • Static Mapping

According to the result of hash-based computation, different types of traffic may be sent to the same CPU on the FW due to certain features of the hash algorithm. As a result, the CPU cannot process other services. To avoid the preceding issue, the FW can adjust the hash gene to evenly send different types of traffic to the CPUs on the FW.

In dual-device hot backup scenarios, if the hash gene is configured to take effect immediately, services are interrupted for a short period of time. When the hash mode (hash gene) takes effect after the device restarts, the hash mode (hash gene) of the active and standby devices is different during the active/standby switchover. As a result, sessions cannot be correctly backed up, and services are interrupted for a short time.

When the hash mode (hash gene) change takes effect, NAT, IPSec, and forwarding services are interrupted for a short period of time. After the sessions of these services are re-established, the services are restored.
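
The following added example (not Huawei code) models the selection described above to show why per-source functions need the source-only mode and why changing the hash gene moves existing flows to another CPU. SHA-256 stands in for the FW's hash algorithm, which this page does not specify; the two-entry board number table, the way the gene is mixed into the hash, and the sample addresses are assumptions.

```python
import hashlib
import ipaddress

# Constructed board number table: index ID -> CPU. The real table layout is
# not given on this page; two entries model the master and slave CPU.
BOARD_TABLE = ["master", "slave"]

def select_cpu(src, dst, mode="source-and-destination", gene=0):
    """Pick a CPU for a packet. SHA-256 is a stand-in for the FW's hash."""
    if mode not in ("source-only", "source-and-destination"):
        raise ValueError(f"unknown hash mode: {mode}")
    key = ipaddress.ip_address(src).packed
    if mode == "source-and-destination":
        key += ipaddress.ip_address(dst).packed
    # Assumption: the gene is a non-negative 32-bit value mixed in as a prefix.
    digest = hashlib.sha256(gene.to_bytes(4, "big") + key).digest()
    index_id = int.from_bytes(digest[:4], "big") % len(BOARD_TABLE)
    return BOARD_TABLE[index_id]

def cpus_for_source(src, dsts, mode, gene=0):
    """Set of CPUs that process traffic from one source IP address."""
    return {select_cpu(src, d, mode, gene) for d in dsts}

def moved_flows(flows, mode, old_gene, new_gene):
    """Flows whose CPU changes when the hash gene is modified."""
    return [f for f in flows
            if select_cpu(*f, mode, old_gene) != select_cpu(*f, mode, new_gene)]

# Constructed sample traffic: one internal host talking to 64 destinations.
SRC = "10.1.1.10"
DSTS = [f"203.0.113.{i}" for i in range(1, 65)]
FLOWS = [(SRC, d) for d in DSTS]

if __name__ == "__main__":
    for mode in ("source-only", "source-and-destination"):
        print(mode, sorted(cpus_for_source(SRC, DSTS, mode)))
    print("flows moved by gene 0 -> 1:",
          len(moved_flows(FLOWS, "source-and-destination", 0, 1)))
```

In source-only mode every flow from the host lands on one CPU, so a per-IP limit or NAT port allocation is tracked in one place; in source-and-destination mode the same host is split across CPUs, and a gene change reassigns part of the established flows.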

Procedure

  1. Access the system view.

    system-view

  2. Configure the hash-based mode to select a CPU that processes service packets.

    firewall hash-mode { source-and-destination | source-only }

    By default, the hash-based mode is oriented to the source and destination IP addresses.

    The configuration takes effect after you restart the device.

  3. Specify a hash gene.

    firewall hash-gene hash-gene

    By default, the hash gene is 0.

    The hash gene is a numerical value for the hash algorithm used to select a CPU. If the source and destination addresses of packets are random, using the default value is recommended.

    The modification of the hash factor takes effect immediately. As a result, different packets of the same connection may be sent to different CPUs for processing, affecting services. Therefore, modify the hash factor during off-peak hours.

Copyright © Huawei Technologies Co., Ltd.