
Configuring Hardware Fast Forwarding Using the CLI

This section describes how to use the CLI to configure hardware fast forwarding.

Context

To reduce the CPU load and improve the service processing capability of the device, the FW supports fast forwarding for some simple heavy-traffic services (such as NAT services). You can enable or disable hardware fast forwarding as required and configure filtering conditions for hardware fast forwarding.

Procedure

  1. Run the system-view command to access the system view.
  2. Run the hardware fast-forwarding enable command to enable the global hardware fast forwarding function so that the traffic of all applicable services can be forwarded fast.

    By default, this function is enabled.

  3. Optional: Run the hardware fast-forwarding ipsec enable command to enable the IPSec hardware fast forwarding function.

    IPSec hardware fast forwarding is enabled by default.

    IPSec hardware fast forwarding takes effect only when the following conditions are met:
    • Global hardware fast forwarding is enabled (hardware fast-forwarding enable).
    • The IPSec tunnel is not encapsulated in transport mode.
    • The IPSec tunnel is not configured in manual mode.
    • Policy-based rate limit is disabled for the SA.
    • IPSec over GRE is not used.
    • IPv6 IPSec is not used.
    • SA encryption and decryption algorithms require the support of hardware engines. Algorithms such as AES-GCM, AES-GMAC and SM4 are not supported.
    • In IPSec NAT traversal scenarios, the port number for NAT traversal must be 500 or 4500. If the port number is changed from 500 or 4500 to another port number, IPSec hardware fast forwarding is not performed, and the IPSec performance deteriorates.

    Only the USG6510E/6510E-POE, USG6530E, USG6515E/6550E/6560E/6580E, and USG6525E/6555E/6565E/6575E-B/6585E/6605E-B support this command.

  4. Optional: In a hot standby scenario, run the hrp standby sync fast-forwarding table enable [ asym-next-hop ] command to enable the standby device to automatically deliver a fast forwarding table.

    All models except the USG6510E/6510E-POE/6530E support this function.

    In versions earlier than V600R007C20SPC200, USG6680E and USG6712E/6716E support this parameter. For V600R007C20SPC200 and later versions, device batches are distinguished by BomID Version (which can be checked using the display version command). Only the USG6680E and USG6712E/6716E whose BomID Version is earlier than 003 and whose device BOM numbers do not contain "-001" support this parameter.

    By default, the standby device does not automatically deliver the fast forwarding table.

  5. Optional: Run the hardware fast-forwarding session ttl-percent ttl-percent command to set the ratio of the fast forwarding table aging time to the CPU session aging time.

    By default, the ratio of the fast forwarding table aging time to the CPU session aging time is 80%.

  6. Optional: Configure the fast aging of hardware fast forwarding sessions.
    1. Run the hardware fast-forwarding session fast-aging ttl-percent ttl-percent command to set the ratio of the fast aging time to the normal aging time for hardware fast forwarding sessions.

      The default ratio of the fast aging time to the normal aging time for hardware fast forwarding sessions is 50%.

    2. Run the hardware fast-forwarding session fast-aging { lower-threshold lower-threshold | upper-threshold upper-threshold } command to set the threshold for triggering or stopping the fast aging of hardware fast forwarding sessions.

      By default, fast aging is triggered if the usage of fast forwarding sessions reaches 80%. After the usage of fast forwarding sessions falls below 50%, the fast aging time is restored to the normal aging time.

      To save fast forwarding sessions, if the usage of fast forwarding sessions reaches upper-threshold specified in the hardware fast-forwarding session fast-aging upper-threshold upper-threshold command, the FW starts the fast aging of fast forwarding sessions. The aging time of fast forwarding sessions is shortened according to the proportion specified in the hardware fast-forwarding session fast-aging threshold command. If the fast forwarding session usage falls below lower-threshold specified in the hardware fast-forwarding session fast-aging lower-threshold lower-threshold command, the FW stops the fast aging of fast forwarding sessions. The aging time of fast forwarding sessions is restored to the normal aging time.

      Starting or stopping the fast aging of fast forwarding sessions takes effect only on new fast forwarding sessions. The aging time of existing fast forwarding sessions remains unchanged.

      It is recommended that the difference between upper-threshold and lower-threshold be greater than 10. If the difference is too small, the aging and restoration of fast forwarding sessions may be triggered frequently, affecting service processing performance.

  7. Optional: Enable basic or advanced filtering conditions as required.

    Basic filtering conditions are matched first. If the result of matching the basic filtering conditions is that hardware fast forwarding is not performed, the advanced filtering conditions are not matched and the traffic follows the normal forwarding process. If the result is that hardware fast forwarding is allowed, the traffic is then matched against the advanced filtering conditions.

    • The FW supports configuring whether to perform fast forwarding for traffic that satisfies specified basic filtering conditions. The following table displays available basic filtering conditions. You can choose to enable only one of them.

      Table 1 Basic filtering condition (columns: Basic Filtering Condition, Configuration Method, Description)

      ACL-based fast forwarding

        1. Run the hardware fast-forwarding filter basic enable acl command to enable ACL-based fast forwarding.
        2. Run the hardware fast-forwarding filter basic acl acl-number command to reference an advanced ACL in the basic filtering condition.

        Create an advanced ACL. For configuration details, see Creating an Advanced ACL.

        Hardware fast forwarding is implemented for traffic matching an ACL rule with the permit action and is not implemented for traffic matching an ACL rule with the deny action. Traffic matching an ACL rule with the deny action is still sent to the CPU for processing.

        NOTE: An ACL created under a virtual system cannot be referenced. However, the ACL-based filtering conditions for fast forwarding take effect for the traffic of the entire device (including the root system and all virtual systems).

      Interface-based fast forwarding

        1. Run the hardware fast-forwarding filter basic enable interface command to enable interface-based fast forwarding.
        2. Run the hardware fast-forwarding filter basic interface { include | exclude } interface-type interface-number command to configure the basic filtering condition for interface-based fast forwarding.

        include indicates that hardware fast forwarding can be performed only for traffic received from a specified interface.

        exclude indicates that traffic received from a specified interface, and only that traffic, is excluded from hardware fast forwarding.

        When multiple filtering conditions are configured, filtering conditions of the include type and filtering conditions of the exclude type cannot take effect simultaneously. Only the filtering conditions of the type configured later take effect.

    • If basic filtering conditions cannot meet your needs, you can also configure an advanced filtering condition.

      There are two types of advanced filtering conditions, namely, pre-defined and user-defined. You can enable only one type of the filtering conditions.

      Table 2 Advanced filtering condition (columns: Advanced Filtering Condition, Configuration Method, Description)

      Predefined

        Run the hardware fast-forwarding filter advanced enable pre-defined command to enable a predefined advanced filtering condition.

        By default, the FW has a predefined advanced filtering condition that cannot be modified or deleted.

        The condition is that the duration of a session is not less than 20s and the number of one-way session packets is not less than 6. Hardware fast forwarding is implemented only for traffic that meets this condition.

      User-defined

        1. Run the hardware fast-forwarding filter advanced enable user-defined command to enable a user-defined advanced filtering condition.
        2. Run the hardware fast-forwarding filter advanced { protocol { tcp | udp | sctp | icmp | gre | protocol-number | default } { average-packet-length average-packet-length | byte byte | existed-time existed-time | packet packet | packet-rate packet-rate } * } &<1-8> command to enable an advanced filtering condition for fast forwarding.

        When a predefined filtering condition is used for fast forwarding, and an alarm on the number of fast forwarding tables is generated, you can configure a user-defined filtering condition for more fine-grained control.

        Properly set filtering parameters based on the actual network traffic model.

        NOTE:

        There is only one filtering condition for a protocol.

        The specified protocol is matched preferentially. If the specified protocol is not matched, the default protocol is matched.

        The traffic that does not match any protocol is not subject to the filtering control of hardware fast forwarding.
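
The fast-aging behaviour described in step 6, as an added example that is not vendor code: a small model of the upper-threshold/lower-threshold hysteresis that counts how often fast aging starts or stops over a usage trace. The class and function names and the usage trace are constructed for illustration, and the model assumes the fast-aging ratio is applied on top of the fast forwarding table aging time.

```python
from dataclasses import dataclass

@dataclass
class FastAging:
    """Illustrative model of step 6; field defaults are the defaults stated on this page."""
    upper: int = 80        # usage % at which fast aging starts
    lower: int = 50        # usage % below which fast aging stops
    fast_pct: int = 50     # fast aging time as % of the normal aging time
    session_pct: int = 80  # fast forwarding table aging time as % of CPU session aging time
    active: bool = False

    def gap_ok(self) -> bool:
        # Page recommendation: upper-threshold minus lower-threshold greater than 10.
        return self.upper - self.lower > 10

    def observe(self, usage: int) -> bool:
        """Feed one table-usage sample (%); return True if fast aging toggled."""
        before = self.active
        if not self.active and usage >= self.upper:
            self.active = True
        elif self.active and usage < self.lower:
            self.active = False
        return self.active != before

    def ttl_for_new_session(self, cpu_session_ttl: float) -> float:
        """Aging time for a session created now; existing sessions keep theirs."""
        normal = cpu_session_ttl * self.session_pct / 100
        return normal * self.fast_pct / 100 if self.active else normal


def toggles(model: FastAging, usage_samples) -> int:
    """Count how often fast aging starts or stops over a usage trace."""
    return sum(model.observe(u) for u in usage_samples)


# Constructed usage trace (%), hovering near the upper threshold.
TRACE = [70, 81, 78, 76, 80, 77, 82, 74, 79, 81, 49, 60]

if __name__ == "__main__":
    for m in (FastAging(), FastAging(upper=80, lower=78)):
        print(m.upper, m.lower, "gap ok:", m.gap_ok(), "toggles:", toggles(m, TRACE))
```

With the default thresholds the trace toggles fast aging twice; with a gap of 2 the same trace toggles it eight times, which is the frequent triggering the recommendation warns about.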

Follow-up Procedure

Run the display hardware fast-forwarding configurations command to view the fast forwarding configurations.

According to the command output, global hardware fast forwarding is enabled, the flow table backup function is disabled, the ratio of the fast forwarding table aging time to the CPU session aging time is 80% (which is the default value), the basic filtering condition for fast forwarding is not enabled, and the advanced filtering condition for fast forwarding is enabled.

<sysname> display hardware fast-forwarding configurations
===========================================================================================
                  Hardware Fast-forwarding Information                          
===========================================================================================
 Fast-forwarding Switch      : Enable(default is Enable)                       
 Fast-forwarding Session TTL : 80% of Session TTL(default is 80%)               
---------------------------------------------------------------------           
 Fast-forwarding Basic Filter: Disable                                          
---------------------------------------------------------------------
 Fast-forwarding Advanced Filter: Enable(filter type is user-defined)           
 Advanced filter configuration as follow:                                       
 protocol udp existed-time 120
---------------------------------------------------------------------
 IPSec fast-forwarding enable          : Enable(default is Enable)              
 IPSec Fragmentation Before Encryption : Disable                                
 IPSec DF option                       : COPY                                   
 IPSec Ignore DF-bit                   : Disable                                
 IPSec CAR                             : Enable                                 
============================================================================================
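
For change review or periodic audits, the output above can be parsed and compared against a site baseline. The following is an added example, not vendor tooling: the parse and drift functions and the baseline passed to drift are assumptions, and the sample text is the output shown on this page with the separator lines shortened.

```python
import re

# Sample output from this page (separator lines shortened to fit).
SAMPLE = """\
<sysname> display hardware fast-forwarding configurations
=====================================================================
                  Hardware Fast-forwarding Information
=====================================================================
 Fast-forwarding Switch      : Enable(default is Enable)
 Fast-forwarding Session TTL : 80% of Session TTL(default is 80%)
---------------------------------------------------------------------
 Fast-forwarding Basic Filter: Disable
---------------------------------------------------------------------
 Fast-forwarding Advanced Filter: Enable(filter type is user-defined)
 Advanced filter configuration as follow:
 protocol udp existed-time 120
---------------------------------------------------------------------
 IPSec fast-forwarding enable          : Enable(default is Enable)
 IPSec Fragmentation Before Encryption : Disable
 IPSec DF option                       : COPY
 IPSec Ignore DF-bit                   : Disable
 IPSec CAR                             : Enable
=====================================================================
"""

# "<name> : <value>(<optional note>)"; lines with nothing after the colon do not match.
FIELD = re.compile(r"^\s*([^:<]+?)\s*:\s*([^()]+?)\s*(?:\((.*)\))?\s*$")


def parse(text):
    """Return ({field: (value, note)}, [advanced filter rules as token lists])."""
    fields, rules = {}, []
    for line in text.splitlines():
        if line.strip().startswith("protocol "):
            rules.append(line.split())
        elif (m := FIELD.match(line)):
            fields[m.group(1)] = (m.group(2), m.group(3))
    return fields, rules


def drift(fields, baseline):
    """List (field, expected, actual) where the parsed value differs from the baseline."""
    actual = {k: v for k, (v, _) in fields.items()}
    return [(k, want, actual.get(k)) for k, want in baseline.items()
            if actual.get(k) != want]
```

A baseline that expects the basic filter to be enabled would report one drift entry for this output, since the sample shows Fast-forwarding Basic Filter as Disable.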
Copyright © Huawei Technologies Co., Ltd.