Limitations and Precautions for Hardware Fast Forwarding

Hardware Requirements

In versions earlier than V600R007C20SPC200, all models support hardware fast forwarding. For V600R007C20SPC200 and later versions, device batches are distinguished by BomID Version (which can be checked using the display version command). All models except the USG6680E and USG6712E/6716E whose BomID Version is 003 or later or whose device BOM numbers contain "-001" support hardware fast forwarding.

License Requirements

The hardware fast forwarding function is not license-controlled.

Software Limitations

• When an ACL is used as the filtering condition of fast forwarding, the referenced advanced ACL cannot have more than 32 rules. Otherwise, the filtering condition cannot be delivered.
• When ACL-based filtering conditions are configured for hardware fast forwarding, the ACL created in the virtual system cannot be referenced. However, the ACL-based filtering conditions for fast forwarding take effect for the traffic of the entire device (including the root system and all virtual systems).
• The inbound and outbound traffic on the interface pair that works in the mode of using the same interface to send and receive traffic does not support hardware fast forwarding. When the interface pair works in the mode of using different interfaces to send and receive traffic and if the inbound interface is a tagged interface but the outbound interface is an untagged interface, the inbound and outbound traffic on the interface pair does not support hardware fast forwarding.
• The FW working in bypass detection mode does not support hardware fast forwarding.

Limitations on the Interworking with Other Functions

• The hardware fast forwarding and cluster functions are mutually exclusive. Specifically, when hardware fast forwarding is enabled, the cluster function cannot be enabled; when the cluster function is enabled, hardware fast forwarding cannot be enabled.
• After port mirroring function is enabled, the hardware fast forwarding function does not dramatically improve the forwarding performance of the entire system. Therefore, hardware fast forwarding function is not recommended when port mirroring function is enabled.
• When flows are sorted by source IP address, destination IP address, or application, the FW collects statistics only on flows processed by CPU, not flows that experience hardware fast forwarding. To collect statistics on all flows, disable hardware fast forwarding.
• The packet tracing function applies only to packets forwarded by CPU, not packets that experience hardware fast forwarding.
• When hardware fast forwarding is enabled, dynamic traffic limiting for traffic attack defense may not take effect in some situations.

  The dynamic traffic limiting function is triggered based on traffic statistics on the CPU. If the dynamic traffic limiting function fails to properly take effect, it is possible that the hardware fast forwarding function is enabled, which enables attack traffic to be fast-forwarded without being processed by the CPU. In this case, disable the hardware fast forwarding function or configure hardware fast forwarding filtering conditions to ensure that attack traffic is processed by the CPU instead of being fast-forwarded.

• The number of packets and number of bytes in the periodic session logs are only data processed by the CPU. Statistics on data that is fast-forwarded cannot be collected.
• The service quality statistics (enabled using the display service-quality statistics command) function can be used to collect statistics on packets processed by CPU, not packets that experience hardware fast forwarding. To collect statistics on packets, disable hardware fast forwarding.

Precautions

• In hot standby deployment in active/standby mode, if the active device properly operates, the standby device does not receive service packets. Therefore, the delivery of the fast forwarding table is not triggered. After active/standby switchover, the new active device needs to re-implement the fast forwarding table delivery process, which may occupy additional CPU resources.

  Therefore, in this scenario, if hardware fast forwarding is enabled, you need to run the hrp standby sync fast-forwarding table enable [ asym-next-hop ] command in active device to enable the standby device to automatically deliver the fast forwarding table.

  In a hot standby (active/standby) scenario, if the FWs work at Layer 3 and the next hops of the routes on the active and standby FWs are different, the asym-next-hop parameter must be configured. The outbound interfaces and next-hop addresses of entries recorded in the hardware fast forwarding table backed up will replace the outbound interfaces and next-hop addresses of the routes (excluding PBR routes) on the standby device. If FWs work at Layer 2, the asym-next-hop parameter does not need to be configured.

  In load balancing scenario, the function of automatically delivering hardware fast forwarding table is not recommended on the standby device.

• Considering that certain fast-forwarded traffic may be sent to the CPU during patch installation, you are advised to install the patch during off-peak traffic hours. In addition, do not change the enabling status of hardware fast forwarding during patch installation. Otherwise, patch installation may fail.