HP Security Products FAQ Hangzhou H3C Technologies Co., Ltd.


Page 1: HP Security Products FAQ...Must the 12GE module or 2×10GE module for HP A-F5000 be installed into a specific slot? No. The 12GE module or the 2×10GE module can be installed into


Contents

Hardware FAQ
    What device models does the security product series include?
    What security modules do HP A series devices support?
    What service modules do security devices support?
    What security modules does HP A-F5000 support?
    Are the firewall modules for HP A-F5000 hot swappable?
    Must the 12GE module or 2×10GE module for HP A-F5000 be installed into a specific slot?
    Are the power supplies for HP A-F5000, HP A-F1000-A-EI, and HP A-F1000-S-EI hot swappable?
    Does HP A-F5000 support fan speed adjustment?
    What are the maximum power consumptions of HP firewall products?
    What are the dimensions of HP A-F5000?
    What are the HP firewall devices that provide USB interface?
    What services do the interfaces on the panel of the firewall module support?

Software FAQ
    How to view the software version and running time on security devices?
    Why do security devices need software upgrade?
    How to view the files in the recycle bin on security devices?
    How to delete the files in the recycle bin on security devices?
    How to restore removed files on security devices?
    How to add a port to a security zone at the CLI on security devices?
    Why does the HyperTerminal connected to the console port of the security device display abnormally?
    Do security devices support hot patching?
    What are the default password and user name used to log in to a security device through telnet or web?

Service flow FAQ
    What are the differences between firewall module and firewall device in forwarding flow?

Service function FAQ
    Firewall device FAQ
        Does the number of security zones in the specifications list apply to the whole device or a virtual device?
        How do security zones on different virtual devices communicate?
        Does a port permit access by default?
        How to deny user access to the IP address of a local port?
        Is the ALG function of firewall devices enabled? How to disable ALG function?
        What virtual devices do the ports of a firewall device belong to by default?
        What are the possible reasons that a firewall device does not forward packets?
        How is adding a Layer-2 bridge port to a security zone different from adding a Layer-3 route port to a security zone?
        Do the Layer-2 sub-interfaces and physical ports on the firewall module need to be added to the security zone for inter-VLAN Layer-2 forwarding?
        Traffic is forwarded between two logical interfaces. Add the logical interfaces to the security zone. Do the physical ports that belong to the logical interfaces need to be added to the security zone? What inter-zone policies take effect?
        Why is a specific flow that should be denied by the firewall permitted?
        How are sessions identified on firewall devices?
        What are the differences between firewall session logs and NAT logs?
        What are the relations between ASPF sessions and NAT sessions?
        How do long sessions work? What are the restrictions to ACLs used?
        Does the session state transition mechanism change after unidirectional flow detection is enabled?
        Why cannot I view expected sessions on virtual devices through web?
        Why is a session state incorrect?
        Why doesn't a changed ACL take effect?
        Why cannot the log server receive logs?
        Why cannot I view logs from web?
        Why cannot I view VPN instance information in session logs?
        How does NAT process ARP packets?
        How can a GRE tunnel interface go up?
        Why cannot a GRE tunnel interface go up?
        How to set an ACL used in an IPSec policy?
        What are the features of IPSec policy template?
        Why cannot the two stateful failover devices enter synchronized state?
        What are the SSH versions supported by firewall devices?
        Does HP A-F5000 support cross-card link aggregation?
        Must the ports in a link aggregation group be consecutive in number?
        Do firewall devices support 802.1X?
        Do firewall devices support jumbo frames?
        Is HTTPS supported? How to enable it?
    Netstream module FAQ
        How is the Netstream module different from other security modules?
        Why doesn't the Seccenter show traffic statistics when the Netstream module is used to collect flow logs?
        How does the Netstream module differentiate flows in non-aggregation mode?
        How to check whether Netstream module settings take effect?

Other FAQ
    How to handle a faulty card that lights red?
    Do the forced duplex and rate settings need to be configured on the connected fiber and copper ports?


Hardware FAQ

What device models does the security product series include?

The security product series comprises the following security devices and modules.

1. Security devices:

• HP A-F5000

• HP A-F1000-E

• HP A-F1000-S-EI

• HP A-F1000-A-EI

• HP A-U200-S

• HP A-U200-A

2. Security modules:

• Firewall (FW) module for HP A series

• NetStream (NS) module for HP A series

• Load Balancing (LB) module for HP A series

• SSL VPN module for HP A series

What security modules do HP A series devices support?

The following table shows the HP A series devices and supported security modules.

Security module    HP A series devices supporting the module
FW module          HP A5800/A7500/A9500/A12500/A6600/A8800
LB module          HP A7500/A9500/A12500/A8800
NS module          HP A7500/A9500/A12500
SSL VPN module     HP A7500/A6600/A8800

What service modules do security devices support?

The following table shows the security devices and the service (interface) modules each supports.

Device                     Supported service modules
HP A-F5000                 NSQ1GT8C40: 8-port Gig-T / 4-port GbE Combo Module
                           NSQ1GT8P40: 8-port GbE SFP / 4-port GbE Combo Module
                           NSQ1XP20: 2-port 10-GbE XFP Module
HP A-F1000-E               8GBE: 8-port Gig-T HIM Module
                           4GBE: 4-port Gig-T HIM Module
                           4GBP: 4-port GbE SFP HIM Module
                           1EXP: 1-port 10-GbE XFP HIM Module
HP A-U200-A                NSQ1GT2UA0: 2-port Gig-T Module
                           NSQ1GP4U0: 4-port GbE SFP Module
HP A-U200-S                2GE: 2-port Gig-T Module
HP A-F1000-S-EI/A-EI       NSQ1XS2U0: 2-port 10-GbE SFP+ Module

What security modules does HP A-F5000 support? The HP A-F5000 supports the following security modules.

Security module                              Silkscreen
8-port Gig-T / 4-port GbE Combo Module       NSQ1GT8C40
8-port GbE SFP / 4-port GbE Combo Module     NSQ1GT8P40
2-port 10-GbE XFP Module                     NSQ1XP20

Are the firewall modules for HP A-F5000 hot swappable?

No. The firewall modules for HP A-F5000 do not support hot swapping.

Must the 12GE module or 2×10GE module for HP A-F5000 be installed into a specific slot?

No. The 12GE module or the 2×10GE module can be installed into any of the four service slots on the HP A-F5000.

Are the power supplies for HP A-F5000, HP A-F1000-A-EI, and HP A-F1000-S-EI hot swappable?

Yes. The power supplies for HP A-F5000, HP A-F1000-A-EI, and HP A-F1000-S-EI are hot swappable. Before hot swapping a power supply, make sure the other power supply is installed and working so that the device stays powered during the swap.


Does HP A-F5000 support fan speed adjustment? Yes. HP A-F5000 can automatically adjust fan speed according to the temperature in the chassis. You can use the display fan command to view fan status.

What are the maximum power consumptions of HP firewall products?

• HP A-F5000: 457.6 W

• HP A-F1000-A-EI / HP A-F1000-S-EI: 133 W

• HP A-F1000-E: 108.42 W

• HP A-U200-A: 45.5 W

• HP A-U200-S: 26.93 W

What are the dimensions of HP A-F5000? Dimensions of HP A-F5000 (H × W × D): 308 × 436 × 476 mm (12.13 × 17.17 × 18.74 in.).

What are the HP firewall devices that provide USB interface?

HP firewall devices provide a USB interface but the software does not support the USB interface.

What services do the interfaces on the panel of the firewall module support?

The interfaces on the panel of the firewall module are used for management and they do not provide specific services.


Software FAQ

How to view the software version and running time on security devices?

You can use the display version command to view the system software version, BootWare version, and system running time. In the sample output below, the comments after // mark the fields of interest.

<HP>display version
HP Comware Platform Software
Comware Software, Version 5.20, Release 3166P14               // System software version
Copyright (c) 2010-2011 Hewlett-Packard Development Company, L.P.
HP A-F1000-E uptime is 0 week, 0 day, 1 hour, 18 minutes       // System running time
CPU type: RMI XLR732 1000MHz CPU
2048M bytes DDR2 SDRAM Memory
4M bytes Flash Memory
249M bytes CF0 Card
249M bytes CF1 Card
PCB Version:Ver.B
Logic Version: 2.0
Basic BootWare Version: 1.28                                   // Basic BootWare version
Extend BootWare Version: 1.38                                  // Extended BootWare version

Why do security devices need software upgrade? To improve performance, stability, and security for security devices, HP will add new features and functions, fix software bugs, and modify existing programs in software releases. You can select an appropriate version for software upgrade.

How to view the files in the recycle bin on security devices?

The delete command moves the specified file to the recycle bin. The delete /unreserved command deletes the specified file permanently, bypassing the recycle bin.

The dir command does not display the files in the recycle bin. The dir /all command displays them as well, with the names of recycle-bin files enclosed in brackets [].

How to delete the files in the recycle bin on security devices?

You can use the reset recycle-bin command to permanently delete the files in the recycle bin to release storage space for the flash or CF card.

How to restore removed files on security devices? Files in the recycle bin can be restored while permanently deleted files cannot be restored.

You can use the undelete filename command in user view to restore a file in the recycle bin.

The filename argument specifies the name of the file to be restored.

How to add a port to a security zone at the CLI on security devices?

A port can be added to a security zone only at the CLI. The following example adds port GigabitEthernet 0/0 to the management zone. The _h command enters a hidden command view intended for developer testing; the device prints a warning on entry because commands in this view can affect operation if misused.

[HP]_h
Now you enter a hidden command view for developer's testing, some commands may
affect operation by wrong use, please carefully use it with our engineer's
[HP-hidecmd]zone add interface GigabitEthernet 0/0 to management

Why does the HyperTerminal connected to the console port of the security device display abnormally?

If the terminal parameters are set incorrectly, the HyperTerminal may display nothing or display garbled characters. The following describes the solutions to these problems.

No information displayed on the terminal

• Check that the power system works normally.

• Check that the security device works normally.

• Check that the cable is connected to the console port of the security device.

If all the conditions above are met, the problem may be caused by the following factors.

• The console cable is connected to a serial port on the terminal other than the one selected in the terminal settings.

• The terminal parameters are incorrect. (Correct settings: bits per second 9600, data bits 8, parity none, stop bits 1, flow control none.)

• The console cable itself has lost connectivity.

• The console cable is connected to a USB interface on the terminal and to the serial port on the security device. The serial-to-USB driver may cause display failure.

Garbled characters displayed on the terminal

Check that the terminal settings are as follows:

• Bits per second—9,600

• Data bits—8

• Parity—None

• Stop bits—1

• Flow control—None

• Emulation—VT100

Figure 1 Port settings

Do security devices support hot patching? Yes. All new security devices support hot patching. To find out whether an earlier device supports hot patching, ask your local technical engineers. No hot patches have been released so far.

What are the default password and user name used to log in to a security device through telnet or web?

• User name: admin

• Password: admin

The privilege level is 3 (administrator). Because this account has full administrative rights and its credentials are published, change the password before the device is reachable from any network you do not fully trust.


Service flow FAQ

What are the differences between firewall module and firewall device in forwarding flow?

• Service port: The firewall module has only one 10GE service port connected to the switch. Configure logical sub-interfaces or VLAN interfaces on the 10GE port to communicate with the switch.

• Layer-2 forwarding: The firewall module can only perform inter-VLAN forwarding between Layer-2 subinterfaces and it cannot perform forwarding within a VLAN. The firewall device has no such restriction.

• Layer-3 forwarding: The firewall module can perform Layer-3 forwarding only between 10GE subinterfaces or between VLAN interfaces. The firewall device has no such restriction.


Service function FAQ

Firewall device FAQ

Does the number of security zones in the specifications list apply to the whole device or a virtual device?

It refers to the maximum number of security zones that can be created on the whole device.

How do security zones on different virtual devices communicate?

In Figure 2, VFW A, VFW B, and VFW Root are virtual devices. The Untrust zone of VFW Root and the DMZ zone of VFW B are shared zones; the Trust zone is a private zone. Traffic from VFW A can pass through the Untrust zone of VFW Root but cannot pass through the private Trust zone.

Virtual devices reach each other only through shared zones. A private zone of one virtual device can communicate with a shared zone of another virtual device, but a shared zone cannot reach into the private zone of another virtual device.

Figure 2 Communication between virtual devices


Does a port permit access by default? Yes. By default a port permits traffic destined to the device itself (the Local zone), such as access to the interface's own IP address. To make a port deny such access, configure an inter-zone policy whose destination zone is the Local zone.

How to deny user access to the IP address of a local port? The following describes how to deny user access to the IP address 220.100.1.1/24 of the interface GE0/1.

• Add GE0/1 to the Untrust zone.

• Create a host address object named ge01_address for 220.100.1.1.

Figure 3 Create a host address

• Create an inter-zone policy from Untrust zone to Local zone, with the destination address as ge01_address and action as deny.

Figure 4 Untrust-to-Local inter-zone policy

Is the ALG function of firewall devices enabled? How to disable ALG function?

The ALG function is enabled by default.

To disable all ALG functions, issue the undo alg all command in system view.

To disable one ALG function, SIP for example, issue the undo alg sip command in system view.

To disable ALG function in the web interface, select Firewall->ALG from the navigation tree to enter the following page, select an option in the left box, and click the >> button to disable the selected ALG function.


Figure 5 Disable ALG functions

What virtual devices do the ports of a firewall device belong to by default?

A firewall device has two types of ports, Layer-3 Route port and Layer-2 Bridge port.

• A Layer-3 Route port belongs to the virtual device root by default. To add it to another virtual device, select the security zone for the port in the page Device Management > Virtual Device-> interface.

• The virtual device to which a Layer-2 Bridge port belongs is determined by the port together with the bound VLAN. For example, VLAN 100 is bound to virtual device VD1, VLAN 200 is bound to virtual device VD2, and GE0/1 is added to both VLAN 100 and VLAN 200. GE0/1+VLAN 100 then belongs to virtual device VD1, and GE0/1+VLAN 200 belongs to virtual device VD2.

What are the possible reasons that a firewall device does not forward packets?

The following are the possible reasons.

• The port is not added to a security zone.

• No inter-zone policy is configured, or the policy has been lost. You can troubleshoot the problem by using the following debugging command in user view.

<HP>debugging firewall packet-filter ?
  all     Debug information about all the packets
  icmp    Debug information about ICMP packets
  others  Debug information about other packets ( except TCP,UDP and ICMP )
  tcp     Debug information about TCP packets
  udp     Debug information about UDP packets


• The session state is incorrect and packets are discarded. You can troubleshoot the problem with the following debugging command.

<HP>debugging session session-table all

• Packets are discarded by ASPF. You can troubleshoot the problem with the following debugging command.

<HP>debugging aspf packet

• A black list filters the packets. Check whether a black list exists from the web.

• The routing configuration is incorrect.

• MAC address entries for Layer-2 forwarding are unavailable.

How is adding a Layer-2 bridge port to a security zone different from adding a Layer-3 route port to a security zone?

1. You can add a Layer-2 bridge port to different security zones by adding it to different VLANs. For example, add a trunk port GE0/1 to VLAN 100 and VLAN 200. GE0/1 in VLAN 100 can be added to the Trust zone, and GE0/1 in VLAN 200 can be added to the DMZ zone.

• Add GE0/1 to the Trust zone.

Figure 6 Add GE0/1 to Trust zone

• Add GE0/1 to the DMZ zone.


Figure 7 Add GE0/1 to DMZ zone

On GE0/1, packets tagged with VLAN 100 belong to the Trust zone, and packets tagged with VLAN 200 belong to the DMZ zone.

2. A Layer-3 route port can be added to only one security zone.

Do the Layer-2 sub-interfaces and physical ports on the firewall module need to be added to the security zone for inter-VLAN Layer-2 forwarding?

You need to add the Layer-2 sub-interfaces to the security zone. The physical ports need not be added to the security zone.

Traffic is forwarded between two logical interfaces. Add the logical interfaces to the security zone. Do the physical ports that belong to the logical interfaces need to be added to the security zone? What inter-zone policies take effect?

Only the logical interfaces need to be added to the security zone. The inter-zone policy for the security zone of the logical interfaces takes effect.

Why is a specific flow that should be denied by the firewall permitted?

The following are the possible reasons.

• No inter-zone policy exists for the zone pair. Without a policy, the default behaviour permits flows from a higher-priority security zone to a lower-priority security zone, so the flow is allowed by default rather than by an explicit rule.

• A permit-type inter-zone policy matching the flow exists.

• A session matching the flow already exists (for example, one created before the deny policy was configured), so packets are matched against the existing session rather than against the policy.

How are sessions identified on firewall devices? A session comprises two flows in opposite directions. Each flow is identified by a set of traffic attributes that depends on the protocol:

• TCP flow, 6-tuple: protocol + source IP + source port + destination IP + destination port + VPN instance ID (or VLAN ID)

• UDP flow, 6-tuple: protocol + source IP + source port + destination IP + destination port + VPN instance ID (or VLAN ID)

• ICMP flow, 6-tuple: protocol + source IP + destination IP + ICMP type + ICMP code + VPN instance ID (or VLAN ID)

• RAW IP flow (any other IP protocol), 4-tuple: protocol + source IP + destination IP + VPN instance ID (or VLAN ID)

Because the VPN instance ID (or VLAN ID) is part of every key, two flows with identical addresses and ports in different VPN instances are distinct sessions.
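To make the flow-identification rules concrete, the following is an added example (not code from the FAQ or from HP/H3C): a small Python session table that builds the per-protocol key, derives the reverse-direction key, and matches packets to an existing session in either direction. The Packet class, the field names and the sample packets (including the GRE packet used as a RAW IP flow) are constructed for illustration.

```python
"""Flow identification and session lookup following the tuple rules above.

Added example, not code from the HP/H3C FAQ. The Packet class, the field
names and the sample packets are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

TCP, UDP, ICMP, GRE = 6, 17, 1, 47
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    vpn: int = 0  # VPN instance ID (or VLAN ID); part of every key


def flow_key(p: Packet) -> tuple:
    """Per-flow identifier.

    TCP/UDP: 6-tuple proto + src + sport + dst + dport + vpn
    ICMP:    6-tuple proto + src + dst + type + code + vpn
    other:   4-tuple proto + src + dst + vpn (RAW IP)
    """
    if p.proto in (TCP, UDP):
        return (p.proto, p.src, p.sport, p.dst, p.dport, p.vpn)
    if p.proto == ICMP:
        return (p.proto, p.src, p.dst, p.icmp_type, p.icmp_code, p.vpn)
    return (p.proto, p.src, p.dst, p.vpn)


def reverse_key(p: Packet) -> tuple:
    """Key of the flow travelling in the opposite direction.

    Addresses and ports are swapped. For ICMP echo the reply carries a
    different type (0 instead of 8) while the code is unchanged.
    """
    if p.proto in (TCP, UDP):
        return (p.proto, p.dst, p.dport, p.src, p.sport, p.vpn)
    if p.proto == ICMP:
        rtype = {ICMP_ECHO_REQUEST: ICMP_ECHO_REPLY,
                 ICMP_ECHO_REPLY: ICMP_ECHO_REQUEST}.get(p.icmp_type, p.icmp_type)
        return (p.proto, p.dst, p.src, rtype, p.icmp_code, p.vpn)
    return (p.proto, p.dst, p.src, p.vpn)


class SessionTable:
    """A single table indexed by both flow keys of each session."""

    def __init__(self) -> None:
        self._flows: Dict[tuple, Tuple[int, str]] = {}
        self._next_id = 1

    def match_or_create(self, p: Packet) -> Tuple[int, str]:
        """Return (session id, direction): 'initiator' or 'responder' for
        a packet matching an existing session, 'new' when one was created."""
        hit = self._flows.get(flow_key(p))
        if hit is not None:
            return hit
        sid = self._next_id
        self._next_id += 1
        self._flows[flow_key(p)] = (sid, "initiator")
        self._flows[reverse_key(p)] = (sid, "responder")
        return sid, "new"

    def __len__(self) -> int:
        return self._next_id - 1


def demo() -> list:
    """Constructed sample traffic; returns (id, direction) per packet."""
    table = SessionTable()
    packets = [
        Packet(TCP, "10.0.0.5", "192.0.2.10", 40000, 443, vpn=1),   # client SYN
        Packet(TCP, "192.0.2.10", "10.0.0.5", 443, 40000, vpn=1),   # server reply
        Packet(TCP, "10.0.0.5", "192.0.2.10", 40000, 443, vpn=2),   # same 5-tuple, other VPN
        Packet(ICMP, "10.0.0.5", "192.0.2.10", icmp_type=ICMP_ECHO_REQUEST),
        Packet(ICMP, "192.0.2.10", "10.0.0.5", icmp_type=ICMP_ECHO_REPLY),
        Packet(GRE, "10.0.0.5", "192.0.2.10"),                       # RAW IP flow
        Packet(GRE, "192.0.2.10", "10.0.0.5"),
    ]
    return [table.match_or_create(p) for p in packets]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The third packet in demo() shows the practical consequence of the VPN instance ID being part of the key: it differs from the first packet only in vpn and therefore opens a second session instead of matching the first.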

What are the differences between firewall session logs and NAT logs?

Session logs include NAT logs. You can view address translation information in session logs.

What are the relations between ASPF sessions and NAT sessions?

A firewall device has only one session table, which includes both ASPF and NAT sessions. A NATed ASPF session includes address translation information.

How do long sessions work? What are the restrictions to ACLs used?

You can set specific sessions to have long lifetimes. Such sessions are called long sessions. Long sessions will not have their lifetimes changed due to state changes and will not be deleted when no packets are sent. You can also set them as permanent sessions, which will not be aged out unless the initiator or responder closes the session or the administrator deletes the session.

• Long sessions must be TCP sessions in the TCP-EST (established) state.

• ACLs used must be in the range of 2000 to 3999.

• The matching ACLs must be permit type; otherwise, the long sessions do not take effect.


Does the session state transition mechanism change after unidirectional flow detection is enabled?

When unidirectional flow detection is enabled, the state transition mechanisms for TCP/UDP/RAWIP sessions are changed as follows to ensure successful session establishment.

TCP sessions

• When unidirectional flow detection is not enabled, the state machine considers a session illegal if its first packet is a SYN_ACK. When unidirectional flow detection is enabled, the SYN may not pass through the device, so the first packet seen may be a SYN_ACK; that SYN_ACK creates the session and sets its state to SYN_RECV.

• When unidirectional flow detection is not enabled, the state machine considers an ACK received in SYN_SENT state illegal. When unidirectional flow detection is enabled, the SYN_ACK may not pass through the device, so an ACK received in SYN_SENT state is considered legal and the session state changes to TCP_ESTABLISHED.

UDP sessions

When unidirectional flow detection is not enabled, the state machine does not change the state upon receiving a request in UDP_OPEN state. When unidirectional flow detection is enabled, the state machine changes the state to UDP_READY upon receiving a request in UDP_OPEN state, that is, two requests received can enable the session to enter UDP_READY state.

RAWIP sessions

When unidirectional flow detection is not enabled, the state machine does not change the session state upon receiving a request in RAWIP_OPEN state. When unidirectional flow detection is enabled, the state machine changes the session state to RAWIP_READY upon receiving a request in RAWIP_OPEN state, that is, two requests received can enable the session to enter RAWIP_READY state.
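The transitions above, with and without unidirectional flow detection, as an added Python example (not code from the FAQ). State names follow the FAQ. One rule is an assumption of this example, since the FAQ only describes the request-side behaviour: in normal mode a UDP or RAWIP session moves from OPEN to READY when the first reply (reverse-direction packet) is seen.

```python
"""Session state transitions with and without unidirectional flow detection,
for TCP, UDP and RAWIP sessions as described above.

Added example, not code from the FAQ. State names follow the FAQ. One
assumption is mine: in normal mode a UDP/RAWIP session moves from OPEN to
READY when the first reverse-direction packet (a reply) is seen.
"""
from enum import Enum, auto


class Tcp(Enum):
    SYN = auto()
    SYN_ACK = auto()
    ACK = auto()


class Illegal(Exception):
    """The packet is rejected by the state machine; a device drops it."""


def tcp_next(state, flag, unidirectional):
    """Next TCP session state; state None means no session exists yet."""
    if state is None:
        if flag is Tcp.SYN:
            return "SYN_SENT"
        if flag is Tcp.SYN_ACK and unidirectional:
            # The SYN took a path around the device, so the SYN_ACK is the
            # first packet seen: accepted only with unidirectional detection.
            return "SYN_RECV"
        raise Illegal(f"{flag.name} cannot be the first packet of a session")
    if state == "SYN_SENT":
        if flag is Tcp.SYN_ACK:
            return "SYN_RECV"
        if flag is Tcp.ACK:
            if unidirectional:
                return "TCP_ESTABLISHED"      # SYN_ACK never passed the device
            raise Illegal("ACK in SYN_SENT without a SYN_ACK")
        return state                          # retransmitted SYN
    if state == "SYN_RECV":
        return "TCP_ESTABLISHED" if flag is Tcp.ACK else state
    return state                              # established: nothing to do


def datagram_next(proto, state, is_request, unidirectional):
    """UDP and RAWIP sessions share the same OPEN/READY logic.

    proto is "UDP" or "RAWIP"; is_request is True for a packet in the
    initiator's direction and False for a reply.
    """
    open_, ready = f"{proto}_OPEN", f"{proto}_READY"
    if state is None:
        return open_
    if state == open_:
        if not is_request:
            return ready                      # reply seen (assumption, see above)
        return ready if unidirectional else open_   # a second request
    return state


def run(proto, packets, unidirectional):
    """Feed packets to the machine; return (final state, dropped packet count)."""
    state, dropped = None, 0
    for pkt in packets:
        try:
            if proto == "TCP":
                state = tcp_next(state, pkt, unidirectional)
            else:
                state = datagram_next(proto, state, pkt, unidirectional)
        except Illegal:
            dropped += 1
    return state, dropped


if __name__ == "__main__":
    asymmetric = [Tcp.SYN_ACK, Tcp.ACK]       # the SYN went around the firewall
    print("normal:        ", run("TCP", asymmetric, False))
    print("unidirectional:", run("TCP", asymmetric, True))
    print("two UDP reqs:  ", run("UDP", [True, True], False), run("UDP", [True, True], True))
```

The asymmetric-path case shows why this setting matters for troubleshooting: with detection disabled the same two packets are both dropped and no session is ever created, which is exactly the "session state incorrect" symptom the next questions describe.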

Why cannot I view expected sessions on virtual devices through web?

The following are the possible reasons.

• The sessions have aged out.

• Sessions established across virtual devices can only be displayed on the source virtual device.

• The existing sessions have reached the maximum number. No new sessions can be established.

Why is a session state incorrect? The following are the possible reasons.

• The unidirectional flow detection function is enabled, and the state machine works differently from normal cases.

• Some other packets have changed the session state.

Issue the debugging session engine event command in user view to view session debug information to find the reason.


Why doesn’t a changed ACL take effect? The following are the possible reasons.

• The original ACL has been enabled with acceleration. After you modify the ACL, you must reconfigure ACL acceleration so the modification can take effect.

To check whether ACL acceleration is enabled, enter the Firewall > ACL page from the navigation tree.

Figure 8 ACL page

The settings marked by the red rectangle are not yet effective. You must click the Start Accelerating link to make them take effect.

For inter-zone policies, enter the Firewall > Security Policy > Interzone Policy Accelerate page from the navigation tree.

The settings marked by the red rectangle are not yet effective. You must click the Start Accelerating link to make them take effect.

• ACL settings are incorrect.

Why can't the log server receive logs?

The following are the possible reasons.

• Devices are not correctly added to the log server, or their states are abnormal.

• The SNMP agent is not enabled on the firewall or the SNMP connection is abnormal.

• Check that the log server address is configured for syslog as follows.


Figure 9 Syslog settings

• Check that the log server address is configured for flow log as follows.

Figure 10 Flow log settings

• Check whether sessions destined for the log server address exist. If they do, logs have been sent; if not, logs have not been sent.

Why can't I view logs from the web interface?

The following are the possible reasons.

• The information center is not enabled. Use the display info-center command to check that it is enabled:

[HP]dis info-center

Information Center:enabled

If the information center is not enabled, use the following command to enable it:

[HP]info-center enable

Info: Information center is enabled.

• When the information center is enabled, the syslog information cannot be shown if the log buffer is full. Click the Clear Log button on the following page to clear the log buffer.


Figure 11 Clear the log buffer

• When the information center is enabled, the flow log information cannot be shown if the following box is not selected. Select this box to enable outputting flow logs. Enabling the web interface to display flow log information is not recommended. This function is used only for debugging.

Figure 12 Select the box to output flow logs

Why can't I view VPN instance information in session logs?

You must use flow log 3.0 rather than 1.0 to view VPN instance information.


Figure 13 Select flow log 3.0

How does NAT process ARP packets?

A packet sourced from the private network is translated by NAT and then sent to the public network. The destination host in the public network does not know the MAC address corresponding to the translated IP address, so it sends an ARP request to the NAT device. The NAT device looks up the routing table for a route entry containing the target IP address. If a match is found, it sends the MAC address of the interface in that entry in an ARP reply to the public network host. If no match is found, it checks whether the target IP address is one of the addresses configured for NAT. If it is, it sends the MAC address of the receiving interface in an ARP reply to the public network host. In addition, when the interface goes up or down, the NAT device sends gratuitous ARP packets for the translated IP addresses.
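As an added example (not HP/H3C code), this Python function walks through the ARP reply decision just described: routing table lookup first, NAT address pool second, otherwise no reply. The routing table, NAT addresses and MAC addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the FAQ): routing table and NAT address pool.
ROUTES = {                                   # prefix -> MAC of the route's interface
    "203.0.113.0/24": "00:11:22:33:44:01",
    "198.51.100.0/25": "00:11:22:33:44:02",
}
NAT_ADDRESSES = {"192.0.2.10", "192.0.2.11"}   # public addresses configured for NAT


def arp_reply_mac(target_ip, receiving_iface_mac,
                  routes=ROUTES, nat_addresses=NAT_ADDRESSES):
    """MAC the NAT device puts in its ARP reply for target_ip, or None for no reply.

    Step 1: routing table lookup (longest prefix match) -> MAC of the route's interface.
    Step 2: no route, but target_ip is a NAT address -> MAC of the receiving interface.
    """
    target = ipaddress.ip_address(target_ip)
    best_net, best_mac = None, None
    for prefix, mac in routes.items():
        net = ipaddress.ip_network(prefix)
        if target in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_mac = net, mac
    if best_mac is not None:
        return best_mac
    if str(target) in nat_addresses:
        return receiving_iface_mac
    return None
```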

How can a GRE tunnel interface go up?

The tunnel management module brings a tunnel interface up once all the required parameters have been set.

For a GRE tunnel to go up on the firewall, the tunnel source address must match an InLoopBack 32-bit host route, and the tunnel destination address must be reachable.

Why can't a GRE tunnel interface go up?

The following are the possible reasons.

• The source physical port of the tunnel is not up, or it is up but it has no IP address.

• The source physical port of the tunnel is bound to a VPN instance, so the tunnel interface cannot go up.

• If multiple tunnel interfaces have the same source port, only the first created tunnel interface can go up.

How do I set the ACL used in an IPSec policy?

IPSec uses ACLs to identify the traffic to be protected. The permit keyword in an ACL rule means the matching traffic will be protected by IPSec, and the deny keyword means the matching traffic will not be protected by IPSec. If an ACL rule on one end specifies the source, the counterpart ACL rule on the other end must specify the destination.
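The mirror requirement above is easy to get wrong when an ACL is copied rather than reversed. This added Python check (not HP/H3C code) verifies that every rule on one end has a counterpart on the other end with the same action and the source and destination swapped; the rule format and the sample ACLs are constructed.

```python
from collections import namedtuple

# action is "permit" (protect with IPSec) or "deny" (do not protect).
Rule = namedtuple("Rule", "action src dst")


def mirror(rule):
    """Counterpart rule the other end must hold: same action, src and dst swapped."""
    return Rule(rule.action, rule.dst, rule.src)


def check_mirrored(local_rules, remote_rules):
    """Return the problems found; an empty list means the two ACLs mirror each other."""
    problems = []
    remote, local = set(remote_rules), set(local_rules)
    for r in local_rules:
        if mirror(r) not in remote:
            problems.append(f"remote end lacks the mirror of local rule "
                            f"{r.action} {r.src} -> {r.dst}")
    for r in remote_rules:
        if mirror(r) not in local:
            problems.append(f"local end lacks the mirror of remote rule "
                            f"{r.action} {r.src} -> {r.dst}")
    return problems


# Constructed sample ACLs (private prefixes chosen for illustration).
HQ = [Rule("permit", "10.1.0.0/16", "10.2.0.0/16"),
      Rule("deny", "10.1.0.0/16", "10.3.0.0/16")]
BRANCH_OK = [Rule("permit", "10.2.0.0/16", "10.1.0.0/16"),
             Rule("deny", "10.3.0.0/16", "10.1.0.0/16")]
BRANCH_BAD = [Rule("permit", "10.1.0.0/16", "10.2.0.0/16")]   # copied, not mirrored
```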


What are the features of the IPSec policy template?

• The IPSec policy template can only act as the IPSec responder. Related command: ipsec policy-template.

• The template can be used for one-to-multiple mode. If the match mode is name, all the branches must have the same ike local-name settings, and all branches and the center must have remote-name configured.

• If the match mode is IP address, the end using the template does not need the local-address and remote-address settings.

Why cannot the two stateful failover devices enter synchronized state?

Check that:

• The HA interface is up.

• The HA interface is directly connected to the other device rather than connected through a switch.

What SSH versions do firewall devices support?

The overseas releases support only SSH 2.0 (compatible with SSH 1.5). The firewall device can act as either the SSH server or the SSH client.

Does HP A-F5000 support cross-card link aggregation?

No. HP A-F5000 does not support cross-card link aggregation.

Must the ports in a link aggregation group be consecutive in number?

No. They do not need to be consecutive.

Do firewall devices support 802.1X?

No.

Do firewall devices support jumbo frames?

Firewall modules support jumbo frames, but firewall devices do not.

Is HTTPS supported? How do I enable it?

Yes. To enable HTTPS, use the following command in system view:

[HP]ip https enable


Netstream module FAQ

How is the Netstream module different from other security modules?

• It does not support web-based configuration.

• Its ports need not be added to the security zone.

• It does not support the functions of other security modules.

• Its 10GE port can only receive traffic.

• Its traffic statistics cover only inbound traffic, not outbound traffic.

Why doesn’t the Seccenter show traffic statistics when the Netstream module is used to collect flow logs?

Check that:

• Devices are correctly added.

• The log server and the device are time synchronized.

• Traffic entering the 10GE port is forwarded to the black hole Inline group.

• The ip netstream or ipv6 netstream command is correctly configured.

How does the Netstream module differentiate flows in non-aggregation mode?

It uses the following 7-tuple to identify different flows: source IP address, destination IP address, source port number, destination port number, protocol ID, interface information, and TOS. The interface information only contains the 10GE interface and has no specific meaning.

How do I check whether Netstream module settings take effect?

• Issue the display ip netstream cache command to check whether flow entries exist.

• Issue the debugging ip netstream packet command to check whether flow log packets have been sent.

• Issue the display ip netstream export command to check whether log statistics are available.

• Check whether statistics are available on the log server (if connected).


Other FAQ

How do I handle a faulty card whose LED lights red?

• The card temperature exceeds the upper threshold. Check that the air filter is clean. If not, clean it promptly.

• The ambient temperature is high. You can use the display environment command to view the current card temperature, and the temperature-limit command to view the lower and upper temperature thresholds.

• Some fans are faulty.

Do the forced duplex and rate settings need to be configured on the connected fiber and copper ports?

A copper port does not need such settings because it can perform auto-negotiation successfully.

Some fiber ports may fail to perform auto-negotiation. Therefore, a fiber port is generally configured with forced duplex and rate settings, but this mechanism may hide some problems.

A copper port and a fiber port that are connected to each other follow these rules to perform negotiation:

• Both sides use auto-negotiation unless there is a specific reason not to.

• The two sides must have the same duplex and rate settings.