Fast-path

The behavior of the fast-path network stack can be customized globally, and per VRF.

If there is no configuration value in a VRF, the global configuration applies. The VRF configuration overrides the system one.

ALG

ALGs allow specific applications to be used through CG-NAT or fp-firewall.

The following configuration activates the DNS ALG, and sets its session timeout to 1000.

vsr running config# / system network-stack fast-path alg dns
vsr running fast-path# / system network-stack fast-path alg dns session-timeout 1000
vsr running fast-path# commit

To display the ALG configuration:

vsr running fast-path# show state / system network-stack fast-path alg
fast-path
 alg dns
     session-timeout 1000
     ..
 ..

The same configuration can be made using this NETCONF XML configuration:

vsr running fast-path# show config xml absolute / system network-stack fast-path alg
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <network-stack>
      <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack">
        <alg>
          <name>dns</name>
          <session-timeout>1000</session-timeout>
        </alg>
      </fast-path>
    </network-stack>
  </system>
</config>

Note

In previous versions, dns-udp was the default value. This is no longer the case, so you may need to configure it in its new path: / system network-stack fast-path alg dns.

The configuration can be overridden at the VRF level. The following configuration sets the DNS session-timeout to 500 in the test VRF, while it stays at the value of 1000 defined previously in the other VRFs.

vsr running config# / vrf test network-stack fast-path alg dns session-timeout 500

Conntracks

Conntrack timeouts can be set for each protocol. UDP, ICMP and GRE protocols only handle basic conntrack states (new, established, closed), whereas TCP offers more granularity.

The following configuration sets the timeout of the TCP established state to 100:

vsr running config# / system network-stack fast-path conntrack timeouts tcp established 100
vsr running fast-path# commit

The following configuration disables the conntrack tcp-window-check behavior:

vsr running config# / system network-stack fast-path conntrack behavior tcp-window-check enabled false
vsr running fast-path# commit

To fragment NAT64 packets according to the MTU of the output interface:

vsr running config# / system network-stack fast-path conntrack nat64 mtu lowest-ipv6 0
vsr running fast-path# commit

The same configuration can be made using this NETCONF XML configuration:

vsr running fast-path# show config xml absolute / system network-stack fast-path conntrack
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <network-stack>
      <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack">
        <conntrack>
          <timeouts>
            <tcp>
              <state>established</state>
              <timeout>100</timeout>
            </tcp>
          </timeouts>
          <behavior>
            <tcp-options>tcp-window-check</tcp-options>
            <enabled>false</enabled>
          </behavior>
          <nat64>
            <mtu>
              <option>lowest-ipv6</option>
              <value>0</value>
            </mtu>
          </nat64>
        </conntrack>
      </fast-path>
    </network-stack>
  </system>
</config>
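
An added example (not 6WIND code): a Python check that flattens the conntrack NETCONF XML shown above and reports drift from a reviewed baseline, so that a disabled tcp-window-check is caught during configuration review. The BASELINE values and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the NETCONF XML on this page.
NS = {"sys": "urn:6wind:vrouter/system",
      "fp": "urn:6wind:vrouter/fast-path-network-stack"}
CONNTRACK = "sys:system/sys:network-stack/fp:fast-path/fp:conntrack"

# Constructed sample: the page's conntrack configuration, whitespace compacted.
SAMPLE = """<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system"><network-stack>
    <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack"><conntrack>
      <timeouts><tcp><state>established</state><timeout>100</timeout></tcp></timeouts>
      <behavior><tcp-options>tcp-window-check</tcp-options><enabled>false</enabled></behavior>
      <nat64><mtu><option>lowest-ipv6</option><value>0</value></mtu></nat64>
    </conntrack></fast-path>
  </network-stack></system>
</config>"""

# Hypothetical reviewed baseline (an assumption, not vendor defaults).
BASELINE = {"timeout tcp established": 100, "behavior tcp-window-check": True}


def conntrack_settings(xml_text):
    """Flatten the fast-path conntrack subtree into {setting: value}."""
    ct = ET.fromstring(xml_text).find(CONNTRACK, NS)
    settings = {}
    if ct is None:  # nothing configured at this level
        return settings
    for proto in ct.findall("fp:timeouts/*", NS):
        name = proto.tag.split("}")[1]  # strip the namespace, e.g. -> "tcp"
        state = proto.findtext("fp:state", namespaces=NS)
        settings[f"timeout {name} {state}"] = int(proto.findtext("fp:timeout", namespaces=NS))
    for beh in ct.findall("fp:behavior", NS):
        option = beh.findtext("fp:tcp-options", namespaces=NS)
        settings[f"behavior {option}"] = beh.findtext("fp:enabled", namespaces=NS) == "true"
    for mtu in ct.findall("fp:nat64/fp:mtu", NS):
        option = mtu.findtext("fp:option", namespaces=NS)
        settings[f"nat64 mtu {option}"] = int(mtu.findtext("fp:value", namespaces=NS))
    return settings


def drift(settings, baseline):
    """Return baseline entries whose configured value is missing or different."""
    return {k: (want, settings.get(k)) for k, want in baseline.items()
            if settings.get(k) != want}


if __name__ == "__main__":
    for key, (want, got) in drift(conntrack_settings(SAMPLE), BASELINE).items():
        print(f"{key}: expected {want}, configured {got}")
```

A configured value of None in the drift output means the setting is not set explicitly at this level.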

See also

The command reference for details.