    Enabling the Flow Bypass Feature

    The flow bypass feature prevents the IDP Series device from becoming a point of failure when the network is congested. With flow bypass enabled, when the IDP system packet receive queue reaches a rising threshold that you specify, the IDP engine marks the flow as a bypass flow and passes it through, uninspected. The IDP Series device passes through subsequent flows until the IDP system packet receive queue falls below a reset threshold that you also specify.

    The flow bypass feature is not enabled by default.

    For an overview of the flow bypass feature, see the IDP Series Concepts and Examples Guide.

    To enable the flow bypass feature:

    1. Log in to the CLI as admin and enter su - to switch to root.
    2. Enter the following command to enable flow bypass:

      [root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_enable 1
      [root@defaulthost admin]#

      By default, the system packet queue size utilization rising threshold is 90%; the reset threshold is 80%.

    3. Optional. Change the rising threshold with the following command syntax:

      scio const -s s0:flow set sc_flow_bypass_threshold_hi percent

      For example:


      [root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_threshold_hi 95
      scio: setting sc_flow_bypass_threshold_hi to 0x5f
      [root@defaulthost admin]#
    4. Optional. Change the reset threshold with the following command syntax:

      scio const -s s0:flow set sc_flow_bypass_threshold_low percent

      For example:


      [root@defaulthost admin]# scio const -s s0:flow set sc_flow_bypass_threshold_low 85
      scio: setting sc_flow_bypass_threshold_low to 0x55
      [root@defaulthost admin]#
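
The rising and reset thresholds form a hysteresis window: once bypass starts, flows stay uninspected until the queue falls below the reset value. The script below is an added example, not Juniper code; it models that behaviour over a constructed utilization trace so you can compare threshold pairs before setting them. The function names, the trace, the threshold sanity checks and the exact comparisons (bypass at or above the rising threshold, inspection again below the reset threshold) are assumptions taken from the wording above.

```shell
#!/bin/sh
# Added example: model of the rising/reset threshold behaviour described above.
# It does not call scio or touch a device.

# bypass_states HI LOW SAMPLE...
# Prints one word per queue-utilization sample (percent): "inspect" or "bypass".
# Assumption: bypass starts when utilization reaches HI (>=) and ends when it
# falls below LOW (<).
bypass_states() {
    hi=$1; low=$2; shift 2
    # Assumed sanity checks: values are percentages, reset is below rising.
    if [ "$hi" -gt 100 ] || [ "$low" -lt 0 ] || [ "$low" -ge "$hi" ]; then
        echo "invalid thresholds: hi=$hi low=$low" >&2
        return 1
    fi
    state=inspect
    out=
    for q in "$@"; do
        if [ "$state" = inspect ] && [ "$q" -ge "$hi" ]; then
            state=bypass
        elif [ "$state" = bypass ] && [ "$q" -lt "$low" ]; then
            state=inspect
        fi
        out="$out${out:+ }$state"
    done
    echo "$out"
}

# count_bypassed HI LOW SAMPLE... -> number of samples spent in bypass
count_bypassed() {
    states=$(bypass_states "$@") || return 1
    n=0
    for s in $states; do
        if [ "$s" = bypass ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed queue-utilization trace (percent), not captured from a device.
TRACE="70 85 91 88 82 79 85 96 90 84"

echo "default 90/80: $(bypass_states 90 80 $TRACE)"
echo "tuned   95/85: $(bypass_states 95 85 $TRACE)"
```

On this trace the default 90/80 pair leaves six of ten samples uninspected, while 95/85 leaves two.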

    Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:

    1. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
    2. Add the constant below the line user_start_pre_policy (). For example:
      user_start_pre_policy ()
      {
              # Disable ARP spoofing detection
              # -------------------------------
              # If you are running clusters with virtual MAC addresses, IDP will treat
              # these as spoofed ARP packets since the MAC addresses in the ethernet
              # frame will be different from what is inside the ARP request/response. If
              # you have multiple virtual routers, you need to perform this operation on
              # all defined virtual routers.
              #
              # $SCIO const -v vr0 set sc_arp_spoof_detect 0
              # $SCIO const -s s0 set sc_mpls_decapsulation 1
              $SCIO const -s s0:flow set sc_flow_bypass_enable 1
              return;
      }
      
    3. Save the file.
    4. Restart the IDP engine:

      [root@defaulthost admin]# idp.sh restart

      Restarting the IDP engine can take several moments.


    Published: 2011-02-08