Working with the Distribution Mode

Background

In ElasticXL Cluster:

The ElasticXL Cluster uses the Distribution Mode to assign incoming traffic to Security Group Members in the ElasticXL Cluster.

By default, the ElasticXL Cluster automatically configures the Distribution Mode.
In Maestro:

The Quantum Maestro Orchestrators use the Distribution Mode to assign incoming traffic to Security Group Members in each Security Group.

By default, the Orchestrators automatically configure the Distribution Mode.
On Scalable Chassis:

The Security Switch Modules (SSMs) use the Distribution Mode to assign incoming traffic to Security Group Members in each Security Group.

By default, the SSMs automatically configure the Distribution Mode.

Supported Distribution Modes

Mode	Instructions
User (Internal)	Packets are assigned to a Security Group Member based only on the packet's Destination IP address. If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrator / Scalable Chassis SSM assigns packets to a Security Group Member based on the packet's Source Port and the Destination IP address. On Scalable Chassis, this mode applies to one SSM.
Network (External)	Packets are assigned to a Security Group Member based only on the packet's Source IP address. If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrator / Scalable ChassisSSM assigns packets to a Security Group Member based on the packet's Source IP address and Destination Port. On Scalable Chassis, this mode applies to one SSM.
General	The ElasticXL Cluster / Quantum Maestro Orchestrators / Scalable ChassisSSMs assign packets to a Security Group Member based only on the packet's Source IP address and the Destination IP address. If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrators / SSMs assign packets to a Security Group Member based on the packet's Source IP address, Source Port, Destination IP address, and Destination Port. On Scalable Chassis, this mode applies to all SSMs in the Scalable Chassis.
Auto-Topology (Per-Port)	Each port for a Security Group Member is configured separately in the User Mode or Network Mode. On Scalable Chassis, this mode applies to the SSM data interface.

Mode

Instructions

User

(Internal)

Packets are assigned to a Security Group Member based only on the packet's Destination IP address.

If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrator / Scalable Chassis SSM assigns packets to a Security Group Member based on the packet's Source Port and the Destination IP address.

On Scalable Chassis, this mode applies to one SSM.

Network

(External)

Packets are assigned to a Security Group Member based only on the packet's Source IP address.

If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrator / Scalable ChassisSSM assigns packets to a Security Group Member based on the packet's Source IP address and Destination Port.

On Scalable Chassis, this mode applies to one SSM.

General

The ElasticXL Cluster / Quantum Maestro Orchestrators / Scalable ChassisSSMs assign packets to a Security Group Member based only on the packet's Source IP address and the Destination IP address.

If Layer 4 distribution is enabled, the ElasticXL Cluster / Quantum Maestro Orchestrators / SSMs assign packets to a Security Group Member based on the packet's Source IP address, Source Port, Destination IP address, and Destination Port.

On Scalable Chassis, this mode applies to all SSMs in the Scalable Chassis.

Auto-Topology

(Per-Port)

Each port for a Security Group Member is configured separately in the User Mode or Network Mode.

On Scalable Chassis, this mode applies to the SSM data interface.

Notes:

The default mode is Auto-Topology ((Per-Port)) and the Layer 4 distribution is enabled.
The User ((Internal)) Mode and Network ((External)) Mode can work together.

The supported combinations are:
- User Mode and User Mode
- User Mode and Network Mode
- Network Mode and Network Mode
In many scenarios, it is possible to optimize the combination of the User Mode and Network Mode to pass traffic through same Security Group Member from the two sides.

Related Commands

asg_dxl

Automatic Distribution Configuration (Auto-Topology)

Platform	Default Distribution Mode
ElasticXL Cluster	By default, Security Groups work in the General Mode with Layer 4 distribution enabled.
Maestro	By default, Security Groups work in the General Mode with Layer 4 distribution enabled.
Scalable Chassis	By default, Security Groups work in the Auto-Topology (Per Port) Mode with Layer 4 distribution disabled.

The best Distribution Mode is selected based on the Security Group topology as defined in SmartConsole in the Security Gateway object.

The Distribution Mode is automatically based on these interface types:

Physical interfaces, except for management and synchronization interfaces
VLAN
Bond
VLAN on top of Bond

The examples below show how the Distribution Mode can be configured automatically for each interface.

Example 1 for Scalable Chassis - All ports on each SSM are Internal or External

The Distribution Mode for the two SSMs is automatically configured as the User (Internal) Mode or the Network (External)Mode.

Physical Interface	Topology	SSM	Distribution Mode
`eth1-01`	Internal	1	User (Internal)
`eth1-02`	Internal
`eth2-01`	External	2	Network (External)
`eth2-02`	External

Example 2 for Scalable Chassis - On at least one of the SSMs, some ports are Internal and others are External

The Distribution Mode for the SSMs is automatically configured as Auto-Topology (Per Port).

Interface	Topology	SSM	Port	Distribution Mode
`eth1-01`	Internal	1	1	User (Internal)
`eth1-02`	External	1	2	Network (External)
`eth2-01`	External	2	1	Network (External)
`eth2-02`	External	2	2	Network (External)

Example 3 for Scalable Chassis - Physical and VLAN Interfaces

Three VLANs are defined on one SSM port.

On at least one of the SSMs, some VLANs are Internal and others are External.

Therefore, the SSM Distribution Mode is automatically configured as Auto-Topology (Per Port).

Interface	Topology	SSM	Port	VLAN ID	Distribution Mode
`eth1-01`	External	1	1	NA	Network (External)
`eth1-01.100`	Internal	1	1	100	User (Internal)
`eth1-01.200`	External	1	1	200	Network (External)
`eth1-01.300`	Internal	1	1	300	User (Internal)

Example 4 for Scalable Chassis - Legacy VSX Virtual Systems

A Virtual Switch does not have topology.

Therefore, the Distribution Mode is calculated based on the topologies of the wrp interfaces that belong to Virtual Systems, as shown.

In this example, the Distribution Mode is calculated as Network (External).

Interface	Topology	Distribution Mode
`eth1-01`	External	Not Available
`wrp64`	Internal	Network (External)
`wrp128`	Internal	Network (External)
`wrp192`	Internal	User (Internal)

Example 5 for Scalable Chassis - Bond Interfaces

In this example, the interfaces on each Bond are configured with the same Distribution Mode.

The two Bond interfaces are configured with one port for SSM #1 and one port for SSM #2.

On the two SSMs, one port is Internal and the other is External.

The SSM Distribution Mode is automatically configured as Auto-Topology (Per Port).

Interface	Topology	Slaves	SSM	Port	VLAN ID
`bond1`	Internal	`eth1-01`	1	1	User (Internal)
`eth2-01`	2	1	User
`bond2`	External	`eth1-02`	1	2	Network (External)
`eth2-02`	2	2	Network

Example 6 for Scalable Chassis - VLAN Over Bond Interfaces

The automatic Distribution Mode configuration is based on the VLAN topology.

In this example, the interfaces on each VLAN are configured with the same Distribution Mode.

The two Bond interfaces are configured on port 1 for each SSM.

The SSM Distribution Mode is automatically configured as Auto-Topology (Per Port).

Interface	Topology	Slaves	SSM	Port	VLAN ID	Distribution Mode
`bond1.100`	Internal	`eth1-01`	1	1	100	User (Internal)
`eth2-01`	2	1	100	User
`bond1.200`	External	`eth1-01`	1	1	200	Network (External)
`eth2-01`	2	1	200	Network

Manual Distribution Configuration (Manual-General)

In some deployments, you must manually configure a Distribution Mode to the General.

In other cases, it may be necessary to force the system to work in the General Mode.

When the Distribution Mode is configured manually (the Manual-General Mode), the Distribution Mode of ElasticXL Cluster / each Maestro Orchestrator / Scalable Chassis SSM is General.

In this configuration, the topology of the interfaces is irrelevant.

Best Practice - Do not manually change the Distribution Mode of a Legacy Virtual System. This can cause performance degradation.

Setting and Showing the Distribution Configuration (set distribution configuration)

Use these Gaia gClish commands on a Security Group to set and show the distribution configuration.

Important - If the Security Group runs in the Legacy VSX mode, run the commands in the context of VS0 only. The commands apply immediately across all Virtual Systems.

Syntax to show the Distribution Configuration

show distribution configuration

Syntax to set the Distribution Configuration

set distribution configuration {auto-topology | manual-general} ip-version {ipv4 | ipv6 | all} ip-mask <Mask>

Parameters

Parameter

Description

auto-topology

Configures the distribution mode to Auto-Topology (Per-Port).

manual-general

Configures the distribution mode to Manual General.

ipv4

Configures the distribution mode for IPv4 traffic only.

ipv6

Configures the distribution mode for IPv6 traffic only.

all

Configures the distribution mode for IPv4 and IPv6 traffic.

ip-mask <Mask>

Must be the same as the distribution matrix size.

Must be specified in the Hex format.

Follow these steps:

Examine the distribution matrix size:

show distribution verification verbose

Examine the Matrix Size line.

Example:

...
Matrix Size 512
...

Exit from the Gaia gClish to the Expert mode.

Convert the matrix size from the decimal to the hexadecimal format:

printf '%x\n' <Matrix Size>

Example:

[Expert@HostName-ch0x-0x:0]# printf '%x\n' 512
200
[Expert@HostName-ch0x-0x:0]#

Go to the Gaia gClish:

gclish

Configure the distribution mode with the required mask:

set distribution ... ip-mask <Matrix Size in HEX>

Example:

set distribution ... ip-mask 200

Configuring the Interface Distribution Mode (set distribution interface)

Description

Use these Gaia gClish commands on a Security Group to:

Set the interface Distribution Mode - For an interface when the system is not working in the General Mode
Show the interface Distribution Mode - If it is assigned by Auto-Topology, or is manually configured

Note - In Legacy VSX mode, you must go to the context of the applicable Virtual System before you can change the interface Distribution Mode.

Run the "set virtual-system <VS ID>" command.

Syntax to set the interface Distribution Mode

set distribution interface <Name of Interface> configuration {user | network | policy}

Syntax to show the interface Distribution Mode

show distribution interface <Name of Interface> configuration

Parameters

Parameter	Description
`<Name of Interface>`	Interface name as assigned by the operating system.
`user`	Manually assign the User (Internal) Distribution Mode - based on the Destination IP address.
`network`	Manually assign the Network (External) Distribution Mode - based on the Source IP address.
`policy`	Use Auto-Topology to automatically assign the Distribution Mode according to the policy.

Examples

Showing Distribution Status (show distribution status)

Description

Use this Gaia gClish command on a Security Group to show the status report of the Distribution Mode.

Syntax

show distribution status [verbose]

Examples

Explanation about the output for a Maestro Security Group

Field	Instructions
`L4 Mode`	Shows the Layer 4 distribution status: `on` - enabled `off` - disabled
`Mode`	Shows the currently configured Distribution Mode: `per-port` - Auto-Topology `user` - User (Internal) `network` - Network (External) `general` - General
`Matrix Size`	Shows the size of the Distribution Mode matrix.
`Ports`	Shows the Distribution Mode assignment for each interface.

Explanation about the output for a Scalable Chassis

Field	Instructions
`distribution mode`	Shows the currently configured Distribution Mode: `per-port` - Auto-Topology `user` - User (Internal) `network` - Network (External) `general` - General
`policy mode`	Auto-Topology assignment: `on` - Auto-topology, or Manual override `off` - Manual-General
`ssm 1 mode` `ssm 2 mode`	Distribution Mode assignment for SSM.
`ipv6 mode`	Shows the IPv6 status: `on` - enabled `off` - disabled
`l4_mode`	Shows the Layer 4 distribution status: `on` - enabled `off` - disabled
`40g mode`	Shows the QSFP port speed: `on` - 1 x 40GbE `off` - 4 x 10GbE
`matrix size`	Shows the size of the distribution matrix. The distribution matrix is a table that contains SGM IDs for traffic assignment.
`interface`	Shows the Distribution Mode assignment for each interface.

Running a Verification Test (show distribution verification)

Description

Use this Gaia gClish command on a Security Group to run a verification test of the Distribution Mode configuration.

This test compares the Security Group configuration with the actual results.

You can see a summary or a verbose report of the test results.

Syntax

show distribution verification [verbose]

Examples

Example 3 - Verbose output of successful tests from a Scalable Chassis

[Expert@HostName-ch0x-0x:0]# gclish

[Global] HostName-ch01-01 > show distribution verification verbose

Test:                                               Configuration:                    Verification:                     Result:

chassis 1 blade 1 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 1 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 1 dxl-size                          1024                              1024                              Passed

chassis 1 blade 2 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 2 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 2 dxl-size                          1024                              1024                              Passed

chassis 1 blade 3 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 3 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 3 dxl-size                          1024                              1024                              Passed

chassis 1 blade 4 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 4 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 4 dxl-size                          1024                              1024                              Passed

chassis 1 blade 5 dxl-general-mode                  off                               off                               Passed

chassis 1 blade 5 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 1 blade 5 dxl-size                          1024                              1024                              Passed

chassis 1 ssm 1 ipv6-mode                           on                                on                                Passed

chassis 1 ssm 1 l4-mode                             off                               off                               Passed

chassis 1 ssm 1 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 1 ssm 1 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 1 ssm 1 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 1 ssm 1 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 1 ssm 1 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 1 ssm 1 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 1 ssm 1 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 1 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 1 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 1 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 1 matrix-max_size                     2k                                2k                                Passed

chassis 1 ssm 1 matrix-size                         1024                              1024                              Passed

chassis 1 ssm 1 mode                                user                              user                              Passed

chassis 1 ssm 1 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

chassis 1 ssm 2 ipv6-mode                           on                                on                                Passed

chassis 1 ssm 2 l4-mode                             off                               off                               Passed

chassis 1 ssm 2 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 1 ssm 2 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 1 ssm 2 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 1 ssm 2 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 1 ssm 2 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 1 ssm 2 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 1 ssm 2 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 2 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 1 ssm 2 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 2 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 1 ssm 2 matrix-max_size                     2k                                2k                                Passed

chassis 1 ssm 2 matrix-size                         1024                              1024                              Passed

chassis 1 ssm 2 mode                                user                              user                              Passed

chassis 1 ssm 2 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

chassis 2 blade 1 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 1 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 1 dxl-size                          1024                              1024                              Passed

chassis 2 blade 2 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 2 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 2 dxl-size                          1024                              1024                              Passed

chassis 2 blade 3 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 3 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 3 dxl-size                          1024                              1024                              Passed

chassis 2 blade 4 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 4 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 4 dxl-size                          1024                              1024                              Passed

chassis 2 blade 5 dxl-general-mode                  off                               off                               Passed

chassis 2 blade 5 dxl-md5sum                        a5a0317b8cc0de2a8518396e61593d2b  a5a0317b8cc0de2a8518396e61593d2b  Passed

chassis 2 blade 5 dxl-size                          1024                              1024                              Passed

chassis 2 ssm 1 ipv6-mode                           on                                on                                Passed

chassis 2 ssm 1 l4-mode                             off                               off                               Passed

chassis 2 ssm 1 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 2 ssm 1 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 2 ssm 1 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 2 ssm 1 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 2 ssm 1 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 2 ssm 1 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 2 ssm 1 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 1 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 1 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 1 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 1 matrix-max_size                     2k                                2k                                Passed

chassis 2 ssm 1 matrix-size                         1024                              1024                              Passed

chassis 2 ssm 1 mode                                user                              user                              Passed

chassis 2 ssm 1 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

chassis 2 ssm 2 ipv6-mode                           on                                on                                Passed

chassis 2 ssm 2 l4-mode                             off                               off                               Passed

chassis 2 ssm 2 mask ipv4 general destination       0000001f                          0000001f                          Passed

chassis 2 ssm 2 mask ipv4 general source            0000001f                          0000001f                          Passed

chassis 2 ssm 2 mask ipv4 l4 ip                     000000ff                          000000ff                          Passed

chassis 2 ssm 2 mask ipv4 l4 port                   00000003                          00000003                          Passed

chassis 2 ssm 2 mask ipv4 user-network destination  000003ff                          000003ff                          Passed

chassis 2 ssm 2 mask ipv4 user-network source       000003ff                          000003ff                          Passed

chassis 2 ssm 2 mask ipv6 general destination       0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 2 mask ipv6 general source            0000000000000000000000000000001f  0000000000000000000000000000001f  Passed

chassis 2 ssm 2 mask ipv6 user-network destination  000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 2 mask ipv6 user-network source       000000000000000000000000000003ff  000000000000000000000000000003ff  Passed

chassis 2 ssm 2 matrix-max_size                     2k                                2k                                Passed

chassis 2 ssm 2 matrix-size                         1024                              1024                              Passed

chassis 2 ssm 2 mode                                user                              user                              Passed

chassis 2 ssm 2 signature                           d9195da1c6de046ab3581836c911f98f  d9195da1c6de046ab3581836c911f98f  Passed

Summary:

all active SSMs are configured as: user

all active SSMs are configured as: user

[Global] HostName-ch01-01 >

Configuring the Layer 4 Distribution Mode and Masks (set distribution l4-mode)

Description

Use these commands in Gaia gClish on a Security Group to:

Enable Layer 4 distribution and set new masks for the IP address and the port
Disable Layer 4 distribution
Show Layer 4 Distribution Mode and masks

Syntax

set distribution l4-mode enabled

set distribution l4-mode disabled

show distribution l4-mode

Examples