Enabling checksum verification, Specifying persistent sessions – H3C Technologies H3C SecBlade LB Cards User Manual
To set session aging times based on application layer protocol type:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Set the aging time for sessions of an application layer protocol.
  Command: application aging-time { dns | ftp | msn | qq | sip } time-value
  Remarks: The aging time set by this command applies only to sessions in the READY/ESTABLISH state.
Enabling checksum verification
To make sure session tracking is not affected by packets with checksum errors, you can enable checksum
verification for protocol packets. With checksum verification enabled, the session management feature
processes only packets with correct checksums, and packets with incorrect checksums will be processed
by other services based on the session management.
IMPORTANT:
Checksum verification might degrade the device performance. Enable it with caution.
To enable checksum verification for protocol packets:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enable checksum verification.
  Command: session checksum { all | { icmp | tcp | udp } * }
  Remarks: Disabled by default.
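What the check amounts to for ICMP, TCP and UDP packets, as an added Python example (not H3C code): the RFC 1071 checksum is recomputed and a packet that fails it is kept out of session tracking. The `tracked` function is a hypothetical model of the `session checksum` setting, the addresses and payloads are constructed, and accepting a zero UDP checksum is an assumption.

```python
import socket
import struct

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}  # IP protocol numbers

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that TCP and UDP checksums also cover."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)

def checksum_ok(proto: int, segment: bytes, src: str, dst: str) -> bool:
    """True if the ICMP, TCP or UDP checksum in `segment` verifies."""
    if proto == PROTO["icmp"]:
        return internet_checksum(segment) == 0
    if proto == PROTO["udp"] and segment[6:8] == b"\x00\x00":
        return True  # assumption: RFC 768 "no checksum" is accepted
    return internet_checksum(pseudo_header(src, dst, proto, len(segment)) + segment) == 0

def tracked(packets, verify=frozenset()):
    """Packets the session tracker would process when the protocols
    named in `verify` have checksum verification enabled (hypothetical model)."""
    return [p for p in packets
            if p[0] not in {PROTO[n] for n in verify} or checksum_ok(*p)]

def build_udp(src, dst, sport, dport, payload):
    """Constructed sample: UDP datagram with a correct checksum."""
    length = 8 + len(payload)
    body = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = internet_checksum(pseudo_header(src, dst, 17, length) + body) or 0xFFFF
    return body[:6] + struct.pack("!H", csum) + payload

def build_icmp_echo(ident, seq, payload):
    """Constructed sample: ICMP echo request with a correct checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]

SRC, DST = "192.0.2.10", "198.51.100.5"  # documentation addresses
good_udp = build_udp(SRC, DST, 40000, 53, b"constructed query")
bad_udp = good_udp[:-1] + bytes([good_udp[-1] ^ 0x01])  # one bit flipped in transit
PACKETS = [(17, good_udp, SRC, DST), (17, bad_udp, SRC, DST),
           (1, build_icmp_echo(1, 1, b"ping"), SRC, DST)]
```

With `verify` left empty (the default, matching "Disabled by default") the corrupted datagram is tracked like any other; `tracked(PACKETS, {"udp"})` leaves it out.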
Specifying persistent sessions
You can specify the sessions that match the permit statements in a specific basic or advanced ACL as
persistent sessions, and either give them a longer lifetime or make them never age out. A lifelong session is not
removed until the device receives a connection close request from the initiator or responder, or you
manually clear the session entries.
For more information about the configuration of basic and advanced ACLs, see "Configuring ACLs."
To specify persistent sessions:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Specify persistent sessions.
  Command: session persist acl acl-number [ aging-time time-value ]
  Remarks: By default, no persistent sessions are specified. If you configure this command multiple times, the last configuration takes effect.
Configuring the operating mode for session management
By default, session management operates in bidirectional mode to process only bidirectional sessions.
You can change the operating mode to hybrid mode for processing both bidirectional sessions and
unidirectional sessions. In a unidirectional session, packets in a specific direction can pass the device.
If you configure the hybrid mode, some features cannot work properly and system security is adversely
affected. You must configure the operating mode for session management according to whether