Packet matching principles when multiple NAT policies are configured


If multiple NAT policies are configured, the firewall matches packets based on the list of policies from top to bottom. If a policy is matched, the firewall stops matching other policies.

Other related questions:
If multiple NAT policies are configured, how does an FW match packets with them?
An FW matches packets with NAT policies in the top-down sequence. If the packets match a NAT policy, the FW processes the packets based on the policy and stops matching the packets with other NAT policies.
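The top-down, first-match behaviour described in the main answer and in the question above means that policy order decides the outcome: a broad policy placed above a narrower one silently prevents the narrower one from ever matching. The following is an added illustration, not Huawei code or configuration syntax: it models first-match lookup over a constructed policy list and flags policies that are shadowed by an earlier, broader policy, so the ordering problem is caught before it reaches a firewall.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatPolicy:
    """Simplified NAT policy: source/destination CIDR and an action label (constructed)."""
    name: str
    src: str
    dst: str
    action: str


def first_match(policies, src_ip, dst_ip):
    """Return the first policy (top-down) whose src and dst contain the packet, else None.

    Mirrors the FW behaviour: once a policy matches, later policies are not consulted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p
    return None


def shadowed(policies):
    """Return (policy, shadowing_policy) name pairs for policies that can never match
    because an earlier policy fully covers their source and destination ranges."""
    found = []
    for i, p in enumerate(policies):
        ps, pd = ipaddress.ip_network(p.src), ipaddress.ip_network(p.dst)
        for q in policies[:i]:
            qs, qd = ipaddress.ip_network(q.src), ipaddress.ip_network(q.dst)
            if ps.subnet_of(qs) and pd.subnet_of(qd):
                found.append((p.name, q.name))
                break
    return found


# Constructed sample: the intent is that traffic from 10.1.10.0/24 to the 10.2.0.0/16
# network is NOT translated, but the catch-all "to anywhere" policy was listed first.
MISORDERED = [
    NatPolicy("p1_internet", "10.1.0.0/16", "0.0.0.0/0", "source-nat"),
    NatPolicy("p2_to_dmz", "10.1.10.0/24", "10.2.0.0/16", "no-nat"),
]

# Same policies with the specific one placed above the catch-all.
FIXED = [MISORDERED[1], MISORDERED[0]]

if __name__ == "__main__":
    hit = first_match(MISORDERED, "10.1.10.5", "10.2.0.9")
    print("misordered:", hit.name, hit.action, "shadowed:", shadowed(MISORDERED))
    hit = first_match(FIXED, "10.1.10.5", "10.2.0.9")
    print("fixed:", hit.name, hit.action, "shadowed:", shadowed(FIXED))
```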

In what order does an applied traffic policy take effect on S series switches?
For S series switches (except the S1700), a traffic policy can be applied in the system view, interface view, and VLAN view simultaneously. When applying a traffic policy in multiple views, configure the traffic policy in the sequence of interface view, VLAN view, and system view. When multiple traffic policies are applied in different views and packets simultaneously match different traffic policies, the traffic policies take effect in the following order:
- If traffic classification rules in the traffic policies are of the same type, that is, the rules are all user-defined ACL rules, Layer 2 rules, or Layer 3 rules, only one traffic policy takes effect. The traffic policy that takes effect depends on the view in which the traffic policy has been applied. The view priority is as follows: interface view > VLAN view > system view.
- For cards of modular switches except X series cards and fixed switches S5700HI, S5700EI, S5710EI, S5720EI, S5710HI, S6700EI, S6720EI, and S6720S-EI, if traffic classification rules in the traffic policies are of different types and actions in traffic behaviors do not conflict, traffic policies in all views take effect. If actions in traffic behaviors conflict, only one traffic policy takes effect, and the traffic policy that takes effect depends on the rules. The rule priority is as follows: Layer 2 rule and Layer 3 rule > advanced ACL6 rule > basic ACL6 rule > Layer 3 rule > Layer 2 rule > user-defined ACL rule.
- For X series cards of modular switches and E series and S series fixed switches S600-E, S1720GFR, S1720GW-E, S1720GWR-E, S2720, S2750, 5700SI, S5700LI, S5700S-LI, S5720LI, S5720S-LI, S5710-X-LI, S5720SI, S5720S-SI, and S5720HI, if traffic classification rules in the traffic policies are of different types, the traffic policy in only one view takes effect, and the traffic policy that takes effect depends on the view in which it is applied. The view priority is as follows: interface view > VLAN view > system view.
It is recommended that you configure the traffic policy based on the priority. Otherwise, the configured traffic policy may not take effect immediately. Note: MQC cannot be configured on the S2700SI.

Matching order of packets when multiple pairs of traffic classifiers and traffic behaviors are defined in a traffic policy
For S series switches (except the S1700):
- For S series modular switches, you can specify the matching order of rules in the traffic policy when creating a traffic policy. The matching orders are classified into the configuration order (config) and automatic order (auto).
  - For X series cards of modular switches, the matching order depends on the priorities of traffic classifiers, that is, the value of the precedence precedence-value parameter in the traffic classifier command. A smaller value indicates a higher priority.
  - For cards of modular switches except X series cards:
    - config: The matching order depends on the priorities of traffic classifiers, that is, the value of the precedence precedence-value parameter in the traffic classifier command. A smaller value indicates a higher priority.
    - auto: The matching order depends on the priorities of traffic classifier types predefined on the system. The traffic classifiers based on the following information are in descending order of priority: Layer 2 and Layer 3 information, advanced ACL6 rule, basic ACL6 rule, Layer 2 information, Layer 3 information, and user-defined ACL rule. If actions in traffic behaviors do not conflict, all the matching traffic classifiers and traffic behaviors take effect. If actions in traffic behaviors conflict, the traffic classifier and traffic behavior with the highest-priority traffic classifier type take effect.
- For S series fixed switches S600-E, packets match traffic classifiers and traffic behaviors according to the sequence in which the traffic classifiers and traffic behaviors are configured. If the first traffic classifier is not matched, the switch matches packets with the second traffic classifier, and so on. If the packets match a traffic classifier, the switch does not match the packets with subsequent traffic classifiers. Only the first pair of matching traffic classifier and traffic behavior takes effect.
For other fixed switches, see "How Does the Switch Match Packets When Multiple Pairs of Traffic Classifiers and Traffic Behaviors Are Defined in a Traffic Policy?" in FAQ-QoS.

Matching principles for file pool policies of OceanStor 9000
Matching principles for file pool policies of OceanStor 9000 include:
- A file pool policy can be configured as a combination of multiple parameters. A file pool policy is matched only when the file properties match all parameters of the file pool policy.
- When multiple policies are matched, the system applies the policy with the highest priority.
- If no policy is matched, a file is stored by following the default policy. The default policy has the lowest priority and is used only when the initial file storage location is determined.

Whether the NAT policy is valid to ESP packets
The source NAT and NAT server policies that allow the PAT are invalid to ESP packets. The source NAT and NAT server policies that do not allow the PAT are valid to ESP packets.
