In a multi-chassis configuration, the slave router has the same security configuration as the master. When the slave router receives datapath packets that are entering or leaving a security zone, the data packets are extracted into the same access or network data queues and security control queues that exist on the master. However, the data packets that are extracted must be processed by the master firewall security engine. The slave sends these extracted data packets to the master over the multi-chassis link (MCL).
The access queues, network data queues, and security control queues used on the slave have QoS configurations that control the traffic rate from the slave to the master. These QoS configurations on the slave, specifically the security queue QoS policies and the aggregate shaping rate, should be configured identically on the master. For more information, see Security Queue QoS Policies. For information on configuring the security-aggregate-rate command, refer to the 7705 SAR Interface Configuration Guide, "Adapter Card Commands".
The extracted data packets that the master receives from the slave are stored in a multi-chassis firewall queue for extraction to the CSM on the master. To limit the rate of datapath traffic being extracted and sent to the master CSM, this extraction queue is rate-limited to 80 Mb/s. In addition, this extraction queue, the security control queues, and the access/network security queues are all rate-limited by the security-aggregate-rate command. These QoS settings and configurations make it possible to control the datapath traffic being extracted on the master and slave for firewall security processing.