- 05-Layer 3 - IP Services Configuration Guide
06-IP Performance Optimization Configuration
Contents
Configuring IP performance optimization
IP performance optimization overview
Enabling reception and forwarding of directed broadcasts to a directly connected network
Enabling forwarding of directed broadcasts to a directly connected network
Configuring TCP MSS for the interface
Configuring the TCP send/receive buffer size
Configuring ICMP to send error packets
Enabling support for ICMP extensions
Displaying and maintaining IP performance optimization
NOTE: In this documentation, SPC cards refer to the interface cards prefixed with SPC, for example, SPC-GT48L. SPE cards refer to the base cards prefixed with SPE, for example, SPE-1020-E-II.
IP performance optimization overview
You can adjust the IP parameters to achieve best network performance. IP performance optimization includes:
· Enabling the router to receive and forward directed broadcasts
· Configuring the maximum TCP segment size (MSS) of the interface
· Configuring the TCP send/receive buffer size
· Configuring TCP timers
· Enabling the router to send ICMP error packets
· Enabling the router to support ICMP extensions
· Enabling ICMP flow control
Enabling reception and forwarding of directed broadcasts to a directly connected network
Directed broadcast packets are broadcast on a specific network. In the destination IP address of a directed broadcast, the network ID identifies the target network and the host ID is all ones. If a router is allowed to forward directed broadcasts to a directly connected network, attackers may use such packets to attack that network. However, you should enable the feature when:
· Using the UDP Helper function to convert broadcasts to unicasts and forward them to a specified server.
· Using the Wake on LAN function to forward directed broadcasts to a host on the remote network.
Enabling forwarding of directed broadcasts to a directly connected network
To enable the router to forward directed broadcasts:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable the interface to forward directed broadcasts. | ip forward-broadcast [ acl acl-number ] | By default, the router is disabled from forwarding directed broadcasts. The system does not support this command when working in the hybrid mode. For more information about the system working modes, see Fundamentals Configuration Guide. |

NOTE: The router does not support the acl keyword.
Configuration example
Network requirements
As shown in Figure 1, the host’s interface and GigabitEthernet 3/1/1 of Router A are on the same network segment (1.1.1.0/24). Interface GigabitEthernet 3/1/2 of Router A and interface GigabitEthernet 3/1/2 of Router B are on another network segment (2.2.2.0/24). The default gateway of the host is GigabitEthernet 3/1/1 (IP address 1.1.1.2/24) of Router A. Configure a static route to the host on Router B.
Configure Router B to receive directed broadcasts from the host to IP address 2.2.2.255.
Configuration procedure
· Configure Router A:
# Configure IP addresses for GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2.
[RouterA] interface GigabitEthernet 3/1/1
[RouterA-GigabitEthernet3/1/1] ip address 1.1.1.2 24
[RouterA-GigabitEthernet3/1/1] quit
[RouterA] interface GigabitEthernet 3/1/2
[RouterA-GigabitEthernet3/1/2] ip address 2.2.2.2 24
# Enable GigabitEthernet 3/1/2 to forward directed broadcasts.
[RouterA-GigabitEthernet3/1/2] ip forward-broadcast
· Configure Router B:
# Configure a static route to the host.
[RouterB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for GigabitEthernet 3/1/2.
[RouterB] interface GigabitEthernet 3/1/2
[RouterB-GigabitEthernet3/1/2] ip address 2.2.2.1 24
[RouterB-GigabitEthernet3/1/2] quit
After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of interface GigabitEthernet 3/1/2 of Router A on the host, the ping packets can be received by interface GigabitEthernet 3/1/2 of Router B. However, if you remove the ip forward-broadcast command, the ping packets cannot be received by interface GigabitEthernet 3/1/2 of Router B.
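The forwarding decision that ip forward-broadcast controls, modelled on the example topology above (an added Python example, not H3C code; the Interface class and forwarding_decision function are hypothetical names of this model): Router A receives the host's packet to 2.2.2.255 on GigabitEthernet 3/1/1 and turns it into a broadcast on GigabitEthernet 3/1/2 only when forwarding is enabled on that interface.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    addr: ipaddress.IPv4Interface        # address/prefix, e.g. 1.1.1.2/24
    forward_broadcast: bool = False      # whether 'ip forward-broadcast' is configured on it

# Constructed model of Router A from the configuration example (forwarding enabled on GE3/1/2).
ROUTER_A = [
    Interface("GigabitEthernet3/1/1", ipaddress.IPv4Interface("1.1.1.2/24")),
    Interface("GigabitEthernet3/1/2", ipaddress.IPv4Interface("2.2.2.2/24"), forward_broadcast=True),
]

def is_directed_broadcast(dst: ipaddress.IPv4Address, itf: Interface) -> bool:
    """True when dst carries itf's network ID with an all-ones host ID (/31 and /32 have no broadcast)."""
    net = itf.addr.network
    return net.prefixlen < 31 and dst == net.broadcast_address

def forwarding_decision(router, ingress: str, dst_str: str) -> str:
    """How the router treats a packet that arrived on `ingress` for dst_str:
    'deliver-local', 'forward:<itf>', 'broadcast:<itf>' or 'drop:<reason>'."""
    dst = ipaddress.IPv4Address(dst_str)
    if dst == ipaddress.IPv4Address("255.255.255.255"):
        return "drop:limited broadcast is never forwarded"
    for itf in router:
        # addressed to the router itself, or a broadcast on the LAN it arrived from
        if dst == itf.addr.ip or (itf.name == ingress and is_directed_broadcast(dst, itf)):
            return "deliver-local"
    for itf in router:
        if dst in itf.addr.network:                   # directly connected destination network
            if is_directed_broadcast(dst, itf):
                # the step 'ip forward-broadcast' controls: without it the router drops the packet
                # rather than turning a routed unicast into a LAN broadcast on that segment
                if itf.forward_broadcast:
                    return f"broadcast:{itf.name}"
                return "drop:directed broadcast and forwarding disabled on " + itf.name
            return f"forward:{itf.name}"
    return "drop:no route"
```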
Configuring TCP attributes
Configuring TCP MSS for the interface
The maximum segment size (MSS) option informs the receiver of the largest segment that the sender is willing to accept. Each end announces the MSS it expects to receive during TCP connection establishment. The end that receives the MSS value from the other end then limits the size of each TCP segment it sends. If the size of a TCP segment is smaller than the MSS of the other end, the TCP segment is sent to the other end without being fragmented; otherwise, it is fragmented according to the MSS before being sent.
If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.
To configure TCP MSS of the interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure TCP MSS of the interface. | tcp mss value | Optional. 1460 bytes by default. |

NOTE:
· This configuration takes effect only on TCP connections that are established after the configuration, not on TCP connections that already exist.
· This configuration is effective only on IP packets. If MPLS is enabled on the interface, configuring the TCP MSS on the interface is not recommended.
Configuring the TCP send/receive buffer size
To configure the TCP send/receive buffer size:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the size of the TCP receive/send buffer. | tcp window window-size | Optional. 8 KB by default. |
Configuring TCP timers
You can configure the following TCP timers:
· synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
· finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received within the timer interval, the TCP connection will be terminated. If a FIN packet is received, the TCP connection state changes to TIME_WAIT. If a non-FIN packet is received, the system restarts the timer upon receiving the last non-FIN packet. The connection is broken after the timer expires.
To configure TCP timers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the TCP synwait timer. | tcp timer syn-timeout time-value | Optional. 75 seconds by default. |
3. Configure the TCP finwait timer. | tcp timer fin-timeout time-value | Optional. 675 seconds by default. |

CAUTION: The actual length of the finwait timer is determined by the following formula: Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer
Configuring ICMP to send error packets
Introduction
Sending error packets is a major function of the ICMP protocol. When network abnormalities occur, error packets are usually sent by the network or transport layer protocols to notify the corresponding routers, which facilitates control and management.
Advantages of sending ICMP error packets
There are three kinds of ICMP error packets: redirect packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.
1. Sending ICMP redirect packets
A host may have only a default route to the default gateway in its routing table after startup. The default gateway will send ICMP redirect packets to the source host and notify it to reselect a correct next hop to send the subsequent packets, if the following conditions are satisfied:
◦ The receiving and forwarding interfaces are the same.
◦ The selected route has not been created or modified by an ICMP redirect packet.
◦ The selected route is not the default route of the router.
◦ There is no source route option in the packet.
The ICMP redirect function simplifies host administration and enables a host to gradually build a sound routing table and find the best route.
2. Sending ICMP timeout packets
If the router receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source.
The router will send an ICMP timeout packet under the following conditions:
◦ If the router finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a “TTL timeout” ICMP error message.
◦ When the router receives the first fragment of an IP datagram whose destination is the router itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the router sends a “reassembly timeout” ICMP error packet.
3. Sending ICMP destination unreachable packets
If the router receives an IP packet whose destination is unreachable, it drops the packet and sends an ICMP destination unreachable error packet to the source.
Conditions for sending this ICMP packet:
◦ If neither a route nor the default route for forwarding a packet is available, the router sends a “network unreachable” ICMP error packet.
◦ If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local router, the router sends a “protocol unreachable” ICMP error packet to the source.
◦ When receiving a packet whose destination is local and whose transport layer protocol is UDP, if the packet’s port number does not match a running process, the router sends the source a “port unreachable” ICMP error packet.
◦ If the source uses “strict source routing” to send packets, but the intermediate router finds that the next hop specified by the source is not directly connected, the router sends the source a “source routing failure” ICMP error packet.
◦ When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has the “Don’t Fragment” bit set, the router sends the source a “fragmentation needed and Don’t Fragment (DF)-set” ICMP error packet.
Disadvantages of sending ICMP error packets
Although sending ICMP error packets facilitates network control and management, it still has the following disadvantages:
· Sending a lot of ICMP packets will increase network traffic.
· If the router receives a large number of malicious packets that cause it to send ICMP error packets, its performance is reduced.
· As the redirection function increases the routing table size of a host, the host’s performance will be reduced if its routing table becomes very large.
· If a host sends malicious ICMP destination unreachable packets, end users may be affected.
To prevent such problems, you can disable the router from sending ICMP error packets.
To enable sending of ICMP error packets:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable sending of ICMP redirect packets. | ip redirects enable | Disabled by default |
3. Enable sending of ICMP timeout packets. | ip ttl-expires enable | Disabled by default |
4. Enable sending of ICMP destination unreachable packets. | ip unreachables enable | Disabled by default |

NOTE:
· On SPC cards, you can enable sending of ICMP redirect packets only on VLAN interfaces.
· The router stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is disabled. However, “reassembly timeout” error packets will be sent normally.
Enabling support for ICMP extensions
Introduction
Generally, ICMP messages are of a fixed format and cannot carry extension information. With support for ICMP extensions enabled, a router appends an extension information field to the ICMP messages as needed. Currently, the router can append only MPLS label information to ICMP messages.
ICMP extensions for MPLS
In MPLS networks, when a packet's TTL expires, MPLS strips the MPLS header, encapsulates the remaining datagram into an ICMP time exceeded message, and sends the message to the egress router of the MPLS tunnel. Then the egress router sends the message back to the ingress router of the tunnel. The ICMP message, however, does not contain the label information that is very important to the ingress router. With support for ICMP extensions enabled, the router appends the MPLS label to the ICMP time exceeded message before sending it back to the ingress router of the tunnel.
ICMP extensions are usually used for an enhanced traceroute implementation in MPLS networks, in which MPLS label information of each hop the original datagram arrives at is printed.
Handling ICMP messages
ICMP messages can be classified into three types:
· Common ICMP messages: Without any extension information.
· Extended ICMP messages with a length field: Carry extension information and a length field. The length field indicates the length of the original datagram that is encapsulated within the ICMP header and excludes the ICMP extension length. Such an ICMP message complies with RFC 4884.
· Extended ICMP messages without a length field: Carry extension information but does not contain a length field. Such an ICMP message does not comply with RFC 4884.
Based on how these messages are handled, the router can work in one of these modes: common mode, compliant mode, and non-compliant mode. Table 1 shows how ICMP messages are handled in different working modes.
Table 1 Handling ICMP messages

Device mode | ICMP messages sent | ICMP messages received | Remarks |
---|---|---|---|
Common mode | Common ICMP messages | Common ICMP messages | Extension information in extended ICMP messages will not be processed. |
Compliant mode | Common ICMP messages; extended ICMP messages with a length field | Common ICMP messages; extended ICMP messages with a length field | Extended ICMP messages without a length field are handled as common ICMP messages. |
Non-compliant mode | Common ICMP messages; extended ICMP messages without a length field | All three types of ICMP messages | N/A |

NOTE: ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages, IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.
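The three message kinds and the receive-side rules of Table 1 in runnable form (an added Python example, not H3C code): it builds constructed Time Exceeded messages, classifies each by whether the RFC 4884 length field is set and whether the extension structure's version and checksum verify, and pulls MPLS labels out of the RFC 4950 label stack object. The 8-byte ICMP header, the 128-byte minimum original-datagram field and the legacy offset-128 placement are taken from those RFCs, not from this guide, and the ICMP header checksum is not validated.

```python
import struct
def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data that already carries a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_time_exceeded(orig: bytes, labels=(), with_length=True) -> bytes:
    """Constructed Time Exceeded (type 11); labels=() -> common, with_length=False -> pre-RFC 4884 'non-compliant' layout."""
    padded = orig.ljust(128, b"\x00")                          # original datagram, padded to >= 128 bytes
    padded += b"\x00" * (-len(padded) % 4)                     # ... and to a 32-bit boundary
    ext = b""
    if labels:                                                 # MPLS label stack object (Class-Num 1, C-Type 1)
        entries = b"".join(struct.pack("!I", (lbl << 12) | (s << 8) | ttl) for lbl, s, ttl in labels)
        obj = struct.pack("!HBB", 4 + len(entries), 1, 1) + entries
        cksum = inet_checksum(struct.pack("!HH", 2 << 12, 0) + obj)   # header: version 2, checksum zeroed
        ext = struct.pack("!HH", 2 << 12, cksum) + obj
    length = len(padded) // 4 if (labels and with_length) else 0   # RFC 4884 length field, in 32-bit words
    return struct.pack("!BBHBBH", 11, 0, 0, 0, length, 0) + padded + ext   # ICMP checksum left 0, not checked here

def parse_extension(ext: bytes):
    """MPLS labels carried by a valid RFC 4884 extension structure, or None if ext is not one."""
    if len(ext) < 4 or ext[0] >> 4 != 2 or inet_checksum(ext) != 0:
        return None
    labels, pos = [], 4
    while pos + 4 <= len(ext):
        olen, cls, ctype = struct.unpack("!HBB", ext[pos:pos + 4])
        if olen < 4 or pos + olen > len(ext):                   # malformed object: reject the whole structure
            return None
        if (cls, ctype) == (1, 1):
            for off in range(pos + 4, pos + olen, 4):
                labels.append(struct.unpack("!I", ext[off:off + 4])[0] >> 12)   # label = top 20 bits
        pos += olen
    return labels

def classify(msg: bytes):
    """-> ('common', []), ('compliant', labels) or ('non-compliant', labels), the three kinds of Table 1."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    if msg[5]:                                                 # length field set: extension follows the datagram
        labels = parse_extension(msg[8 + 4 * msg[5]:])
        return ("compliant", labels) if labels is not None else ("common", [])
    labels = parse_extension(msg[8 + 128:])                    # no length field: legacy extension at offset 128
    return ("non-compliant", labels) if labels is not None else ("common", [])

# Table 1, receive side: the kinds of extended message whose extension a router in each mode processes.
EXTENSIONS_PROCESSED = {"common": set(), "compliant": {"compliant"}, "non-compliant": {"compliant", "non-compliant"}}

def labels_seen_by(device_mode: str, msg: bytes) -> list:
    """MPLS labels a router in device_mode extracts from msg; empty when it ignores the extension."""
    kind, labels = classify(msg)
    return labels if kind in EXTENSIONS_PROCESSED[device_mode] else []
```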
Configuration procedure
To enable support for ICMP extensions:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable support for ICMP extensions in compliant mode. | ip icmp-extensions compliant | Optional. Disabled by default. |
3. Enable support for ICMP extensions in non-compliant mode. | ip icmp-extensions non-compliant | Optional. Disabled by default. |

NOTE: After support for ICMP extensions is disabled, no ICMP message sent by the router contains extension information.
Enabling ICMP flow control
If a large number of ICMP packets are delivered to the CPU for processing, processing of other services is affected. To prevent this, you can enable ICMP flow control.
To enable ICMP flow control:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ICMP flow control. | ip icmp flow-control | Disabled by default |
Displaying and maintaining IP performance optimization
Task |
Command |
Remarks |
Display current TCP connection state. |
display tcp status [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Display TCP connection statistics. |
display tcp statistics [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Display UDP statistics. |
display udp statistics [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Display statistics of IP packets. |
display ip statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Display statistics of ICMP flows. |
display icmp statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Display socket information. |
display ip socket [ socktype sock-type ] [ task-id socket-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Display FIB information. |
display fib [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } string | acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Display FIB forward information matching the specified destination IP address. |
display fib [ vpn-instance vpn-instance-name ] ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ] |
Available in any view |
Clear statistics of IP packets. |
reset ip statistics [ slot slot-number ] |
Available in user view |
Clear statistics of TCP connections. |
reset tcp statistics |
Available in user view |
Clear statistics of UDP flows. |
reset udp statistics |
Available in user view |