05-Layer 3 - IP Services Configuration Guide

06-IP Performance Optimization Configuration
NOTE:

In this documentation, SPC cards refer to the interface cards prefixed with SPC, for example, SPC-GT48L. SPE cards refer to the base cards prefixed with SPE, for example, SPE-1020-E-II.

 

IP performance optimization overview

You can adjust the IP parameters to achieve best network performance. IP performance optimization includes:

·           Enabling the router to receive and forward directed broadcasts

·           Configuring the maximum TCP segment size (MSS) of the interface

·           Configuring the TCP send/receive buffer size

·           Configuring TCP timers

·           Enabling the router to send ICMP error packets

·           Enabling the router to support ICMP extensions

·           Enabling ICMP flow control

Enabling reception and forwarding of directed broadcasts to a directly connected network

Directed broadcast packets are broadcasts addressed to a specific network: in the destination IP address of a directed broadcast, the network ID identifies the target network and the host ID is all ones. A router that forwards directed broadcasts onto a directly connected network lets a remote sender make every host on that network answer a single (possibly spoofed) packet, which is the amplifier used in Smurf-style floods; RFC 2644 therefore recommends that routers not forward directed broadcasts by default, and this router does not. Enable the feature only when:

·           Using the UDP Helper function to convert broadcasts to unicasts and forward them to a specified server.

·           Using the Wake on LAN function to forward directed broadcasts to a host on the remote network.

Enabling forwarding of directed broadcasts to a directly connected network

To enable the router to forward directed broadcasts:

 

1. Enter system view: system-view

2. Enter interface view: interface interface-type interface-number

3. Enable the interface to forward directed broadcasts: ip forward-broadcast [ acl acl-number ]

By default, the router is disabled from forwarding directed broadcasts. The system does not support this command when working in hybrid mode. For more information about the system working modes, see Fundamentals Configuration Guide.

 

 

NOTE:

The router does not support the acl keyword.

 

Configuration example

Network requirements

As shown in Figure 1, the host’s interface and GigabitEthernet 3/1/1 of Router A are on the same network segment (1.1.1.0/24). Interface GigabitEthernet 3/1/2 of Router A and interface GigabitEthernet 3/1/2 of Router B are on another network segment (2.2.2.0/24). The default gateway of the host is GigabitEthernet 3/1/1 (IP address 1.1.1.2/24) of Router A. Configure a static route to the host on Router B.

Configure Router B to receive directed broadcasts from the host to IP address 2.2.2.255.

Figure 1 Network diagram

 

Configuration procedure

·           Configure Router A:

# Configure IP addresses for GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2.

[RouterA] interface GigabitEthernet 3/1/1

[RouterA-GigabitEthernet3/1/1] ip address 1.1.1.2 24

[RouterA-GigabitEthernet3/1/1] quit

[RouterA] interface GigabitEthernet 3/1/2

[RouterA-GigabitEthernet3/1/2] ip address 2.2.2.2 24

# Enable GigabitEthernet 3/1/2 to forward directed broadcasts.

[RouterA-GigabitEthernet3/1/2] ip forward-broadcast

·           Configure Router B:

# Configure a static route to the host.

[RouterB] ip route-static 1.1.1.1 24 2.2.2.2

# Configure an IP address for GigabitEthernet 3/1/2.

[RouterB] interface GigabitEthernet 3/1/2

[RouterB-GigabitEthernet3/1/2] ip address 2.2.2.1 24

[RouterB-GigabitEthernet3/1/2] quit

After the above configurations, if you ping the subnet broadcast address of the 2.2.2.0/24 segment (2.2.2.255) from the host, the ping packets are received by interface GigabitEthernet 3/1/2 of Router B. If you remove the ip forward-broadcast command from GigabitEthernet 3/1/2 of Router A (the interface on which the broadcast would be sent out), Router B no longer receives them.

Configuring TCP attributes

Configuring TCP MSS for the interface

The Maximum Segment Size (MSS) option tells the peer the largest TCP segment (payload, excluding the IP and TCP headers) that the sender of the option is willing to receive. Each end announces its MSS in the SYN segments during connection establishment, and each end then limits the size of the segments it sends to the MSS announced by the other end: data that fits within that MSS goes out as a single segment, and larger data is split into several segments of at most MSS bytes rather than being left to IP fragmentation.

If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

To configure TCP MSS of the interface:

 

1. Enter system view: system-view

2. Enter interface view: interface interface-type interface-number

3. Configure the TCP MSS of the interface: tcp mss value (optional; 1460 bytes by default)

 

 

NOTE:

·       This configuration takes effect only on TCP connections established after the configuration, not on TCP connections that already exist.

·       This configuration applies only to IP packets. If MPLS is enabled on the interface, configuring a TCP MSS on the interface is not recommended.
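As an added example (not part of this configuration guide and not H3C code), the Python below works through the arithmetic behind the 1460-byte default and the MPLS caveat: the MSS is the path MTU minus the IP and TCP headers, so any encapsulation added after the segment is built (MPLS labels, a GRE tunnel) either needs a lower tcp mss on the interface or relies on the “fragmentation needed and DF set” ICMP error that, per the ICMP section of this guide, the router does not send unless ip unreachables enable is configured. The header sizes are the standard ones from the RFCs; the constant names, the effective_mss rule and the pmtud_blackhole helper are this example's own assumptions.

```python
# Standard header sizes (RFC 791 IPv4, RFC 8200 IPv6, RFC 793 TCP, no options)
# and per-hop encapsulation overheads. The names are this example's own.
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20
MPLS_LABEL = 4                      # one label stack entry (RFC 3032)
GRE_OVER_IPV4 = IPV4_HEADER + 4     # outer IPv4 header + 4-byte GRE header (RFC 2784, no options)


def mss_for_path(path_mtu: int, ipv6: bool = False, encap_overhead: int = 0) -> int:
    """Largest TCP payload that fits in one datagram on a path with the given MTU,
    leaving room for encapsulation that is added after the segment is built."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return path_mtu - encap_overhead - ip_header - TCP_HEADER


def datagram_size(mss: int, ipv6: bool = False) -> int:
    """Size on the wire of a full-MSS segment before any encapsulation."""
    return mss + (IPV6_HEADER if ipv6 else IPV4_HEADER) + TCP_HEADER


def effective_mss(local_mss: int, peer_announced_mss: int) -> int:
    """A sender never exceeds the MSS the peer announced, and the interface
    'tcp mss' caps what is sent or accepted locally, so the smaller value
    governs the connection (assumed model of the two limits)."""
    return min(local_mss, peer_announced_mss)


def pmtud_blackhole(mss: int, path_mtu: int, encap_overhead: int = 0,
                    unreachables_enabled: bool = False, ipv6: bool = False) -> bool:
    """True when a full-size segment with DF set would be dropped silently: it is
    too big for the path once encapsulated, and the dropping router does not send
    'fragmentation needed' because 'ip unreachables enable' is not configured."""
    oversized = datagram_size(mss, ipv6) + encap_overhead > path_mtu
    return oversized and not unreachables_enabled


if __name__ == "__main__":
    print("default IPv4 MSS on a 1500-byte path:", mss_for_path(1500))
    print("MSS to set on a GRE-tunnelled interface:", mss_for_path(1500, encap_overhead=GRE_OVER_IPV4))
    print("MSS with two MPLS labels pushed:", mss_for_path(1500, encap_overhead=2 * MPLS_LABEL))
    print("IPv6 MSS on a 1500-byte path:", mss_for_path(1500, ipv6=True))
    print("silent drop with default MSS over GRE and unreachables off:",
          pmtud_blackhole(1460, 1500, GRE_OVER_IPV4))
```

The practical reading: leaving tcp mss at 1460 on an interface that feeds a tunnel is safe only if the router that has to fragment is allowed to say so; with ip unreachables left at its default (disabled), lowering the MSS is the reliable fix.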

 

Configuring the TCP send/receive buffer size

To configure the TCP send/receive buffer size:

 

1. Enter system view: system-view

2. Configure the size of the TCP receive/send buffer: tcp window window-size (optional; 8 KB by default)

 

Configuring TCP timers

You can configure the following TCP timers:

·           synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response is received before the timer expires, the TCP connection cannot be created. A shorter synwait timer releases the state held for half-open connections sooner.

·           finwait timer: When a TCP connection enters the FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received before the timer expires, the connection is terminated. If a FIN packet is received, the connection state changes to TIME_WAIT. If a non-FIN packet is received, the timer is restarted on each such packet; the connection is torn down when the timer eventually expires.

To configure TCP timers:

 

1. Enter system view: system-view

2. Configure the TCP synwait timer: tcp timer syn-timeout time-value (optional; 75 seconds by default)

3. Configure the TCP finwait timer: tcp timer fin-timeout time-value (optional; 675 seconds by default)

 

CAUTION:

The actual length of the finwait timer is determined by the following formula:

Actual length of the finwait timer = (configured length of the finwait timer – 75) + configured length of the synwait timer

With the default values (675 and 75 seconds) this yields 675 seconds. Because the two timers are coupled, shortening the synwait timer (for example, to shed half-open connections faster) also shortens the actual finwait timer by the same amount.

 

Configuring ICMP to send error packets

Introduction

Sending error packets is a major function of ICMP. When a network abnormality occurs, the network or transport layer uses ICMP error packets to notify the source and the routers concerned, so that the condition can be diagnosed and managed.

Advantages of sending ICMP error packets

There are three kinds of ICMP error packets: redirect packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.

1.      Sending ICMP redirect packets

A host may have only a default route to the default gateway in its routing table after startup. The default gateway will send ICMP redirect packets to the source host and notify it to reselect a correct next hop to send the subsequent packets, if the following conditions are satisfied:

¡  The receiving and forwarding interfaces are the same.

¡  The selected route has not been created or modified by ICMP redirect packet.

¡  The selected route is not the default route of the router.

¡  There is no source route option in the packet.

ICMP redirect packets simplify host administration and let a host gradually build a routing table that reflects the best routes.

2.      Sending ICMP timeout packets

If the router receives an IP packet whose time to live or reassembly time has run out, it drops the packet and sends an ICMP timeout packet to the source.

The router will send an ICMP timeout packet under the following conditions:

¡  If the router finds the destination of a packet is not itself and the TTL field of the packet is 1, it will send a “TTL timeout” ICMP error message.

¡  When the router receives the first fragment of an IP datagram whose destination is the router itself, it will start a timer. If the timer times out before all the fragments of the datagram are received, the router will send a “reassembly timeout” ICMP error packet.

3.      Sending ICMP destination unreachable packets

If the router receives an IP packet whose destination is unreachable, it drops the packet and sends an ICMP destination unreachable error packet to the source.

Conditions for sending this ICMP packet:

¡  If neither a route nor the default route for forwarding a packet is available, the router will send a “network unreachable” ICMP error packet.

¡  If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local router, the router sends a “protocol unreachable” ICMP error packet to the source.

¡  When receiving a packet whose destination is local and whose transport layer protocol is UDP, if no process is listening on the packet’s destination port, the router sends the source a “port unreachable” ICMP error packet.

¡  If the source uses “strict source routing" to send packets, but the intermediate router finds the next hop specified by the source is not directly connected, the router will send the source a “source routing failure” ICMP error packet.

¡  When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has been set “Don’t Fragment”, the router will send the source a “fragmentation needed and Don’t Fragment (DF)-set” ICMP error packet.

Disadvantages of sending ICMP error packets

Although sending ICMP error packets facilitates network control and management, it still has the following disadvantages:

·           Sending a lot of ICMP packets will increase network traffic.

·           If the router receives a large number of malicious packets that make it generate ICMP error packets, its performance is reduced.

·           As the redirection function increases the routing table size of a host, the host’s performance will be reduced if its routing table becomes very large.

·           If an attacker sends forged ICMP destination unreachable packets, end users may be affected.

To prevent such problems, you can disable the router from sending ICMP error packets.

To enable sending of ICMP error packets:

 

1. Enter system view: system-view

2. Enable sending of ICMP redirect packets: ip redirects enable (disabled by default)

3. Enable sending of ICMP timeout packets: ip ttl-expires enable (disabled by default)

4. Enable sending of ICMP destination unreachable packets: ip unreachables enable (disabled by default)

 

 

NOTE:

·       On SPC cards, you can enable sending of ICMP redirect packets only on VLAN interfaces.

·       The router stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is disabled. However, “reassembly timeout” error packets will be sent normally.

 

Enabling support for ICMP extensions

Introduction

Generally, ICMP messages are of a fixed format and cannot carry extension information. With support for ICMP extensions enabled, a router appends an extension information field to the ICMP messages as needed. Currently, the router can append only MPLS label information to ICMP messages.

ICMP extensions for MPLS

In MPLS networks, when a packet's TTL expires, the router strips the MPLS header, encapsulates the remaining datagram in an ICMP time exceeded message, and sends the message to the egress router of the MPLS tunnel. The egress router then sends the message back to the ingress router of the tunnel. The ICMP message, however, does not contain the label information that matters most to the ingress router. With support for ICMP extensions enabled, the router appends the MPLS label to the ICMP time exceeded message before it is sent back to the ingress router of the tunnel.

ICMP extensions are usually used for an enhanced traceroute implementation in MPLS networks, in which MPLS label information of each hop the original datagram arrives at is printed.

Handling ICMP messages

ICMP messages can be classified into three types:

·           Common ICMP messages: Without any extension information.

·           Extended ICMP messages with a length field: Carry extension information and a length field. The length field indicates the length of the original datagram that is encapsulated within the ICMP header and excludes the ICMP extension length. Such an ICMP message complies with RFC 4884.

·           Extended ICMP messages without a length field: Carry extension information but do not contain a length field. Such an ICMP message does not comply with RFC 4884.

Based on how these messages are handled, the router can work in one of these modes: common mode, compliant mode, and non-compliant mode. Table 1 shows how ICMP messages are handled in different working modes.

Table 1 Handling ICMP messages

·           Common mode: sends common ICMP messages and receives common ICMP messages. Extension information in extended ICMP messages is not processed.

·           Compliant mode: sends common ICMP messages and extended ICMP messages with a length field; receives common ICMP messages and extended ICMP messages with a length field. Extended ICMP messages without a length field are handled as common ICMP messages.

·           Non-compliant mode: sends common ICMP messages and extended ICMP messages without a length field; receives all three types of ICMP messages.

 

 

NOTE:

ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages, IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.

 

Configuration procedure

To enable support for ICMP extensions:

 

1. Enter system view: system-view

2. Enable support for ICMP extensions in compliant mode: ip icmp-extensions compliant (optional; disabled by default)

3. Enable support for ICMP extensions in non-compliant mode: ip icmp-extensions non-compliant (optional; disabled by default)

Use either step 2 or step 3; the router works in one of the three modes at a time.

 

 

NOTE:

After support for ICMP extensions is disabled, no ICMP message sent by the router contains extension information.

 

Enabling ICMP flow control

If a large number of ICMP packets are delivered to the CPU for processing, processing of other services is affected. To prevent this, you can enable ICMP flow control.

To enable ICMP flow control:

 

1. Enter system view: system-view

2. Enable ICMP flow control: ip icmp flow-control (disabled by default)
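The following Python script is an added example (not part of this configuration guide and not H3C code) that turns the points made in the directed-broadcast section and in the ICMP sections into an audit of a saved configuration. It parses a constructed Comware-style configuration snippet embedded in the script, computes the directed broadcast address of every interface that has ip forward-broadcast enabled, and reports interfaces that are not on an explicit allowlist (the UDP Helper or Wake on LAN cases), ICMP redirects being enabled, and ICMP flow control being absent. The configuration layout it expects (one-space indentation, # between views), the allowlist parameter and the severity labels are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed Comware-style configuration (not captured from a device). It uses
# the commands from this guide; GigabitEthernet3/1/3 stands in for an interface
# where UDP Helper legitimately needs directed broadcasts.
SAMPLE_CONFIG = """\
#
 ip redirects enable
 ip unreachables enable
#
interface GigabitEthernet3/1/1
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet3/1/2
 ip address 2.2.2.2 255.255.255.0
 ip forward-broadcast
#
interface GigabitEthernet3/1/3
 ip address 10.0.0.1 255.255.255.0
 ip forward-broadcast
#
"""

# Primary address only: a trailing 'sub' (secondary address) does not match.
ADDR_RE = re.compile(r"ip address (\S+) (\S+)$")


@dataclass
class Interface:
    name: str
    address: Optional[ipaddress.IPv4Interface] = None
    forward_broadcast: bool = False

    def directed_broadcast(self) -> Optional[ipaddress.IPv4Address]:
        """The address an attacker would target: network ID plus all-ones host ID."""
        return self.address.network.broadcast_address if self.address else None


@dataclass
class RouterConfig:
    system: Set[str] = field(default_factory=set)            # commands in system view
    interfaces: Dict[str, Interface] = field(default_factory=dict)


def parse_config(text: str) -> RouterConfig:
    """Minimal parser (assumed layout): '#' lines separate views, 'interface X' opens
    interface view, indented lines belong to the current view (system view when none)."""
    cfg = RouterConfig()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = cfg.interfaces.setdefault(name, Interface(name))
            continue
        if current is None:
            cfg.system.add(line)
            continue
        m = ADDR_RE.match(line)
        if m:  # accepts both 'a.b.c.d 255.255.255.0' and 'a.b.c.d 24'
            current.address = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line.startswith("ip forward-broadcast"):
            current.forward_broadcast = True
    return cfg


def audit(cfg: RouterConfig, allowed_broadcast_ifaces: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the settings discussed in this guide."""
    allowed = allowed_broadcast_ifaces or set()
    findings: List[Tuple[str, str]] = []
    for itf in cfg.interfaces.values():
        if itf.forward_broadcast and itf.name not in allowed:
            findings.append(("HIGH",
                f"{itf.name}: forwards directed broadcasts to {itf.directed_broadcast()}; "
                "every host on that segment answers a single spoofed packet (Smurf-style "
                "amplification). Remove 'ip forward-broadcast' unless UDP Helper or "
                "Wake on LAN requires it."))
    if "ip redirects enable" in cfg.system:
        findings.append(("MEDIUM",
            "ICMP redirects are enabled (off by default): they cost router CPU and grow "
            "host routing tables; disable unless hosts on the segment rely on them."))
    if "ip icmp flow-control" not in cfg.system:
        findings.append(("MEDIUM",
            "ICMP flow control is off (default): an ICMP flood delivered to the CPU can "
            "starve other services; add 'ip icmp flow-control'."))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_config(SAMPLE_CONFIG),
                                   allowed_broadcast_ifaces={"GigabitEthernet3/1/3"}):
        print(f"[{severity}] {message}")
```

Run against the embedded sample, the audit reports GigabitEthernet3/1/2 (directed broadcasts to 2.2.2.255 with no documented need), the enabled redirects, and the missing flow control, while the allowlisted UDP Helper interface passes. Feed it the output of display current-configuration to check a real device.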

 

Displaying and maintaining IP performance optimization

 

·           Display the current TCP connection state: display tcp status [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Display TCP connection statistics: display tcp statistics [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Display UDP statistics: display udp statistics [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Display statistics of IP packets: display ip statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Display ICMP statistics: display icmp statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Display socket information: display ip socket [ socktype sock-type ] [ task-id socket-id ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Display FIB information: display fib [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } string | acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Display FIB forwarding information matching the specified destination IP address: display fib [ vpn-instance vpn-instance-name ] ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ] (available in any view)

·           Clear statistics of IP packets: reset ip statistics [ slot slot-number ] (available in user view)

·           Clear statistics of TCP connections: reset tcp statistics (available in user view)

·           Clear statistics of UDP flows: reset udp statistics (available in user view)