05-Layer 3 - IP Services Configuration Guide

07-IP performance optimization configuration

A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation.

NOTE:

The device operates in IRF or standalone (the default) mode. For information about IRF mode, see IRF Configuration Guide.

Enabling an interface to receive and forward directed broadcasts destined for the directly connected network

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

If an interface is allowed to forward directed broadcasts destined for the directly connected network, attackers can exploit this behavior to attack the hosts on the target network. In some scenarios, however, an interface must receive and send such directed broadcast packets to support UDP helper and Wake on LAN.

This task enables an interface to accept directed broadcast packets that are destined for and received from the directly connected network to support UDP helper, which converts the directed broadcasts to unicasts and forwards them to a specific server.

The task also enables the interface to forward directed broadcast packets that are destined for the directly connected network and are received from another subnet to support Wake on LAN, which sends the directed broadcasts to wake up the hosts on the target network.

Configuration procedure

CAUTION:

The link and link protocol of an interface must be up before the interface forwards directed broadcasts.

To enable an interface to receive and forward directed broadcasts destined for the directly connected network:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Enable the interface to receive and forward directed broadcasts destined for the directly connected network. | ip forward-broadcast | By default, an interface cannot forward directed broadcasts destined for the directly connected network. It can receive directed broadcasts destined for the directly connected network.

Configuration example

Network requirements

As shown in Figure 1, the default gateway of the host is the IP address 1.1.1.2/24 of VLAN-interface 3 of Switch A.

Switch B can receive directed broadcasts from the host to IP address 2.2.2.255.

Figure 1 Network diagram

 

Configuration procedure

1. Configure Switch A:

# Configure IP addresses for VLAN-interface 3 and VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 1.1.1.2 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24

# Enable VLAN-interface 2 to forward directed broadcasts destined for the directly connected network.
[SwitchA-Vlan-interface2] ip forward-broadcast

2. Configure Switch B:

# Configure a static route to the host.
<SwitchB> system-view
[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2

# Configure an IP address for VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 2.2.2.1 24

# Enable VLAN-interface 2 to receive directed broadcasts destined for the directly connected network.
[SwitchB-Vlan-interface2] ip forward-broadcast

After the configuration, if you ping the subnet-directed broadcast address 2.2.2.255 from the host, VLAN-interface 2 of Switch B receives the ping packets. If you remove the ip forward-broadcast configuration on either switch, the interface no longer receives the ping packets.
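As an added example (not part of the H3C guide), the following Python model computes the directed broadcast address of each connected network of Switch A from the example above and applies the rule the guide states: a directed broadcast that arrives from another subnet is forwarded out the target interface only when ip forward-broadcast is configured there. The interface table, the function names and the assumption that a packet enters on the interface connected to its source subnet are constructed for this example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed interface table for Switch A from the configuration example:
# name -> (address/prefix, whether "ip forward-broadcast" is configured).
SWITCH_A: Dict[str, Tuple[str, bool]] = {
    "Vlan-interface3": ("1.1.1.2/24", False),
    "Vlan-interface2": ("2.2.2.2/24", True),
}

def directed_broadcast(cidr: str) -> str:
    """Directed broadcast of a prefix: the network ID with all host bits set to one."""
    return str(ipaddress.ip_interface(cidr).network.broadcast_address)

def ingress_interface(ifaces: Dict[str, Tuple[str, bool]], src: str) -> Optional[str]:
    """Assumption of the example: a packet enters on the interface whose subnet holds its source."""
    for name, (cidr, _) in ifaces.items():
        if ipaddress.ip_address(src) in ipaddress.ip_interface(cidr).network:
            return name
    return None

def handle(ifaces: Dict[str, Tuple[str, bool]], src: str, dst: str) -> str:
    """Apply the guide's rule to one packet and return the action taken."""
    target = next((n for n, (c, _) in ifaces.items() if directed_broadcast(c) == dst), None)
    if target is None:
        return "unicast: forward by routing table"
    if ingress_interface(ifaces, src) == target:
        # Destined for and received from the directly connected network:
        # the guide's remark for step 3 says receiving is allowed by default.
        return f"receive on {target}"
    # Received from another subnet: forwarding needs ip forward-broadcast on the target interface.
    _, forward_enabled = ifaces[target]
    if forward_enabled:
        return f"forward out {target} as directed broadcast"
    return f"drop: ip forward-broadcast not configured on {target}"

def without_forward_broadcast(ifaces: Dict[str, Tuple[str, bool]], name: str) -> Dict[str, Tuple[str, bool]]:
    """Copy of the table with ip forward-broadcast removed on one interface."""
    cidr, _ = ifaces[name]
    return {**ifaces, name: (cidr, False)}
```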

Configuring MTU for an interface

When a packet exceeds the MTU of the output interface, the device processes it in one of the following ways:

·           If the packet disallows fragmentation, the device discards it.

·           If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU for an interface based on the network environment to avoid fragmentation.

To configure an MTU for an interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure an MTU for the interface. | ip mtu mtu-size | By default, no MTU is configured.

Configuring TCP MSS for an interface

The maximum segment size (MSS) option informs the peer of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the data to be sent does not exceed the receiver's MSS, TCP sends it as a single segment; otherwise, TCP splits the data into segments no larger than the receiver's MSS.

If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

This configuration takes effect only for TCP connections established after the configuration rather than the TCP connections that already exist.

This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not configure the TCP MSS on the interface.

To configure a TCP MSS for the interface:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Configure a TCP MSS for the interface. | tcp mss value | By default, the TCP MSS is 1460 bytes.

Configuring TCP path MTU discovery

IMPORTANT:

All devices on the path of a TCP connection must be enabled to send ICMP error messages by using the ip unreachables enable command.

TCP path MTU discovery (RFC 1191) discovers the path MTU between the source and destination ends of a TCP connection. It works as follows:

1. A TCP source device sends a packet with the Don't Fragment (DF) bit set.

2. A router that cannot forward the packet because it exceeds the MTU of the outgoing interface discards the packet and returns an ICMP error message that carries the MTU of that outgoing interface.

3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.

4. The TCP source device sends subsequent TCP segments that are each no larger than the MSS (MSS = path MTU – IP header length – TCP header length).

If the TCP source device still receives ICMP error messages once the MSS has reached its 32-byte minimum, it fragments the packets instead.

An ICMP error message from a router that does not support RFC 1191 carries an outgoing-interface MTU of 0. On receiving such a message, the TCP source device selects the next MTU smaller than the current path MTU from the MTU table described in RFC 1191 and calculates the TCP MSS from it. The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, and 65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU is 72 bytes (32 bytes of MSS plus the 20-byte IP and 20-byte TCP headers).

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS so that IP fragmentation is avoided.

Path MTU aging makes sure that the source device can increase the path MTU again when the minimum link MTU on the path increases:

·           When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an age timer for the path MTU.

·           After the age timer expires, the source device uses the next larger MSS from the MTU table described in RFC 1191.

·           If no ICMP error message is received within two minutes, the source device increases the MSS again, until the MSS reaches the value negotiated during the TCP three-way handshake.
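The discovery and aging behaviour described above, as an added Python model that is not code from the H3C guide or the device: it uses the guide's RFC 1191 MTU table, the MSS formula, the 32-byte minimum MSS, and the fallback for a zero next-hop MTU. The class name, the constructed ICMP inputs and the tick-driven age timer are assumptions of this example.

```python
# RFC 1191 MTU plateau table as listed in the guide (bytes).
MTU_TABLE = [68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, 65535]
IP_HDR, TCP_HDR = 20, 20
MIN_MSS = 32                    # system minimum MSS; 32 + 20 + 20 = 72-byte minimum MTU

class PathMtuState:
    """Per-connection path MTU state of the TCP source device (constructed example)."""

    def __init__(self, negotiated_mss: int, age_time: int = 120):
        self.negotiated_mss = negotiated_mss   # MSS from the three-way handshake
        self.mss = negotiated_mss
        self.age_time = age_time               # seconds before trying a larger MTU
        self.age_timer = None                  # seconds left; None when not running

    @property
    def path_mtu(self) -> int:
        return self.mss + IP_HDR + TCP_HDR

    def on_icmp_frag_needed(self, next_hop_mtu: int) -> int:
        """Handle 'Fragmentation Needed and DF-set'. A next-hop MTU of 0 comes from a
        router without RFC 1191 support: fall back to the next smaller table entry."""
        if next_hop_mtu == 0:
            smaller = [m for m in MTU_TABLE if m < self.path_mtu]
            new_mtu = smaller[-1] if smaller else MTU_TABLE[0]
        else:
            new_mtu = min(next_hop_mtu, self.path_mtu)
        # MSS = path MTU - IP header - TCP header, never below the 32-byte floor.
        self.mss = max(new_mtu - IP_HDR - TCP_HDR, MIN_MSS)
        self.age_timer = self.age_time         # start aging after every reduction
        return self.mss

    def must_fragment(self, next_hop_mtu: int) -> bool:
        """True when the reported MTU would need an MSS below the floor: TCP stops
        relying on DF and lets IP fragment instead."""
        return next_hop_mtu != 0 and next_hop_mtu - IP_HDR - TCP_HDR < MIN_MSS

    def tick(self, seconds: int) -> int:
        """Advance the age timer. On expiry, step up to the next larger table entry,
        capped at the negotiated MSS; keep stepping every age_time until capped."""
        if self.age_timer is None:
            return self.mss
        self.age_timer -= seconds
        if self.age_timer <= 0:
            larger = [m for m in MTU_TABLE if m > self.path_mtu]
            if larger:
                self.mss = min(larger[0] - IP_HDR - TCP_HDR, self.negotiated_mss)
            if self.mss >= self.negotiated_mss:
                self.age_timer = None          # back at the handshake MSS: stop
            else:
                self.age_timer = self.age_time
        return self.mss
```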

To enable TCP path MTU discovery:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable TCP path MTU discovery. | tcp path-mtu-discovery [ aging age-time | no-aging ] | The default setting is disabled.

Enabling TCP SYN Cookie

A TCP connection is established through a three-way handshake:

1.      The sender sends a SYN packet to the server.

2.      The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3.      The sender receives the SYN ACK packet and replies with an ACK packet. A TCP connection is established.

An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and can no longer handle normal services.

SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.
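An added Python model of the two behaviours described above, not code from the H3C guide or the device: a stateful listener that creates a semi-connection for every SYN, beside a SYN Cookie listener that keeps no state until a valid ACK arrives and verifies the ACK from the sequence number it sent. The HMAC-based cookie layout, the 64-second time bucket and the constructed addresses are assumptions of this example.

```python
import hashlib
import hmac
import time

class StatefulListener:
    """Default behaviour: every SYN creates a semi-connection in SYN_RECEIVED."""
    def __init__(self):
        self.half_open = {}      # (ip, port) -> our ISN, kept until ACK or timeout
        self.established = {}

    def on_syn(self, ip, port, client_isn):
        our_isn = hash((ip, port, client_isn)) & 0xFFFFFFFF
        self.half_open[(ip, port)] = our_isn
        return our_isn            # sequence number sent in the SYN ACK
    def on_ack(self, ip, port, client_isn, ack_num):
        our_isn = self.half_open.get((ip, port))
        if our_isn is None or ack_num != (our_isn + 1) & 0xFFFFFFFF:
            return False
        self.established[(ip, port)] = self.half_open.pop((ip, port))
        return True

class SynCookieListener:
    """SYN Cookie: the SYN ACK sequence number is a MAC over the connection tuple and
    a coarse timestamp, so the ACK is verifiable without a stored semi-connection."""
    def __init__(self, secret, now=time.monotonic):
        self.secret, self.now = secret, now
        self.half_open = {}      # stays empty by construction
        self.established = {}

    def _cookie(self, ip, port, client_isn, bucket):
        msg = f"{ip}:{port}:{client_isn}:{bucket}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 5 bits of time bucket on top, 27 bits of MAC below: fits a 32-bit ISN.
        return ((bucket & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") >> 5)
    def on_syn(self, ip, port, client_isn):
        return self._cookie(ip, port, client_isn, int(self.now()) // 64)
    def on_ack(self, ip, port, client_isn, ack_num):
        our_isn = (ack_num - 1) & 0xFFFFFFFF
        bucket = int(self.now()) // 64
        for cand in (bucket, bucket - 1):   # accept the current or the previous bucket
            if (cand & 0x1F) != our_isn >> 27:
                continue
            expected = self._cookie(ip, port, client_isn, cand).to_bytes(4, "big")
            if hmac.compare_digest(expected, our_isn.to_bytes(4, "big")):
                self.established[(ip, port)] = our_isn
                return True
        return False

def unanswered_syns(listener, count):
    """Deliver SYNs that are never acknowledged (constructed source 198.51.100.7)
    and return how many semi-connections the listener is left holding."""
    for i in range(count):
        listener.on_syn("198.51.100.7", 1024 + i, i)
    return len(listener.half_open)
```

With the same stream of unacknowledged SYNs, the stateful listener holds one semi-connection per SYN while the SYN Cookie listener holds none, which is the protection the command provides.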

To enable TCP SYN Cookie:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable SYN Cookie. | tcp syn-cookie enable | The default setting is disabled.

Configuring the TCP buffer size

To configure the TCP buffer size:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure the size of the TCP receive/send buffer. | tcp window window-size | The default buffer size is 64 KB.

Configuring TCP timers

You can configure the following TCP timers:

·           SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response packet is received within the SYN wait timer interval, TCP fails to establish the connection.

·           FIN wait timer—TCP starts the FIN wait timer when the state changes to FIN_WAIT_2. If no FIN packet is received within the timer interval, TCP terminates the connection. If a FIN packet is received, TCP changes connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer, and tears down the connection when the timer expires.

To configure TCP timers:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure TCP timers. | tcp timer syn-timeout time-value (TCP SYN wait timer); tcp timer fin-timeout time-value (TCP FIN wait timer) | By default, the TCP SYN wait timer is 75 seconds and the TCP FIN wait timer is 675 seconds.

Enabling sending ICMP error packets

Sending error packets is a major function of ICMP. Error packets are usually sent by the network or transport layer protocols to notify the source device of network failures or errors.

Functions of sending ICMP error packets

ICMP error packets include redirect, time-exceeded, and destination unreachable packets.

·           ICMP redirect packets

A host that has only one default route sends all packets to the default gateway. The default gateway sends an ICMP redirect packet to inform the host of a correct next hop when all of the following conditions are met:

    ◦  The receiving and sending interfaces are the same.

    ◦  The selected route is not created or modified by any ICMP redirect packet.

    ◦  The selected route is not destined for 0.0.0.0.

    ◦  There is no source route option in the received packet.

ICMP redirect packets simplify host management and enable hosts to gradually optimize their routing tables.

·           ICMP time-exceeded packets

A device sends ICMP time-exceeded packets by following these rules:

    ◦  If a received packet is not destined for the device and the TTL field of the packet is 1, the device sends an ICMP TTL Expired in Transit packet to the source.

    ◦  When the device receives the first fragment of an IP datagram destined for it, it starts a timer. If the timer expires before all fragments of the datagram are received, the device sends an ICMP Fragment Reassembly Timeout packet to the source.

·           ICMP destination unreachable packets

A device sends ICMP destination unreachable packets by following these rules:

    ◦  If a packet does not match any route and there is no default route in the routing table, the device sends a Network Unreachable ICMP error packet to the source.

    ◦  If a packet is destined for the device but the transport layer protocol of the packet is not supported by the device, the device sends a Protocol Unreachable ICMP error packet to the source.

    ◦  If a UDP packet is destined for the device but its destination port does not match any listening process, the device sends a Port Unreachable ICMP error packet to the source.

    ◦  If the source uses Strict Source Routing to send packets, but an intermediate device finds that the next hop specified by the source is not directly connected, the device sends a Source Routing Failure ICMP error packet to the source.

    ◦  If the packet is larger than the MTU of the sending interface and has the DF bit set, the device sends a Fragmentation Needed and DF-set ICMP error packet to the source.

Disadvantages of sending ICMP error packets

Sending ICMP error packets facilitates network control and management, but it has the following disadvantages:

·           Sending a lot of ICMP packets increases network traffic.

·           A device's performance degrades if it receives a lot of malicious packets that cause it to respond with ICMP error packets.

·           A host's performance degrades if the redirect function adds many routes to its routing table.

·           End users are affected if malicious users send many ICMP destination unreachable packets.

To prevent such problems, you can disable the device from sending ICMP error packets.

Configuration procedure

To enable sending ICMP error packets:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable sending ICMP error packets. | ip redirects enable (ICMP redirect packets); ip ttl-expires enable (ICMP time-exceeded packets); ip unreachables enable (ICMP destination unreachable packets) | The default settings are disabled.
A device disabled from sending ICMP time-exceeded packets does not send ICMP TTL Expired packets but can still send ICMP Fragment Reassembly Timeout packets.

Disabling forwarding ICMP fragments

Disabling the forwarding of ICMP fragments protects your device from attacks that use ICMP fragments.

To disable forwarding ICMP fragments:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Disable forwarding ICMP fragments. | ip icmp fragment discarding | By default, forwarding ICMP fragments is enabled.

Enabling ICMP flow control

Delivering a large number of ICMP packets to the CPU impacts the processing of other services. To prevent this situation, you can enable ICMP flow control.

To enable ICMP flow control:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable ICMP flow control. | ip icmp flow-control | The default setting is disabled.

Displaying and maintaining IP performance optimization

Execute display commands in any view and reset commands in user view.

Task | Command
Display brief information about RawIP connections (in standalone mode). | display rawip [ slot slot-number ]
Display brief information about RawIP connections (in IRF mode). | display rawip [ chassis chassis-number slot slot-number ]
Display detailed information about RawIP connections (in standalone mode). | display rawip verbose [ slot slot-number [ pcb pcb-index ] ]
Display detailed information about RawIP connections (in IRF mode). | display rawip verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]
Display brief information about TCP connections (in standalone mode). | display tcp [ slot slot-number ]
Display brief information about TCP connections (in IRF mode). | display tcp [ chassis chassis-number slot slot-number ]
Display detailed information about TCP connections (in standalone mode). | display tcp verbose [ slot slot-number [ pcb pcb-index ] ]
Display detailed information about TCP connections (in IRF mode). | display tcp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]
Display brief information about UDP connections (in standalone mode). | display udp [ slot slot-number ]
Display brief information about UDP connections (in IRF mode). | display udp [ chassis chassis-number slot slot-number ]
Display detailed information about UDP connections (in standalone mode). | display udp verbose [ slot slot-number [ pcb pcb-index ] ]
Display detailed information about UDP connections (in IRF mode). | display udp verbose [ chassis chassis-number slot slot-number [ pcb pcb-index ] ]
Display IP packet statistics (in standalone mode). | display ip statistics [ slot slot-number ]
Display IP packet statistics (in IRF mode). | display ip statistics [ chassis chassis-number slot slot-number ]
Display TCP traffic statistics (in standalone mode). | display tcp statistics [ slot slot-number ]
Display TCP traffic statistics (in IRF mode). | display tcp statistics [ chassis chassis-number slot slot-number ]
Display UDP traffic statistics (in standalone mode). | display udp statistics [ slot slot-number ]
Display UDP traffic statistics (in IRF mode). | display udp statistics [ chassis chassis-number slot slot-number ]
Display ICMP statistics (in standalone mode). | display icmp statistics [ slot slot-number ]
Display ICMP statistics (in IRF mode). | display icmp statistics [ chassis chassis-number slot slot-number ]
Clear IP packet statistics (in standalone mode). | reset ip statistics [ slot slot-number ]
Clear IP packet statistics (in IRF mode). | reset ip statistics [ chassis chassis-number slot slot-number ]
Clear TCP traffic statistics. | reset tcp statistics
Clear UDP traffic statistics. | reset udp statistics

 
