When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in:
- IP Addressing Overview
- Configuring IP Addresses
- Displaying and Maintaining IP Addressing
1.1 IP Addressing Overview
This section covers these topics:
- IP Address Classes
- Special Case IP Addresses
- Subnetting and Masking
1.1.1 IP Address Classes
IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary. To make 32-bit IP addresses easier to read, they are written in dotted decimal notation as four octets, for example, 10.1.1.1 for the address just mentioned.
Each IP address breaks down into two parts:
- Net-id: First several bits of the IP address defining a network, also known as class bits.
- Host-id: Identifies a host on a network.
For ease of administration, IP addresses are divided into five classes. Which class an IP address belongs to depends on the first one to four bits of the net-id, as shown in the following figure (in which the blue parts represent the address class).

Figure 1-1 IP address classes
Table 1-1 describes the address ranges of these five classes. Currently, the first three classes of IP addresses are widely used.
Table 1-1 IP address classes and ranges
| Class | Address range | Description |
|---|---|---|
| A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link. |
| B | 128.0.0.0 to 191.255.255.255 | –– |
| C | 192.0.0.0 to 223.255.255.255 | –– |
| D | 224.0.0.0 to 239.255.255.255 | Multicast address. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255. |
1.1.2 Special Case IP Addresses
The following IP addresses are for special
use, and they cannot be used as host IP addresses:
- IP address with an all-zero net ID: Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.
- IP address with an all-zero host ID: Identifies a network.
- IP address with an all-one host ID: Identifies a directed broadcast address. For example, a packet with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network 192.168.1.0.
Subnetting was developed to address the risk of IP address exhaustion resulting from fast expansion of the Internet. The idea is to break a network down into smaller networks called subnets by using some bits of the host-id to create a subnet-id. To identify the boundary between the host-id and the combination of net-id and subnet-id, masking is used. (When subnetting is not adopted, a mask identifies the boundary between the net-id and the host-id.)
Each subnet mask comprises 32 bits related
to the corresponding bits in an IP address. In a subnet mask, the part
containing consecutive ones identifies the combination of net-id and subnet-id
whereas the part containing consecutive zeros identifies the host-id.
Figure 1-2 shows how a
Class B network is subnetted.

Figure 1-2 Subnet a Class B network
While allowing you to create multiple
logical networks within a single Class A, B, or C network, subnetting is
transparent to the rest of the Internet. All these networks still appear as
one. As subnetting adds an additional level, subnet-id, to the two-level
hierarchy with IP addressing, IP routing now involves three steps: delivery to
the site, delivery to the subnet, and delivery to the host.
In the absence of subnetting, some special addresses, such as the addresses with the net-id of all zeros and the addresses with the host-id of all ones, are not assignable to hosts. The same is true of subnetting. When designing your network, you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts. For example, a Class B network can accommodate 65,534 (2^16 – 2) hosts before being subnetted. Of the two deducted Class B addresses, the one with an all-one host-id is the broadcast address and the one with an all-zero host-id is the network address. After you break the network down into 512 (2^9) subnets by using the first 9 bits of the host-id for the subnet, you have only 7 bits for the host-id and thus only 126 (2^7 – 2) hosts in each subnet. The maximum number of hosts is thus 64,512 (512 × 126), 1022 fewer than before the network was subnetted.
Class A, B, and C networks, before being
subnetted, use these default masks (also called natural masks): 255.0.0.0,
255.255.0.0, and 255.255.255.0 respectively.
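The subnetting arithmetic above, as an added Python example (not part of the original manual): subnet_plan reproduces the Class B figures, and host_role identifies the network and directed broadcast addresses that cannot be assigned to hosts. The function names are illustrative assumptions.

```python
import ipaddress

# Natural (default) prefix lengths for Class A, B and C networks.
NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr):
    """Return the class (A-E) from the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for cls, upper in (("A", 127), ("B", 191), ("C", 223), ("D", 239)):
        if first_octet <= upper:
            return cls
    return "E"


def subnet_plan(network, subnet_bits):
    """Split a classful network using `subnet_bits` bits of its host-id."""
    cls = address_class(network)
    if cls not in NATURAL_PREFIX:
        raise ValueError(f"class {cls} addresses are not subnetted")
    natural = NATURAL_PREFIX[cls]
    host_bits = 32 - natural - subnet_bits
    if subnet_bits < 1 or host_bits < 2:
        raise ValueError("need at least 1 subnet bit and 2 host bits")
    # Two addresses are deducted per (sub)network: the all-zero host-id
    # (network address) and the all-one host-id (broadcast address).
    hosts_before = 2 ** (32 - natural) - 2
    hosts_per_subnet = 2 ** host_bits - 2
    subnets = 2 ** subnet_bits
    mask = ipaddress.IPv4Network(f"{network}/{natural + subnet_bits}").netmask
    return {
        "class": cls,
        "mask": str(mask),
        "subnets": subnets,
        "hosts_per_subnet": hosts_per_subnet,
        "hosts_total": subnets * hosts_per_subnet,
        "hosts_lost": hosts_before - subnets * hosts_per_subnet,
    }


def host_role(addr, mask):
    """Classify an address in its subnet: network, directed broadcast or host."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    if iface.ip == iface.network.network_address:
        return "network"
    if iface.ip == iface.network.broadcast_address:
        return "directed broadcast"
    return "host"


if __name__ == "__main__":
    print(subnet_plan("172.16.0.0", 9))  # constructed Class B network
    print(host_role("192.168.1.255", "255.255.255.0"))
    print(host_role("172.16.1.1", "255.255.255.0"))
```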
1.2 Configuring IP Addresses
Besides directly assigning an IP address to
an interface, you may configure the interface to obtain one through BOOTP or
DHCP as alternatives. If you change the way an interface obtains an IP address,
from manual assignment to BOOTP for example, the IP address obtained from BOOTP
will overwrite the old one manually assigned.
This chapter only covers how to assign an IP address manually. For
other approaches, refer to DHCP Configuration.
This section includes:
- Assigning an IP Address to an Interface
- IP Addressing Configuration Example
1.2.1 Assigning an IP Address to an Interface
You may assign an
interface multiple IP addresses, one primary and multiple secondaries, to
connect multiple logical subnets on the same physical subnet.
Follow these steps to assign an IP address
to an interface:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | –– |
| Enter interface view | interface interface-type interface-number | –– |
| Assign an IP address to the interface | ip address ip-address { mask \| mask-length } [ sub ] | Required. No IP address is assigned by default. |
Caution:
- The primary IP address you assign to the interface overwrites the old one, if there is one.
- An interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DHCP.
- The primary and secondary IP addresses you assign to the interface can be located on the same network segment. However, this should not violate the rule that different physical interfaces on your device must reside on different network segments.
1.2.2 IP Addressing Configuration Example
I. Network requirements
As shown in Figure 1-3, VLAN-interface 1 on Switch is
connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.
To enable the hosts on the two network
segments to access the external network through the switch, and enable the
hosts on the two network segments to communicate with each other, do the
following:
- Assign a primary IP address and a secondary IP address to VLAN-interface 1 on the switch.
- Set the switch as the gateway on all hosts.
II. Network diagram

Figure 1-3 Network diagram for IP addressing configuration
III. Configuration procedure
# Assign a primary IP address and a secondary IP address to VLAN-interface 1.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24.
# Use the ping command to verify the connectivity between the switch and the hosts on the subnet 172.16.1.0/24.
<Switch> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
The information shown above indicates the
switch can communicate with the hosts on the subnet 172.16.1.0/24.
# Use the ping command to verify the
connectivity between the switch and the hosts on the subnet 172.16.2.0/24.
<Switch> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
The information shown above indicates the switch can communicate
with the hosts on the subnet 172.16.2.0/24.
# Use the ping command to verify the
connectivity between hosts on the subnet 172.16.1.0/24 and hosts on subnet
172.16.2.0/24. Ping Host B on Host A to verify that the ping operation is
successful.
1.3 Displaying and Maintaining IP Addressing
| To do… | Use the command… | Remarks |
|---|---|---|
| Display information about a specified or all Layer 3 interfaces | display ip interface [ interface-type interface-number ] | Available in any view |
| Display brief information about a specified or all Layer 3 interfaces | display ip interface brief [ interface-type interface-number ] | Available in any view |
When configuring IP performance, go to these sections for information you are interested in:
- IP Performance Overview
- Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network
- Configuring TCP Attributes
- Configuring ICMP to Send Error Packets
- Displaying and Maintaining IP Performance
2.1 IP Performance Overview
In some network environments, you need to
adjust the IP parameters to achieve best network performance. IP performance
configuration includes:
- Enabling the device to receive and forward directed broadcasts
- Configuring the maximum TCP segment size (MSS) of the interface
- Configuring TCP timers
- Configuring the TCP buffer size
- Enabling ICMP error packets sending
2.2 Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network
Directed broadcasts refer to broadcast
packets sent to a specific network. In the destination IP address of a directed
broadcast, the network ID is a network-specific number and the host ID is all
ones. Enabling the device to receive and forward directed broadcasts to a
directly connected network will give hackers an opportunity to attack the
network. Therefore, the device is disabled from receiving and forwarding
directed broadcasts by default. You should however enable the feature when:
- Using the UDP Helper function to convert broadcasts to unicasts and forward them to a specified server.
- Using the Wake on LAN function to forward directed broadcasts to a PC on the remote network.
If a device is enabled to receive directed
broadcasts, the device will determine whether to forward them according to the
configuration on the outgoing interface.
Follow these steps to enable the device to
receive directed broadcasts:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable the device to receive directed broadcasts | ip forward-broadcast | Required. By default, the device is disabled from receiving directed broadcasts. |
Follow these steps to enable the device to
forward directed broadcasts:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Enable the interface to forward directed broadcasts | ip forward-broadcast [ acl acl-number ] | Required. By default, the device is disabled from forwarding directed broadcasts. |
- You can reference an ACL to forward only directed broadcasts permitted by the ACL.
- If you execute the ip forward-broadcast acl command on an interface repeatedly, the last execution overwrites the previous one. If the command executed last time does not include the acl acl-number, the ACL configured previously will be removed.
2.2.3 Configuration Example
I. Network requirements
As shown in Figure 2-1, the host’s interface and VLAN-interface 3 of Switch A are on the same network segment (1.1.1.0/24). VLAN-interface 2 of Switch A and VLAN-interface 2 of Switch B are on another network segment (2.2.2.0/24). The default gateway of the host is VLAN-interface 3 (IP address 1.1.1.2/24) of Switch A. Configure a static route on Switch B to enable the reachability between host and Switch B.
II. Network diagram

Figure 2-1 Network diagram for receiving and forwarding directed broadcasts
III. Configuration procedure
- Configure Switch A
# Enable Switch A to receive directed broadcasts.
<SwitchA> system-view
[SwitchA] ip forward-broadcast
# Configure IP addresses for VLAN-interface 3 and VLAN-interface 2.
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 1.1.1.2 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24
# Enable VLAN-interface 2 to forward directed broadcasts.
[SwitchA-Vlan-interface2] ip forward-broadcast
- Configure Switch B
# Enable Switch B to receive directed broadcasts.
<SwitchB> system-view
[SwitchB] ip forward-broadcast
# Configure a static route to the host.
[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 2.2.2.1 24
After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of VLAN-interface 2 of Switch A on the host, the ping packets can be received by VLAN-interface 2 of Switch B. However, if you disable the ip forward-broadcast command, the ping packets cannot be received by VLAN-interface 2 of Switch B.
2.3 Configuring TCP Attributes
2.3.1 Configuring TCP Optional Parameters
TCP optional parameters that can be configured include:
- synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packets are received within the synwait timer timeout, the TCP connection is not successfully created.
- finwait timer: When the TCP connection is in FIN_WAIT_2 state, finwait timer will be started. If no FIN packets are received within the timer timeout, the TCP connection will be terminated. If FIN packets are received, the TCP connection state changes to TIME_WAIT. If non-FIN packets are received, the system restarts the timer from receiving the last non-FIN packet. The connection is broken after the timer expires.
- Size of TCP receive/send buffer
Follow these steps to configure TCP
optional parameters:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure TCP synwait timer’s timeout value | tcp timer syn-timeout time-value | Optional. By default, the timeout value is 75 seconds. |
| Configure TCP finwait timer’s timeout value | tcp timer fin-timeout time-value | Optional. By default, the timeout value is 675 seconds. |
| Configure the size of TCP receive/send buffer | tcp window window-size | Optional. By default, the buffer is 8 kilobytes. |
Caution:
The actual length of the finwait timer is determined by the following formula:
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer
2.4 Configuring ICMP to Send Error Packets
Sending error packets is a major function of the ICMP protocol. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management.
I. Advantage of sending ICMP error packets
There are three kinds of ICMP error packets: redirect packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.
1) Sending ICMP redirect packets
A host may have only a default route to the
default gateway in its routing table after startup. The default gateway will
send ICMP redirect packets to the source host and notify it to reselect a
correct next hop router to send the subsequent packets, if the following
conditions are satisfied:
- The receiving and forwarding interfaces are the same.
- The selected route has not been created or modified by ICMP redirect packet.
- The selected route is not the default route of the device.
- There is no source route option in the packet.
The ICMP redirect function simplifies host administration and enables a host to gradually establish a sound routing table for finding the best route.
2) Sending ICMP timeout packets
If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source.
The device will send an ICMP timeout packet under the following conditions:
- If the device finds the destination of a packet is not itself and the TTL field of the packet is 1, it will send a “TTL timeout” ICMP error message.
- When the device receives the first fragment of an IP datagram whose destination is the device itself, it will start a timer. If the timer times out before all the fragments of the datagram are received, the device will send a “reassembly timeout” ICMP error packet.
3) Sending ICMP destination unreachable packets
If the device receives an IP packet with
the destination unreachable, it will drop the packet and send an ICMP
destination unreachable error packet to the source.
Conditions for sending this ICMP packet:
- If neither a route nor the default route for forwarding a packet is available, the device will send a “network unreachable” ICMP error packet.
- If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source.
- When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet’s port number does not match the running process, the device will send the source a “port unreachable” ICMP error packet.
- If the source uses “strict source routing” to send packets, but the intermediate device finds the next hop specified by the source is not directly connected, the device will send the source a “source routing failure” ICMP error packet.
- When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has been set “Don’t Fragment”, the device will send the source a “fragmentation needed and Don’t Fragment (DF)-set” ICMP error packet.
II. Disadvantage of sending ICMP error packets
Although sending ICMP error packets facilitates network control and management, it still has the following disadvantages:
- Sending a lot of ICMP packets will increase network traffic.
- If receiving a lot of malicious packets that cause it to send ICMP error packets, the device’s performance will be reduced.
- As the redirection function increases the routing table size of a host, the host’s performance will be reduced if its routing table becomes very large.
- If a host sends malicious ICMP destination unreachable packets, end users may be affected.
To prevent such problems, you can disable
the device from sending ICMP error packets.
Follow these steps to disable sending ICMP
error packets:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Disable sending ICMP redirection packets | undo ip redirects | Required. Enabled by default. |
| Disable sending ICMP timeout packets | undo ip ttl-expires | Required. Enabled by default. |
| Disable sending ICMP destination unreachable packets | undo ip unreachables | Required. Enabled by default. |
- The device stops sending “network unreachable” and “source route failure” ICMP error packets after sending ICMP destination unreachable packets is disabled. However, other destination unreachable packets can be sent normally.
- The device stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is disabled. However, “reassembly timeout” error packets will be sent normally.
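A defensive check for the settings described in sections 2.2 and 2.4, as an added Python example (not the vendor's code): it reads a saved configuration and reports where directed broadcasts are received or forwarded without an ACL, and which ICMP error packets are still sent by default. The saved-configuration layout ("#" separators, unindented interface headers), the sample text and ACL number 2000 are assumptions.

```python
import re

FWD = re.compile(r"ip forward-broadcast(?:\s+acl\s+(\d+))?$")
ICMP_UNDO = {
    "undo ip redirects": "ICMP redirect",
    "undo ip ttl-expires": "ICMP timeout",
    "undo ip unreachables": "ICMP destination unreachable",
}

# Constructed sample configuration (layout and ACL number are assumptions).
SAMPLE = """\
#
 ip forward-broadcast
 undo ip redirects
#
interface Vlan-interface2
 ip address 2.2.2.2 255.255.255.0
 ip forward-broadcast
#
interface Vlan-interface3
 ip address 1.1.1.2 255.255.255.0
 ip forward-broadcast acl 2000
#
"""


def parse(config_text):
    """Split the text into system-view commands and per-interface commands."""
    global_cmds, ifaces, current = [], {}, None
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd == "#":                       # section separator
            current = None
        elif raw.startswith("interface "):   # unindented section header
            current = cmd.split(None, 1)[1]
            ifaces[current] = []
        elif current is None:
            global_cmds.append(cmd)
        else:
            ifaces[current].append(cmd)
    return global_cmds, ifaces


def audit(config_text):
    """Return (severity, scope, message) tuples for broadcast and ICMP settings."""
    global_cmds, ifaces = parse(config_text)
    receive = "ip forward-broadcast" in global_cmds
    findings = []
    if receive:
        findings.append(("INFO", "system", "device receives directed broadcasts"))
    for name, cmds in ifaces.items():
        for m in filter(None, map(FWD.match, cmds)):
            if not receive:   # forwarding is decided only after reception
                msg = ("INFO", "forwarding configured but reception is disabled")
            elif m.group(1):
                msg = ("INFO", f"forwards directed broadcasts permitted by ACL {m.group(1)}")
            else:
                msg = ("WARN", "forwards all directed broadcasts (no ACL)")
            findings.append((msg[0], name, msg[1]))
    for undo, kind in ICMP_UNDO.items():
        if undo not in global_cmds:          # sending is enabled by default
            findings.append(("INFO", "system", f"{kind} packets are sent (default)"))
    return findings
```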
2.5 Displaying and Maintaining IP Performance
| To do… | Use the command… | Remarks |
|---|---|---|
| Display current TCP connection state | display tcp status | Available in any view |
| Display TCP connection statistics | display tcp statistics | Available in any view |
| Display UDP statistics | display udp statistics | Available in any view |
| Display IP packets statistics | display ip statistics | Available in any view |
| Display ICMP flows statistics | display icmp statistics | Available in any view |
| Display socket information | display ip socket [ socktype sock-type ] [ task-id socket-id ] | Available in any view |
| Display FIB forward information | display fib [ \| { begin \| include \| exclude } string \| acl acl-number \| ip-prefix ip-prefix-name ] | Available in any view |
| Display FIB forward information matching the specified destination IP address | display fib ip-address1 [ { mask1 \| mask-length1 } [ ip-address2 { mask2 \| mask-length2 } \| longer ] \| longer ] | Available in any view |
| Display statistics about the FIB items | display fib statistics | Available in any view |
| Clear statistics of IP packets | reset ip statistics | Available in user view |
| Clear statistics of TCP connections | reset tcp statistics | Available in user view |
| Clear statistics of UDP flows | reset udp statistics | Available in user view |