Each device interface connected to the Internet must be assigned a globally unique IP address. IP addresses are 32 bits in length and are generally expressed in dotted decimal notation. That is, an IP address can be expressed as four decimal integers separated by dots, with each integer corresponding to one byte. 10.1.1.1 is an example.
Each IP address breaks down into two parts:
- net-id: the first several bits of the IP address, defining a network; also known as class bits.
- host-id: identifies a host on a network.
For ease of administration, IP addresses are divided into five classes. Which class an IP address belongs to depends on the first one to four bits of the net-id, as shown in Figure 1-1.

Figure 1-1 IP address classes
Table 1-1 describes the address ranges of these five classes. Currently, the
first three classes of IP addresses are used in large quantities.
Table 1-1 IP address classes and ranges

| Class | Address range | Description |
|---|---|---|
| A | 0.0.0.0 to 127.255.255.255 | Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link. |
| B | 128.0.0.0 to 191.255.255.255 | –– |
| C | 192.0.0.0 to 223.255.255.255 | –– |
| D | 224.0.0.0 to 239.255.255.255 | Multicast address. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255. |

As the Internet develops rapidly, available
IP addresses are being exhausted. To make full use of available IP addresses, a
network can be divided into smaller ones (known as subnets) with subnet masks.
A network can be divided into subnets by using some bits of the host-id to
create a subnet-id. The length of the subnet-id is determined by the subnet mask.
A subnet mask is 32 bits in length and
comprises a series of consecutive ones and a series of consecutive zeros. In a
subnet mask, the part containing consecutive ones identifies the combination of
net-id and subnet-id, whereas the part containing consecutive zeros identifies
the host-id.
A subnet is significant only within a
network. From the perspective of an external network, the network has only one
net-id. A gateway performs route selection based on subnet-id and finds the
destination host only after incoming packets are received by the network.
Figure 1-2 shows how a Class B address is subnetted.

Figure 1-2 Subnetting a Class B address
Note that subnetting is a tradeoff between the number of subnets and the number of hosts accommodated. For example, a Class B network can accommodate 65,534 hosts before being subnetted. After you break it down into 64 subnets by using the first 6 bits of the host-id for the subnet, you have only 10 bits for the host-id and thus have only 1,022 (2^10 – 2) hosts in each subnet (excluding all-one broadcast addresses and all-zero network segment addresses). The maximum number of hosts is thus 64 × 1,022 = 65,408, which is 126 less than that before the network is subnetted.
Class A, B, and C networks, before being subnetted,
use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0,
and 255.255.255.0 respectively.
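
The class bits, natural masks and the Class B subnetting arithmetic above can be checked mechanically. The following Python sketch is an added example, not part of the original manual; the function names and the sample address 172.16.5.9 are chosen here for illustration.

```python
import ipaddress

# (class, number of class bits, bit pattern, natural mask length),
# consistent with the address ranges in Table 1-1
CLASSES = [("A", 1, 0b0, 8), ("B", 2, 0b10, 16), ("C", 3, 0b110, 24),
           ("D", 4, 0b1110, None), ("E", 4, 0b1111, None)]

def classify(addr: str):
    """Return (class letter, natural mask length or None) from the leading bits."""
    value = int(ipaddress.IPv4Address(addr))
    for name, nbits, pattern, natural in CLASSES:
        if value >> (32 - nbits) == pattern:
            return name, natural
    raise AssertionError("unreachable: the five patterns cover every address")

def mask_length(mask: str) -> int:
    """Length of a dotted mask; reject masks that are not ones followed by zeros."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF  # host bits become ones
    if inverted & (inverted + 1):       # non-zero unless inverted looks like 0..01..1
        raise ValueError(f"non-contiguous mask: {mask}")
    return 32 - inverted.bit_length()

def decompose(addr: str, mask: str) -> dict:
    """Split an address into net-id, subnet-id and host-id for the given mask."""
    cls, natural = classify(addr)
    if natural is None:
        raise ValueError(f"class {cls} addresses have no natural mask to subnet")
    length = mask_length(mask)
    if length < natural:
        raise ValueError("mask is shorter than the natural mask of the class")
    value = int(ipaddress.IPv4Address(addr))
    subnet_bits, host_bits = length - natural, 32 - length
    hosts = max(2 ** host_bits - 2, 0)  # minus all-zero and all-one host-ids
    return {
        "class": cls,
        "net_id": value >> (32 - natural),
        "subnet_id": (value >> host_bits) & (2 ** subnet_bits - 1),
        "host_id": value & (2 ** host_bits - 1),
        "subnets": 2 ** subnet_bits,
        "hosts_per_subnet": hosts,
        # hosts given up compared with the unsubnetted network
        "hosts_lost": (2 ** (32 - natural) - 2) - 2 ** subnet_bits * hosts,
    }

if __name__ == "__main__":
    # Class B network with 6 subnet bits, as in the example in the text
    print(decompose("172.16.5.9", "255.255.252.0"))
```
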
An interface can obtain an IP address using the following methods:
- Through manual IP address assignment
- Through BOOTP
- Through DHCP
These methods are mutually exclusive. An IP
address obtained using a new method overwrites that obtained using an old
method. For example, if you manually assign an IP address and then obtain
another IP address through BOOTP, the IP address obtained from BOOTP will overwrite
the old one manually assigned. In this case, the interface is assigned the IP address
through BOOTP.
This chapter only covers how to assign an IP address manually. For how to obtain an IP address using the other two methods, see the related sections in the DHCP part of this manual.
1.2.1 Assigning an IP Address to an Interface
Generally, one
interface is configured with one IP address. To connect multiple logical
subnets on the same physical subnet, you may assign an interface multiple IP
addresses, one primary and multiple secondary.
Follow these steps to assign an IP address
to an interface:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | –– |
| Enter interface view | interface interface-type interface-number | –– |
| Assign an IP address to the interface | ip address ip-address { mask \| mask-length } [ sub ] | Required. No IP address is assigned by default. |

Caution:
- One interface can be configured with only one primary IP address. A newly assigned primary IP address overwrites the old one, if any.
- You cannot assign secondary IP addresses to an interface using BOOTP or DHCP.
- The primary and secondary IP addresses you assign to the interface can be located on the same network segment.
- With S5500-SI series Ethernet switches, you can configure IP addresses for VLAN interfaces and Loopback interfaces. Only 32-bit subnet masks can be configured on Loopback interfaces.
I. Network requirements
As shown in Figure 1-3, Vlan-interface1 (belonging to VLAN 1) on the switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. Hosts on the external network must be able to communicate with the two network segments through the switch, and hosts on the two segments must be able to communicate with each other.
II. Network diagram

Figure 1-3 Network diagram for IP address configuration
III. Configuration procedure
If only one IP address is configured on Vlan-interface1 of the switch, only some of the hosts can be accessed from the external network through the switch. To enable access to all the hosts in the network through the switch, a secondary IP address needs to be configured for Vlan-interface1. To allow the hosts on the two segments to communicate with each other, the switch needs to be set as the gateway on all the hosts on the two segments.
# Assign a primary IP address and a secondary IP address to Vlan-interface1.
<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Sysname-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on
the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs
attached to the subnet 172.16.2.0/24.
# Ping a host on the subnet 172.16.1.0/24
from the switch to verify the configuration.
<Sysname> ping 172.16.1.2
PING 172.16.1.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
# Ping a host on the subnet 172.16.2.0/24
from the switch to verify the configuration.
<Sysname> ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
# Verify that the hosts on the subnets
172.16.1.0/24 and 172.16.2.0/24 can communicate with each other.
After the above-mentioned configuration,
you can use the display command in any view to display IP address
configuration, so as to verify configuration result.
Follow these steps to display and maintain
IP address configuration:

| To do… | Use the command… |
|---|---|
| Display information about a specified or all Layer 3 interfaces | display ip interface [ interface-type interface-number ] |
| Display brief information about a specified or all Layer 3 interfaces | display ip interface brief [ interface-type interface-number ] |

2.1 IP Performance Overview
In some network environments, you need to
adjust the IP parameters to achieve best IP performance. IP performance
configuration parameters include:
- Receiving and forwarding of directed broadcasts
- TCP timers
- Size of TCP receive/send buffer
- ICMP error packets sending
2.2 Permitting Receiving and Forwarding of Directed Broadcast Packets
Directed broadcast packets include network directed broadcast packets, individual-subnet directed broadcast packets and all-subnet directed broadcast packets. If a device is permitted to receive and forward directed broadcast packets, attackers can use such packets to attack the network, which poses a risk to network security. Therefore, the receiving and forwarding of directed broadcast packets are disabled on S5500-SI series Ethernet switches by default. When necessary, you can use the related command to permit the device to receive and forward directed broadcast packets.
If the device is permitted to receive
directed broadcast packets, the configuration on an interface determines
whether these packets can be forwarded. Otherwise, directed broadcast packets
are discarded directly.
Follow these steps to enable the receiving of
directed broadcasts:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable the device to receive directed broadcasts | ip forward-broadcast | Required. By default, an interface is not allowed to receive directed broadcasts. |

Follow these steps to enable forwarding
directed broadcasts:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Enable forwarding directed broadcasts on an interface | ip forward-broadcast [ acl acl-number ] | Required. By default, directed broadcasts forwarding is not allowed. |

- If you have configured an ACL when enabling an interface to forward directed broadcasts, the interface discards the directed broadcast packets that do not match the ACL rules and forwards only those that match.
- If you execute the ip forward-broadcast acl command on an interface multiple times, the last executed command takes effect. As such, if the last command is one without acl acl-number, the previous ACL rules are cancelled.
I. Network requirement
As shown in Figure 2-1, the PC interface and Vlan-interface3 of Switch A are in the same network segment (1.1.1.0/24). Vlan-interface2 of Switch A and Vlan-interface2 of Switch B are in another network segment (2.2.2.0/24). The
default gateway of the PC is Vlan-interface3 (IP address 1.1.1.2/24) of Switch A.
Configure a static route on Switch B for the reachability between PC and Switch
B.
II. Network diagram

Figure 2-1 Blocking directed broadcasts
III. Configuration procedure
- Perform the following configuration on Switch A.
# Configure Switch A to receive directed broadcast packets.
<SwitchA> system-view
[SwitchA] ip forward-broadcast
# Configure IP addresses for Vlan-interface3 and Vlan-interface2.
[SwitchA] interface Vlan-interface 3
[SwitchA-Vlan-interface3] ip address 1.1.1.2 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24
# Configure Vlan-interface2 to forward directed broadcast packets.
[SwitchA-Vlan-interface2] ip forward-broadcast
- Perform the following configuration on Switch B.
# Configure Switch B to receive directed broadcast packets.
<SwitchB> system-view
[SwitchB] ip forward-broadcast
# Configure a static route from Switch B to the PC.
[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for Vlan-interface2.
[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 2.2.2.1 24
After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of Vlan-interface 2 of Switch A from the PC, the ping packets can be received by Vlan-interface 2 of Switch B. However, if you cancel the ip forward-broadcast command, the ping packets cannot be received by Vlan-interface 2 of Switch B.
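
One way to audit a configuration for the behaviour described in this section, as an added example that is not part of the original manual: the script reports, per interface, which subnet broadcast addresses will be forwarded and whether an ACL filters them. The configuration text is constructed, and its layout (sections separated by #, interface commands listed under the interface line) is an assumption about how the commands above appear in a saved configuration.

```python
import ipaddress
import re

# Constructed sample; the layout is assumed ('#' separates sections, interface
# commands follow their "interface" line). ACL 2000 is a made-up number.
SAMPLE = """\
#
 ip forward-broadcast
#
interface Vlan-interface2
 ip address 2.2.2.2 255.255.255.0
 ip forward-broadcast acl 2000
 ip forward-broadcast
#
interface Vlan-interface3
 ip address 1.1.1.2 24
#
interface Vlan-interface10
 ip address 172.16.1.1 255.255.255.0
 ip address 172.16.2.1 255.255.255.0 sub
 ip forward-broadcast acl 2000
#
"""

def audit(config: str) -> dict:
    """Map each forwarding interface to (status, directed-broadcast addresses)."""
    receive, current, ifaces = False, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            current = None                      # end of a section
        elif m := re.fullmatch(r"interface (.+)", line):
            name = m[1].replace(" ", "")        # "Vlan-interface 2" == "Vlan-interface2"
            current = ifaces.setdefault(name, {"nets": [], "fwd": None})
        elif m := re.fullmatch(r"ip address (\S+) (\S+)( sub)?", line):
            if current is not None:             # accepts mask or mask-length
                current["nets"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.fullmatch(r"ip forward-broadcast(?: acl (\d+))?", line):
            if current is None:
                receive = True                  # system view: device may receive them
            else:                               # last command wins; no "acl" drops the ACL
                current["fwd"] = m[1] or "none"
    findings = {}
    for name, info in ifaces.items():
        if info["fwd"] is None:
            continue                            # forwarding stays at its default (off)
        targets = [str(n.broadcast_address) for n in info["nets"] if n.prefixlen < 31]
        if not receive:
            status = "inert: device does not receive directed broadcasts"
        elif info["fwd"] == "none":
            status = "forwarded without ACL"
        else:
            status = f"forwarded if permitted by ACL {info['fwd']}"
        findings[name] = (status, targets)
    return findings

if __name__ == "__main__":
    for name, (status, targets) in audit(SAMPLE).items():
        print(name, status, targets)
```

Interfaces reported as "forwarded without ACL" are the ones to review first; the secondary address on Vlan-interface10 shows that every subnet on an interface contributes its own broadcast address.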
2.3 Configuring TCP Attributes
TCP attributes that can be configured
include:
- synwait timer: Before sending a SYN packet, TCP starts the synwait timer. If no response packets are received before the synwait timer expires, the TCP connection is not successfully created.
- finwait timer: When the TCP connection is in FIN_WAIT_2 state, the finwait timer is started. If no FIN packets are received before the timer expires, the TCP connection is terminated. If FIN packets are received, the TCP connection state changes to TIME_WAIT. If non-FIN packets are received, the system restarts the timer from the receipt of the last non-FIN packet, and the connection is broken when the timer expires.
- Size of TCP receiving/sending buffer
Follow these steps to configure TCP
attributes:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure TCP synwait timer’s timeout value | tcp timer syn-timeout time-value | Optional. By default, the timeout value is 75 seconds. |
| Configure TCP finwait timer’s timeout value | tcp timer fin-timeout time-value | Optional. By default, the timeout value is 675 seconds. |
| Configure the size of TCP receiving/sending buffer | tcp window window-size | Optional. By default, the buffer is 8k bytes. |

2.4 Configuring ICMP to Send Error Packets
Sending error packets is a major function of the ICMP protocol. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify the corresponding devices so as to facilitate control and management.
I. Advantage of sending ICMP error packets
There are three kinds of ICMP error packets: redirection packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.
1) Sending ICMP redirect packets
A host may have only one route (the default route to the default gateway) in its routing table when starting. The default gateway sends an ICMP redirect packet to the source host, notifying it to select a correct next hop router for subsequent packets, if the following conditions are satisfied:
- The receiving and sending interfaces are the same.
- The selected route has not been created or modified by ICMP redirect packets.
- The selected route is not the default route of the device.
- There is no source route option in the packet.
The ICMP redirect function simplifies host administration and enables a host to gradually establish a sound routing table and find the best route.
2) Sending ICMP timeout packets
If a timeout error occurs after the device receives an IP data packet, the device drops the packet and sends an ICMP timeout packet to the source.
The device sends an ICMP timeout packet under the following conditions:
- If the device receives a data packet whose TTL field is 1 and finds that the destination of the packet is not local, it sends a “TTL timeout” ICMP error message.
- When the device receives the first fragment of an IP packet whose destination address is local, it starts a timer. If the timer expires before all the fragments are received, the device sends a “reassembly timeout” ICMP error packet.
3) Sending ICMP destination unreachable packets
If a destination unreachable error occurs after the device receives an IP data packet, the device drops the packet and sends an ICMP destination unreachable error packet to the source.
The device sends an ICMP destination unreachable packet under the following conditions:
- When forwarding a packet, if the device finds neither a corresponding forwarding route nor a default route in the routing table, it sends a “network unreachable” ICMP error packet.
- When receiving a data packet whose destination address is local, if the transport layer protocol is unavailable on the device, the device sends a “protocol unreachable” ICMP error packet.
- When receiving a data packet whose destination address is local and whose transport layer protocol is UDP, if the packet’s port number does not match any running process, the device sends the source a “port unreachable” ICMP error packet.
- When a packet is sent using “strict source routing”, if an intermediate device finds that the source route points to a device not directly connected to the network, it sends the source a “source routing fails” ICMP error packet.
- When forwarding a packet, if the MTU of the forwarding interface is smaller than the packet but the packet has been set as unfragmentable, the device sends the source a “fragmenting is required but unavailable” ICMP error packet.
II. Disadvantage of sending ICMP error packets
Although sending ICMP error packets facilitates control and management, it has the following disadvantages:
- Sending a lot of ICMP packets increases network traffic.
- If the device receives a lot of malicious packets that cause it to send many ICMP error packets, the device's performance is reduced.
- As redirection adds routes to a host’s routing table, the host’s performance is reduced if the number of routes increases greatly.
- As ICMP destination unreachable packets are unreachable to users' processes, end users may be affected if there are malicious attacks.
To prevent such problems, you can disable the device from sending ICMP error packets to reduce network traffic and avoid malicious attacks.
Follow these steps to disable sending ICMP
error packets:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Disable sending ICMP redirect packets | undo ip redirects | Required. Sending ICMP redirect packets is enabled by default. |
| Disable sending ICMP timeout packets | undo ip ttl-expires | Required. Sending ICMP timeout packets is enabled by default. |
| Disable sending ICMP destination unreachable packets | undo ip unreachables | Required. Sending ICMP destination unreachable packets is enabled by default. |

- The device stops sending “network unreachable” and “source route unsuccessful” ICMP error packets after sending ICMP destination unreachable packets is disabled. But other destination unreachable packets will be sent normally.
- The device stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is disabled. But “reassembly timeout” error packets will be sent normally.
2.5 Displaying and Maintaining IP Performance
After the above-mentioned configuration,
you can use the display command in any view to display the IP performance
status, so as to verify configuration result.
You can use the reset command in
user view to clear the statistics about IP, TCP, and UDP traffic.
Follow these steps to display and maintain IP performance:

| To do… | Use the command… |
|---|---|
| Display current TCP connection state | display tcp status |
| Display statistics of TCP connection | display tcp statistics |
| Display statistics of UDP flows | display udp statistics |
| Display statistics of IP packets | display ip statistics |
| Display statistics of ICMP flows | display icmp statistics |
| Display current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ] |
| Display FIB forward information | display fib [ \| { begin \| include \| exclude } text \| acl acl-number \| ip-prefix ip-prefix-name ] |
| Display FIB forward information matching the specified destination IP address | display fib ip-address1 [ { mask1 \| mask-length1 } [ ip-address2 { mask2 \| mask-length2 } \| longer ] \| longer ] |
| Display statistics about the FIB items | display fib statistics |
| Clear statistics of IP packets | reset ip statistics |
| Clear statistics of TCP flows | reset tcp statistics |
| Clear statistics of UDP flows | reset udp statistics |