H3C S5500-SI Series Ethernet Switches Operation Manual-Release 1205-(V1.03)

09-IP Address and Performance Operation

Chapter 1  IP Address Configuration

1.1  IP Address Overview

1.1.1  IP Address Classes

Each device interface connected to the Internet must be assigned a globally unique IP address. IP addresses are 32-bit in length, generally expressed in dotted decimal notation. That is, an IP address can be expressed as four decimal integers separated by dots, with each integer corresponding to one byte. 10.1.1.1 is an example.

Each IP address breaks down into two parts:

• net-id, the first several bits of the IP address defining a network, also known as class bits.

• host-id, identifies a host on a network.

For ease of administration, IP addresses are divided into five classes. The class of an IP address is determined by the first one to four bits of the net-id, as shown in Figure 1-1.

Figure 1-1 IP address classes

Table 1-1 describes the address ranges of these five classes. Currently, the first three classes of IP addresses are used in large quantities.

Table 1-1 IP address classes and ranges

| Class | Address range | Description |
| --- | --- | --- |
| A | 0.0.0.0 to 127.255.255.255 | Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link. |
| B | 128.0.0.0 to 191.255.255.255 | –– |
| C | 192.0.0.0 to 223.255.255.255 | –– |
| D | 224.0.0.0 to 239.255.255.255 | Multicast address. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255. |

As the Internet develops rapidly, available IP addresses are being exhausted. To make full use of available IP addresses, a network can be divided into smaller ones (known as subnets) with subnet masks. A network can be divided into subnets by using some bits of the host-id to create a subnet-id. The length of subnet-id is determined by subnet mask.

A subnet mask is 32-bit in length and comprises a series of consecutive ones and a series of consecutive zeros. In a subnet mask, the part containing consecutive ones identifies the combination of net-id and subnet-id, whereas the part containing consecutive zeros identifies the host-id.

A subnet is significant only within a network. From the perspective of an external network, the network has only one net-id. A gateway performs route selection based on subnet-id and finds the destination host only after incoming packets are received by the network.

Figure 1-2 shows how a Class B address is subnetted.

Figure 1-2 Subnetting a Class B address

Note that subnetting is a tradeoff between the number of subnets and the number of hosts accommodated. For example, a Class B network can accommodate 65,534 hosts before being subnetted. After you break it down into 64 subnets by using the first 6 bits of the host-id for the subnet, you have only 10 bits for the host-id and thus only 1,022 (2^10 – 2) hosts in each subnet (excluding the all-one broadcast address and the all-zero network segment address). The maximum number of hosts is thus 64 × 1,022 = 65,408, which is 126 less than before the network was subnetted.

Class A, B, and C networks, before being subnetted, use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.

1.2  Configuring IP Addresses

An interface can obtain an IP address using the following methods:

• Through manual IP address assignment

• Through BOOTP

• Through DHCP

These methods are mutually exclusive. An IP address obtained using a new method overwrites that obtained using an old method. For example, if you manually assign an IP address and then obtain another IP address through BOOTP, the IP address obtained from BOOTP will overwrite the old one manually assigned. In this case, the interface is assigned the IP address through BOOTP.

 

Note:

This chapter only covers how to assign an IP address manually. For how to obtain an IP address using the other two methods, see the related sections in the DHCP part of this manual.

1.2.1  Assigning an IP Address to an Interface

Generally, one interface is configured with one IP address. To connect multiple logical subnets on the same physical subnet, you may assign an interface multiple IP addresses, one primary and multiple secondary.

Follow these steps to assign an IP address to an interface:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | –– |
| Enter interface view | interface interface-type interface-number | –– |
| Assign an IP address to the interface | ip address ip-address { mask \| mask-length } [ sub ] | Required. No IP address is assigned by default. |

Caution:

• One interface can be configured with only one primary IP address. The primary IP address you assign to the interface overwrites the old one, if any.

• You cannot assign secondary IP addresses to an interface using BOOTP or DHCP.

• The primary and secondary IP addresses you assign to the interface can be located on the same network segment.

• With S5500-SI series Ethernet switches, you can configure IP addresses for VLAN interfaces and Loopback interfaces. Only 32-bit subnet masks can be configured on Loopback interfaces.

1.2.2  IP Address Configuration Example

I. Network requirements

As shown in Figure 1-3, Vlan-interface1 (belonging to VLAN 1) on the switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. Hosts on the external network can communicate with the two network segments through the switch, and hosts on the two segments can communicate with each other.

II. Network diagram

Figure 1-3 Network diagram for IP address configuration

III. Configuration procedure

If only one IP address is configured on Vlan-interface1 of the switch, only some of the hosts can be accessed from the external network through the switch. To enable access to all the hosts in the network through the switch, a secondary IP address needs to be configured for Vlan-interface1. To allow the hosts on the two segments to communicate with each other, the switch needs to be set as the gateway on all the hosts on the two segments.

# Assign a primary IP address and a secondary IP address to Vlan-interface1.

<Sysname> system-view
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Sysname-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub

# Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24.

# Ping a host on the subnet 172.16.1.0/24 from the switch to verify the configuration.

<Sysname> ping 172.16.1.2
  PING 172.16.1.2: 56  data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms

  --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms

# Ping a host on the subnet 172.16.2.0/24 from the switch to verify the configuration.

<Sysname> ping 172.16.2.2
  PING 172.16.2.2: 56  data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms

  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms

# Verify that the hosts on the subnets 172.16.1.0/24 and 172.16.2.0/24 can communicate with each other.

1.3  Displaying and Maintaining IP Address Configuration

After the above-mentioned configuration, you can use the display command in any view to display IP address configuration, so as to verify configuration result.

Follow these steps to display and maintain IP address configuration:

| To do… | Use the command… |
| --- | --- |
| Display information about a specified or all Layer 3 interfaces | display ip interface [ interface-type interface-number ] |
| Display brief information about a specified or all Layer 3 interfaces | display ip interface brief [ interface-type interface-number ] |


Chapter 2  IP Performance Configuration

2.1  IP Performance Overview

In some network environments, you need to adjust the IP parameters to achieve best IP performance. IP performance configuration parameters include:

• Receiving and forwarding of directed broadcasts

• TCP timers

• Size of TCP receive/send buffer

• Sending of ICMP error packets

2.2  Permitting Receiving and Forwarding of Directed Broadcast Packets

Directed broadcast packets include network directed broadcast packets, individual-subnet directed broadcast packets and all-subnet directed broadcast packets. If a device is permitted to receive and forward directed broadcast packets, attackers can use such packets to attack the network, which poses a risk to network security. Therefore, the receiving and forwarding of directed broadcast packets are disabled on S5500-SI series Ethernet switches by default. When necessary, you can use the related command to permit the device to receive and forward directed broadcast packets.

2.2.1  Enabling Receiving of Directed Broadcasts

If the device is permitted to receive directed broadcast packets, the configuration on an interface determines whether these packets can be forwarded. Otherwise, directed broadcast packets are discarded directly.

Follow these steps to enable the receiving of directed broadcasts:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | –– |
| Enable the device to receive directed broadcasts | ip forward-broadcast | Required. By default, an interface is not allowed to receive directed broadcasts. |

2.2.2  Enabling Forwarding Directed Broadcasts

Follow these steps to enable forwarding directed broadcasts:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | –– |
| Enter interface view | interface interface-type interface-number | –– |
| Enable forwarding directed broadcasts on an interface | ip forward-broadcast [ acl acl-number ] | Required. By default, directed broadcasts forwarding is not allowed. |

Note:

• If you have configured an ACL when enabling an interface to forward directed broadcasts, only the directed broadcast packets that match the ACL rules are forwarded; those that do not match are discarded.

• If you execute the ip forward-broadcast acl command on an interface multiple times, the last executed command takes effect. As such, if the last command is one without acl acl-number, the previous ACL rules are cancelled.

2.2.3  Receiving and Forwarding of Directed Broadcast Configuration Example

I. Network requirement

As shown in Figure 2-1, the PC interface and Vlan-interface3 of Switch A are in the same network segment (1.1.1.0/24). Vlan-interface2 of Switch A and Vlan-interface2 of Switch B are in another network segment (2.2.2.0/24). The default gateway of the PC is Vlan-interface3 (IP address 1.1.1.2/24) of Switch A. Configure a static route on Switch B for the reachability between PC and Switch B.

II. Network diagram

Figure 2-1 Blocking directed broadcasts

III. Configuration procedure

• Perform the following configuration on Switch A.

# Configure Switch A to receive directed broadcast packets.

<SwitchA> system-view
[SwitchA] ip forward-broadcast

# Configure IP addresses for Vlan-interface3 and Vlan-interface2.

[SwitchA] interface Vlan-interface 3
[SwitchA-Vlan-interface3] ip address 1.1.1.2 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24

# Configure Vlan-interface2 to forward directed broadcast packets.

[SwitchA-Vlan-interface2] ip forward-broadcast

• Perform the following configuration on Switch B.

# Configure Switch B to receive directed broadcast packets.

<SwitchB> system-view
[SwitchB] ip forward-broadcast

# Configure a static route from Switch B to the PC.

[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2

# Configure an IP address for Vlan-interface2.

[SwitchB] interface Vlan-interface 2
[SwitchB-Vlan-interface2] ip address 2.2.2.1 24

After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of Vlan-interface 2 of Switch A from the PC, the ping packets can be received by Vlan-interface 2 of Switch B. However, if you cancel the ip forward-broadcast command, the ping packets cannot be received by Vlan-interface 2 of Switch B.
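The audit below is an added example, not H3C code or part of the original manual. It reads saved-configuration-style text and lists the subnet broadcast addresses to which a switch would forward directed broadcasts, applying the receive and forward rules of 2.2.1 and 2.2.2. The sample configuration is constructed; Vlan-interface4, ACL number 2000 and the function names are assumptions.

```python
import ipaddress

# Constructed sample in saved-configuration style, built only from commands
# shown on this page. Vlan-interface4 and ACL number 2000 are assumptions.
SAMPLE_CONFIG = """\
#
 ip forward-broadcast
#
interface Vlan-interface2
 ip address 2.2.2.2 24
 ip forward-broadcast
#
interface Vlan-interface3
 ip address 1.1.1.2 255.255.255.0
#
interface Vlan-interface4
 ip address 172.16.1.1 255.255.255.0
 ip address 172.16.2.1 255.255.255.0 sub
 ip forward-broadcast acl 2000
#
"""


def parse(config):
    """Return (device_receives, {interface: {"nets": [...], "forward": ...}})."""
    receives, ifaces, current = False, {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "#":
            current = None  # '#' ends the current interface stanza
        elif words[0] == "interface":
            name = "".join(words[1:])  # 'Vlan-interface 2' == 'Vlan-interface2'
            current = ifaces.setdefault(name, {"nets": [], "forward": None})
        elif words[:2] == ["ip", "forward-broadcast"]:
            if current is None:
                receives = True  # system view (2.2.1): device accepts them
            elif len(words) >= 4 and words[2] == "acl":
                current["forward"] = "acl " + words[3]
            else:
                current["forward"] = "any"  # last command wins, ACL dropped
        elif words[:2] == ["ip", "address"] and current is not None and len(words) >= 4:
            # mask and mask-length forms, primary or 'sub', are all accepted
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            current["nets"].append(net)
    return receives, ifaces


def audit(config):
    """List (interface, subnet broadcast address, filter) that get forwarded."""
    receives, ifaces = parse(config)
    findings = []
    if not receives:
        return findings  # without the system-view command they are discarded
    for name, cfg in ifaces.items():
        if cfg["forward"] is None:
            continue
        for net in cfg["nets"]:
            if net.prefixlen < 31:  # /32 loopbacks have no broadcast address
                findings.append((name, str(net.broadcast_address), cfg["forward"]))
    return findings


if __name__ == "__main__":
    for iface, bcast, flt in audit(SAMPLE_CONFIG):
        note = "UNFILTERED" if flt == "any" else "filtered by " + flt
        print(f"{iface}: forwards directed broadcasts to {bcast} ({note})")
```

Entries reported with the filter "any" are the ones to review first, since no ACL restricts which directed broadcasts are forwarded on those interfaces.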

2.3  Configuring TCP Attributes

TCP attributes that can be configured include:

• synwait timer: Before sending a SYN packet, TCP starts the synwait timer. If no response packets are received before the synwait timer expires, the TCP connection fails to be established.

• finwait timer: When the TCP connection is in FIN_WAIT_2 state, the finwait timer is started. If no FIN packets are received before the timer expires, the TCP connection is terminated. If FIN packets are received, the TCP connection state changes to TIME_WAIT. If non-FIN packets are received, the system restarts the timer from the time the last non-FIN packet was received, and the connection is terminated when the timer expires.

• Size of TCP receiving/sending buffer

Follow these steps to configure TCP attributes:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | –– |
| Configure TCP synwait timer’s timeout value | tcp timer syn-timeout time-value | Optional. By default, the timeout value is 75 seconds. |
| Configure TCP finwait timer’s timeout value | tcp timer fin-timeout time-value | Optional. By default, the timeout value is 675 seconds. |
| Configure the size of TCP receiving/sending buffer | tcp window window-size | Optional. By default, the buffer is 8k bytes. |

2.4  Configuring ICMP to Send Error Packets

Sending error packets is a major function of the ICMP protocol. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify the corresponding devices so as to facilitate control and management.

I. Advantage of sending ICMP error packets

There are three kinds of ICMP error packets: redirection packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.

1) Sending ICMP redirect packets

A host may have only one route (the default route to the default gateway) in its routing table when starting. The default gateway sends ICMP redirect packets to the source host, notifying it to reselect a correct next hop router for subsequent packets, if the following conditions are satisfied:

• The receiving and sending interfaces are the same.

• The selected route has not been created or modified by ICMP redirect packets.

• The selected route is not the default route of the device.

• There is no source route option in the packet.

The ICMP redirect function simplifies host administration and enables a host to gradually establish a sound routing table and find the best route.

2) Sending ICMP timeout packets

If a timeout error occurs after a device receives an IP data packet, the device drops the data packet and sends an ICMP timeout packet to the source.

The device sends an ICMP timeout packet under the following conditions:

• If a device finds that the destination of a packet is not local after receiving a data packet whose TTL field is 1, it sends a “TTL timeout” ICMP error message.

• When the device receives the first fragment of an IP packet whose destination address is local, it starts a timer. If the timer expires before all the fragments are received, the device sends a “reassembly timeout” ICMP error packet.

3) Sending ICMP destination unreachable packets

If a destination timeout error occurs after a device receives an IP data packet, the device drops the data packet and sends an ICMP error packet to the source.

The device sends an ICMP destination unreachable packet under the following conditions:

• When forwarding a packet, if the device finds neither a corresponding forwarding route nor a default route in the routing table, it sends a “network unreachable” ICMP error packet.

• When receiving a data packet whose destination address is local, if the transport layer protocol is unavailable on the device, the device sends a “protocol unreachable” ICMP error packet.

• When receiving a data packet whose destination address is local and whose transport layer protocol is UDP, if the packet’s port number does not match a running process, the device sends the source a “port unreachable” ICMP error packet.

• When packets are sent using “strict source routing”, if an intermediate device finds that the source route points to a device not directly connected to the network, it sends the source a “source routing fails” ICMP error packet.

• When forwarding a packet, if the MTU of the forwarding interface is smaller than the packet but the packet has been set as unfragmentable, the device sends the source a “fragmenting is required but unavailable” ICMP error packet.

II. Disadvantage of sending ICMP error packets

Although sending ICMP error packets facilitates control and management, it has the following disadvantages:

• Sending a lot of ICMP packets increases network traffic.

• If the device receives a lot of malicious packets that cause it to send many ICMP error packets, the device's performance is reduced.

• As redirecting adds to a host’s routing table, the host’s performance is reduced if the number of routes increases greatly.

• As ICMP destination unreachable packets are unreachable to users' processes, end users may be affected if there are malicious attacks.

To prevent such problems, you can disable the device from sending ICMP error packets to reduce network traffic and avoid malicious attacks.

Follow these steps to disable sending ICMP error packets:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | –– |
| Disable sending ICMP redirect packets | undo ip redirects | Required. By default, sending ICMP redirect packets is enabled. |
| Disable sending ICMP timeout packets | undo ip ttl-expires | Required. By default, sending ICMP timeout packets is enabled. |
| Disable sending ICMP destination unreachable packets | undo ip unreachables | Required. By default, sending ICMP destination unreachable packets is enabled. |

Note:

• The device stops sending “network unreachable” and “source route unsuccessful” ICMP error packets after sending ICMP destination unreachable packets is disabled. But other destination unreachable packets will be sent normally.

• The device stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is disabled. But “reassembly timeout” error packets will be sent normally.

2.5  Displaying and Maintaining IP Performance

After the above-mentioned configuration, you can use the display command in any view to display the IP performance status, so as to verify configuration result.

You can use the reset command in user view to clear the statistics about IP, TCP, and UDP traffic.

Follow these steps to display and maintain IP performance:

| To do… | Use the command… |
| --- | --- |
| Display current TCP connection state | display tcp status |
| Display statistics of TCP connection | display tcp statistics |
| Display statistics of UDP flows | display udp statistics |
| Display statistics of IP packets | display ip statistics |
| Display statistics of ICMP flows | display icmp statistics |
| Display current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ] |
| Display FIB forward information | display fib [ \| { begin \| include \| exclude } text \| acl acl-number \| ip-prefix ip-prefix-name ] |
| Display FIB forward information matching the specified destination IP address | display fib ip-address1 [ { mask1 \| mask-length1 } [ ip-address2 { mask2 \| mask-length2 } \| longer ] \| longer ] |
| Display statistics about the FIB items | display fib statistics |
| Clear statistics of IP packets | reset ip statistics |
| Clear statistics of TCP flows | reset tcp statistics |
| Clear statistics of UDP flows | reset udp statistics |
