H3C S9500 Operation Manual-Release2132[V2.03]-02 IP Services Volume
Table of Contents
Chapter 1 IP Performance Configuration
1.2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network
1.2.1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (in System View)
1.2.2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (in Interface View)
1.3 Configuring TCP Attributes
1.4 Configuring TCP MSS for the Interface
1.5 Configuring ICMP Error Packet Sending
1.6 Displaying and Maintaining IP Performance
Chapter 1 IP Performance Configuration
When configuring IP performance, go to these sections for information you are interested in:
- Enabling Forwarding of Directed Broadcasts to a Directly Connected Network
- Configuring TCP MSS for the Interface
- Configuring ICMP Error Packet Sending
- Displaying and Maintaining IP Performance
1.1 IP Performance Overview
- Enabling forwarding of directed broadcasts
- Configuring TCP timers
- Configuring the TCP buffer size
- Configuring TCP MSS for the interface
- Enabling ICMP error packet sending
1.2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network
Directed broadcasts refer to broadcast packets sent to a specific network. In the destination IP address of a directed broadcast, the network ID is a network-specific number and the host ID is all ones.
Allowing the device to receive and forward directed broadcasts to a directly connected network gives attackers an opportunity to attack the network, so this feature is disabled by default.
When this feature is required in some network applications, you can configure the device to forward directed broadcasts in system view or interface view. If you disable this feature in system view, the switch discards directed broadcasts directly; otherwise, the system determines whether to discard directed broadcasts according to the interface configuration.
Note:
S9500 series routing switches can still receive broadcasts on a designated UDP port even if they are disabled from receiving directed broadcasts.
1.2.1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (in System View)
Follow these steps to enable the device to forward directed broadcasts:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enable the device to forward directed broadcasts | ip forward-broadcast | Required. By default, the device is disabled from forwarding directed broadcasts.
1.2.2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (in Interface View)
Follow these steps to enable the device to forward directed broadcasts:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Enable the interface to forward directed broadcasts | ip forward-broadcast [ acl acl-number ] | Required. By default, the device is disabled from forwarding directed broadcasts.
Note:
- You can reference an ACL to forward only the directed broadcasts permitted by the ACL.
- If you execute the ip forward-broadcast acl command on an interface repeatedly, the last execution overwrites the previous one. If the command executed last does not include acl acl-number, the previously configured ACL is removed.
1.2.3 Configuration Example
I. Network requirements
As shown in Figure 1-1, the host’s interface and VLAN-interface 3 of Switch A are on the same network segment (1.1.1.0/24). VLAN-interface 2 of Switch A and VLAN-interface 2 of Switch B are on another network segment (2.2.2.0/24). The default gateway of the host is VLAN-interface 3 (IP address 1.1.1.2/24) of Switch A. Configure a static route on Switch B to enable the reachability between Host and Switch B.
II. Network diagram
Figure 1-1 Network diagram for receiving and forwarding directed broadcasts
III. Configuration procedure
- Configure Switch A
# Enable Switch A to receive directed broadcasts.
<SwitchA> system-view
[SwitchA] ip forward-broadcast
# Configure IP addresses for VLAN-interface 3 and VLAN-interface 2.
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 1.1.1.2 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24
# Enable VLAN-interface 2 to forward directed broadcasts.
[SwitchA-Vlan-interface2] ip forward-broadcast
- Configure Switch B
# Enable Switch B to receive directed broadcasts.
<SwitchB> system-view
[SwitchB] ip forward-broadcast
# Configure a static route to the host.
[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2
# Configure an IP address for VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 2.2.2.1 24
After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of VLAN-interface 2 of Switch A on the host, the ping packets can be received by VLAN-interface 2 of Switch B. However, if you execute the undo ip forward-broadcast command, the ping packets cannot be received by VLAN-interface 2 of Switch B.
1.3 Configuring TCP Attributes
TCP attributes that can be configured include:
- synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received before the synwait timer expires, the TCP connection is not created.
- finwait timer: When the TCP connection enters the FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received before the timer expires, the TCP connection is terminated. If a FIN packet is received, the connection state changes to TIME_WAIT. If non-FIN packets are received, the timer is restarted from the last non-FIN packet received, and the connection is terminated when the timer expires.
- Size of the TCP receive/send buffer
Follow these steps to configure TCP optional parameters:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Configure the TCP synwait timer’s timeout value | tcp timer syn-timeout time-value | Optional. By default, the timeout value is 75 seconds.
Configure the TCP finwait timer’s timeout value | tcp timer fin-timeout time-value | Optional. By default, the timeout value is 675 seconds.
Configure the size of the TCP receive/send buffer | tcp window window-size | Optional. By default, the buffer is 8 kilobytes.
Caution:
The actual length of the finwait timer is determined by the following formula:
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer
1.4 Configuring TCP MSS for the Interface
The TCP maximum segment size (MSS) on an interface determines whether TCP packets need to be fragmented when forwarded. If a packet is smaller than the TCP MSS, it does not need to be fragmented; otherwise, it is fragmented according to the TCP MSS.
Follow these steps to configure TCP MSS for the interface:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Configure TCP MSS for the interface | tcp mss value | Required. 1,460 bytes by default.
1.5 Configuring ICMP Error Packet Sending
Sending error packets is a major function of Internet control message protocol (ICMP). In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices, thus facilitating control and management.
I. Advantage of sending ICMP error packets
There are three kinds of ICMP error packets: redirect packets, timeout packets and destination unreachable packets. Their sending conditions and functions are as follows.
1) Sending ICMP redirect packets
A host may have only one default route to the default gateway in its routing table after startup. If certain conditions are satisfied, the default gateway will send ICMP redirect packets to the source host and notify it to reselect a correct next hop router to send the subsequent packets.
S9500 series routing switches will send ICMP redirect packets to the source host under the following conditions:
- The receiving and forwarding interfaces are the same
- The selected route has not been created or modified by an ICMP redirect packet
- The selected route is not the default route of the switch
- There is no source route option in the packet
Note:
When performing hardware forwarding, S9500 series routing switches will not forward ICMP redirect packets even if the above conditions are satisfied.
The ICMP redirect function simplifies host administration and enables a host to gradually build a sound routing table and find the best route.
2) Sending ICMP timeout packets
If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source.
S9500 series routing switches will send ICMP timeout packets under the following conditions:
- If the switch finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a “TTL timeout” ICMP error message.
- When the switch receives the first fragment of an IP datagram destined for the device itself, it starts a timer. If the timer expires before all fragments of the datagram are received, the switch sends a “reassembly timeout” ICMP error packet.
3) Sending ICMP destination unreachable packets
If the device receives an IP packet with the destination unreachable, it will drop the packet and send an ICMP destination unreachable error packet to the source.
S9500 series switches will send an ICMP destination unreachable error packet under the following conditions:
- If neither a route nor a default route for forwarding a packet is available, the device sends a “network unreachable” ICMP error packet.
- If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source.
- When receiving a packet whose destination is local and whose transport layer protocol is UDP, if the packet’s port number does not match any running process, the device sends the source a “port unreachable” ICMP error packet.
- If the source uses “strict source routing” to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device sends the source a “source routing failure” ICMP error packet.
- When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has the “Don’t Fragment” (DF) bit set, the device sends the source a “fragmentation needed and DF set” ICMP error packet.
Note:
When performing hardware forwarding, S9500 series routing switches will not forward ICMP destination unreachable packets even if the above conditions are satisfied.
II. Disadvantage of sending ICMP error packets
Although sending ICMP error packets facilitates control and management, it has the following disadvantages:
- Sending a lot of ICMP packets increases network traffic.
- If the switch receives a lot of malicious packets that cause it to send ICMP error packets, its performance is reduced.
- Because the redirect function increases the size of a host’s routing table, the host’s performance is reduced if its routing table becomes very large.
- If a host sends malicious ICMP destination unreachable packets, end users may be affected.
To prevent such problems, you can disable the switch from sending ICMP error packets.
Follow these steps to disable sending ICMP error packets:
To do… | Use the command… | Remarks
---|---|---
Enter system view | system-view | —
Disable sending ICMP redirect packets | undo ip redirects | Required. Enabled by default.
Disable sending ICMP timeout packets | undo ip ttl-expires | Required. Enabled by default.
Disable sending ICMP destination unreachable packets | undo ip unreachables | Required. Enabled by default.
Note:
- The switch stops sending “network unreachable” and “source route failure” ICMP error packets after sending ICMP destination unreachable packets is disabled. Other destination unreachable packets are still sent normally.
- The switch stops sending “TTL timeout” ICMP error packets after sending ICMP timeout packets is disabled. “Reassembly timeout” error packets are still sent normally.
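As an added example (not part of the manual), the Python script below audits a saved configuration for the commands covered in sections 1.2 and 1.5: it tracks whether each line was entered in system view or interface view, applies the rule that a repeated ip forward-broadcast overwrites an earlier ACL, and reports the interfaces that effectively forward directed broadcasts together with the ICMP error-packet types left at their enabled default. The configuration text and its layout are constructed for the example.

```python
import re
# Constructed sample configuration (not from the manual) built from the commands
# in sections 1.2 and 1.5; indentation and '#' separators mimic an H3C saved config.
SAMPLE_CONFIG = """\
 ip forward-broadcast
#
interface Vlan-interface2
 ip forward-broadcast acl 2001
 ip forward-broadcast
#
interface Vlan-interface3
 ip forward-broadcast acl 2002
#
 undo ip redirects
"""

def audit_ip_performance(config_text):
    """Walk a saved config tracking system vs interface view; ICMP types default to enabled."""
    audit = {"global_forward_broadcast": False, "interfaces": {},
             "icmp_redirects": True, "icmp_ttl_expires": True, "icmp_unreachables": True}
    current = None  # None while in system view, otherwise the interface name
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "#":
            current = None  # the '#' separator closes the interface block
        elif m := re.fullmatch(r"ip forward-broadcast(?: acl (\d+))?", line):
            if current is None:
                audit["global_forward_broadcast"] = True
            else:  # repeated executions overwrite: a form without 'acl' drops the earlier ACL
                audit["interfaces"][current] = f"acl {m.group(1)}" if m.group(1) else "no acl"
        elif line in ("undo ip redirects", "undo ip ttl-expires", "undo ip unreachables"):
            audit["icmp_" + line.split()[-1].replace("-", "_")] = False
    return audit

def findings(audit):
    """Report effective exposures: interface forwarding counts only when enabled in system view."""
    out = []
    for name, mode in audit["interfaces"].items():
        if not audit["global_forward_broadcast"]:
            out.append(f"{name}: ip forward-broadcast has no effect (disabled in system view)")
        elif mode == "no acl":
            out.append(f"{name}: forwards directed broadcasts with no ACL restriction")
        else:
            out.append(f"{name}: forwards directed broadcasts permitted by {mode}")
    for key in ("icmp_redirects", "icmp_ttl_expires", "icmp_unreachables"):
        if audit[key]:
            out.append(f"{key.replace('_', ' ')} still enabled (default)")
    return out
```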
1.6 Displaying and Maintaining IP Performance
To do… | Use the command… | Remarks
---|---|---
Display current TCP connection state | display tcp status | Available in any view
Display TCP connection statistics | display tcp statistics | Available in any view
Display UDP statistics | display udp statistics | Available in any view
Display statistics of IP packets | display ip statistics [ slot slot-number ] | Available in any view
Display statistics of ICMP flows | display icmp statistics [ slot slot-number ] | Available in any view
Display socket information | display ip socket [ socktype sock-type ] [ task-id socket-id ] [ slot slot-number ] | Available in any view
Display FIB forwarding information | display fib [ \| { begin \| include \| exclude } text \| acl acl-number \| ip-prefix ip-prefix-name ] | Available in any view
Display FIB forwarding information matching the specified destination IP address | display fib ip-address1 [ { mask1 \| mask-length1 } [ ip-address2 { mask2 \| mask-length2 } \| longer ] \| longer ] | Available in any view
Display statistics about the FIB entries | display fib statistics | Available in any view
Clear statistics of IP packets | reset ip statistics [ slot slot-number ] | Available in user view
Clear statistics of TCP connections | reset tcp statistics | Available in user view
Clear statistics of UDP flows | reset udp statistics | Available in user view