08-IP Performance Configuration
Table of Contents
Chapter 1 IP Performance Configuration
1.1 Configuring IP Performance
1.1.1 Configuring TCP Attributes
1.1.2 Configuring the Switch Whether to Send a Time Exceeded ICMP Packet
1.2 Displaying and Maintaining IP Performance
1.3 Troubleshooting IP Performance
When configuring IP performance, go to these sections for information you are interested in:
- Displaying and Maintaining IP Performance
- Troubleshooting IP Performance
IP performance configuration includes:
- Configuring the Switch Whether to Send a Time Exceeded ICMP Packet
TCP attributes include:
- synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received before the synwait timer expires, the TCP connection is terminated. The synwait timeout ranges from 2 to 600 seconds and is 75 seconds by default.
- finwait timer: When the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If no FIN packet is received before the finwait timer expires, the TCP connection is terminated. The finwait timeout ranges from 76 to 3600 seconds and is 675 seconds by default.
- The receiving/sending buffer size of a connection-oriented socket ranges from 1 to 32 KB and is 8 KB by default.
Perform the following configuration in system view to configure TCP attributes:
To do… | Use the command… |
---|---|
Configure timeout time for the synwait timer in TCP | tcp timer syn-timeout time-value |
Restore the default timeout time of the synwait timer | undo tcp timer syn-timeout |
Configure timeout time for the FIN_WAIT_2 timer in TCP | tcp timer fin-timeout time-value |
Restore the default timeout time of the FIN_WAIT_2 timer | undo tcp timer fin-timeout |
Configure the socket receiving/sending buffer size of TCP | tcp window window-size |
Restore the socket receiving/sending buffer size of TCP to default value | undo tcp window |
When the switch receives a packet whose TTL is "1", it returns a destination unreachable packet to the sender. If an attacker continuously sends IP packets whose TTL is "1", the switch keeps replying to the attacker with destination unreachable packets. As a result, the CPU of the switch comes under attack.
If, on receiving IP packets whose TTL is "1", the switch sends a "time exceeded" ICMP error packet to the network management system instead of a destination unreachable packet, such an attack can be avoided.
Follow these steps to configure whether the switch sends a destination unreachable packet:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Configure the switch to send a "time exceeded" ICMP error packet to the IP packet sender when the switch receives a packet whose TTL is "1" | ip icmp-time-exceed enable | By default, the switch sends a "time exceeded" ICMP error packet to the network management system. |
Configure the switch to return a destination unreachable packet to the sender when the switch receives a packet whose TTL is "1" | undo ip icmp-time-exceed enable | — |
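The following is an added example, not part of the original manual or H3C software: a Python check that lints a proposed configuration against the timer and buffer ranges listed above and reports when TTL "1" packets would be answered with destination unreachable. It assumes the configuration is supplied as text with one command per line; the sample input is constructed.

```python
import re

# Ranges and defaults as stated on this page: (min, max, default).
# Timers are in seconds, the socket buffer size in KB.
LIMITS = {
    "tcp timer syn-timeout": (2, 600, 75),
    "tcp timer fin-timeout": (76, 3600, 675),
    "tcp window": (1, 32, 8),
}
ICMP = "ip icmp-time-exceed enable"

# Constructed sample: a proposed change, not output from a real switch.
SAMPLE = """\
tcp timer syn-timeout 30
tcp timer fin-timeout 60
undo ip icmp-time-exceed enable
"""

def audit(config_text):
    """Return (effective settings, findings) for a proposed configuration."""
    effective = {cmd: default for cmd, (_, _, default) in LIMITS.items()}
    effective[ICMP] = True  # the page gives "time exceeded" as the default
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line in (ICMP, "undo " + ICMP):
            effective[ICMP] = not line.startswith("undo ")
            continue
        for cmd, (low, high, default) in LIMITS.items():
            if line == "undo " + cmd:
                effective[cmd] = default  # undo restores the default
            elif line.startswith(cmd + " "):
                value = line[len(cmd) + 1:]
                if re.fullmatch(r"[0-9]+", value) and low <= int(value) <= high:
                    effective[cmd] = int(value)
                else:
                    findings.append(f"{cmd} {value}: outside {low}-{high}")
    if not effective[ICMP]:
        findings.append("TTL 1 packets are answered with destination unreachable")
    return effective, findings

if __name__ == "__main__":
    settings, problems = audit(SAMPLE)
    for name, value in settings.items():
        print(f"{name}: {value}")
    for problem in problems:
        print("FINDING:", problem)
```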
To do… | Use the command… | Remarks |
---|---|---|
Display the states of all the TCP connections | display tcp status | Available in any view |
Display TCP connection statistics data | display tcp statistics | |
Display UDP statistics information | display udp statistics | |
Display IP statistics information | display ip statistics | |
Display ICMP statistics information | display icmp statistics | Available in any view |
Display the current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ] | |
Display the summary of the Forwarding Information Base (FIB) | display fib [ all ] | |
Display the FIB entries matching the specified destination IP address | display fib [ all ] [ ip-address [ mask \| mask-length ] [ longer ] ] | |
Display the FIB entries matching the specified destination IP address range | display fib [ all ] ip-address1 { mask1 \| mask-length1 } ip-address2 { mask2 \| mask-length2 } | |
Display the FIB entries permitted by a specific ACL | display fib [ all ] acl { number \| name } | |
Display the FIB entries in the buffer which begin with, include or exclude the specified character string | display fib [ all ] \| { { begin \| include \| exclude } text } | |
Display the FIB entries permitted by a specific prefix list | display fib [ all ] ip-prefix listname | |
Display the total number of the FIB entries | display fib [ all ] statistics | |
To do… | Use the command… | Remarks |
---|---|---|
Reset IP statistics information | reset ip statistics | Available in user view |
Reset TCP statistics information | reset tcp statistics | |
Reset UDP statistics information | reset udp statistics | |
Enable the debugging of IP packets | debugging ip packet [ acl acl-number ] | Available in user view |
Disable the debugging of IP packets | undo debugging ip packet | Available in user view |
Enable the debugging of ICMP packets | debugging ip icmp | |
Disable the debugging of ICMP packets | undo debugging ip icmp | |
Enable the debugging of UDP connections | debugging udp packet [ task-id socket-id ] | |
Disable the debugging of UDP connections | undo debugging udp packet [ task-id socket-id ] | |
Enable the debugging of TCP connections | debugging tcp packet [ task-id socket-id ] | |
Disable the debugging of TCP connections | undo debugging tcp packet [ task-id socket-id ] | |
Enable the debugging of TCP events | debugging tcp event [ task-id socket-id ] | |
Disable the debugging of TCP events | undo debugging tcp event [ task-id socket-id ] | |
Enable the debugging of the MD5 authentication | debugging tcp md5 | |
Disable the debugging of the MD5 authentication | undo debugging md5 | |
Fault: IP layer protocol works normally but TCP and UDP cannot work normally.
Troubleshoot: In the event of such a fault, you can enable the corresponding debugging information output to view the debugging information.
- Use the display command to view the running information of IP performance and make sure that the PCs used by the user are running normally.
- Use the terminal debugging command to output the debugging information to the console.
- Use the debugging udp packet command to enable UDP debugging and trace the UDP packets.
The following are the UDP packet formats:
UDP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296
task = ROUT(15)
socketid = 6,
src = 192.168.1.1:520,
dst = 255.255.255.255:520,
datalen = 24
- Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets.
Operations include:
<H3C> terminal debugging
<H3C> debugging tcp packet
Then the TCP packets received or sent can be checked in real time. Specific packet formats include:
TCP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296
Sequence number :4195089
Ack number: 0
Flag :SYN
Packet length :60
Data offset: 10
task = ROUT(15)
socketid = 5
state = Established
src = 172.16.1.2
Source port:1025
dst = 172.16.1.1
Destination port: 4296
seq = 1921836502
ack = 4192768493
flag = ACK
window = 16079