02-IP Performance Optimization Commands
IP Performance Optimization Configuration Commands
Syntax
display fib [ | { begin | include | exclude } regular-expression | acl acl-number | ip-prefix ip-prefix-name ]
View
Any view
Default Level
1: Monitor level
Parameters
|: Uses a regular expression to match FIB entries. For detailed information about regular expressions, refer to CLI display in Basic System Configuration in the System Volume.
begin: Displays the first entry that matches the specified regular expression and all the FIB entries following it.
exclude: Displays the FIB entries that do not match the specified regular expression.
include: Displays the FIB entries that match the specified regular expression.
regular-expression: A case-sensitive string of 1 to 256 characters, excluding spaces.
acl acl-number: Displays FIB entries matching a specified ACL numbered from 2000 to 2999. If the specified ACL does not exist, all FIB entries are displayed.
ip-prefix ip-prefix-name: Displays FIB entries matching a specified IP prefix list, a string of 1 to 19 characters. If the specified IP prefix list does not exist, all FIB entries are displayed.
Currently, the S5810 series Ethernet switches do not support the ip-prefix keyword. That is, they do not display FIB entries matching a specified IP prefix list.
Description
Use the display fib command to display FIB entries. If no parameters are specified, all FIB entries will be displayed.
Examples
# Display all FIB entries.
<Sysname> display fib
Destination count: 4 FIB entry count: 4
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay
Destination/Mask Nexthop Flag OutInterface InnerLabel Token
10.2.0.0/16 10.2.1.1 U M-GE1/0/0 Null Invalid
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid
127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid
# Display FIB information passing ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.2.0.0 0.0.255.255
[Sysname-acl-basic-2000] display fib acl 2000
Destination count: 2 FIB entry count: 2
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay
Destination/Mask Nexthop Flag OutInterface InnerLabel Token
10.2.0.0/16 10.2.1.1 U M-GE1/0/0 Null Invalid
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
# Display the FIB entries starting from the first entry that contains the string 127.
<Sysname> display fib | begin 127
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay
Destination/Mask Nexthop Flag OutInterface InnerLabel Token
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid
127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid
Table 1-1 display fib command output description
Field | Description
Destination count | Total number of destination addresses
FIB entry count | Total number of FIB entries
Destination/Mask | Destination address/length of mask
Nexthop | Address of next hop
Flag | Flags of routes: U: Usable route; G: Gateway route; H: Host route; B: Blackhole route; D: Dynamic route; S: Static route; R: Relay route
OutInterface | Outbound interface
InnerLabel | Inner label
Token | LSP index number
Syntax
display fib ip-address [ mask | mask-length ]
View
Any view
Default Level
1: Monitor level
Parameters
ip-address: Destination IP address, in dotted decimal notation.
mask: IP address mask.
mask-length: Length of IP address mask.
Description
Use the display fib ip-address command to display FIB entries that match the specified destination IP address.
If no mask or mask length is specified, the FIB entry that matches the destination IP address and has the longest mask will be displayed; if the mask is specified, the FIB entry that exactly matches the specified destination IP address will be displayed.
Examples
# Display the FIB entries that match the destination IP address of 10.2.1.1.
<Sysname> display fib 10.2.1.1
Destination count: 1 FIB entry count: 1
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay
Destination/Mask Nexthop Flag OutInterface InnerLabel Token
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
For a description of the above output, refer to Table 1-1.
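The lookup rule in the Description above (longest mask when no mask is given, exact match when one is), as an added Python example that is not part of the original manual. It parses the sample `display fib` output from this page; reading "exactly matches" as "the network derived from the address and mask equals the entry's Destination/Mask" is an assumption, and the function names are illustrative.

```python
import ipaddress

# Sample "display fib" output copied from this page (header lines included).
FIB_TEXT = """\
Destination count: 4 FIB entry count: 4
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay
Destination/Mask Nexthop Flag OutInterface InnerLabel Token
10.2.0.0/16 10.2.1.1 U M-GE1/0/0 Null Invalid
10.2.1.1/32 127.0.0.1 UH InLoop0 Null Invalid
127.0.0.0/8 127.0.0.1 U InLoop0 Null Invalid
127.0.0.1/32 127.0.0.1 UH InLoop0 Null Invalid
"""

# Flag letters as described in Table 1-1.
FLAG_NAMES = {"U": "Usable", "G": "Gateway", "H": "Host", "B": "Blackhole",
              "D": "Dynamic", "S": "Static", "R": "Relay"}


def decode_flags(flags):
    """Expand a Flag column value such as 'UH' into route flag names."""
    return [FLAG_NAMES[c] for c in flags if c in FLAG_NAMES]


def parse_fib(text):
    """Return the FIB entries found in the text, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or "/" not in fields[0]:
            continue
        try:
            network = ipaddress.ip_network(fields[0], strict=False)
            ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # e.g. the "Destination/Mask Nexthop ..." column header
        entries.append({"destination": fields[0], "network": network,
                        "nexthop": fields[1], "flags": decode_flags(fields[2]),
                        "out_interface": fields[3]})
    return entries


def lookup(entries, ip, mask=None):
    """Mimic 'display fib ip-address [ mask | mask-length ]'.

    mask may be a prefix length (16) or a dotted mask ('255.255.0.0').
    Returns the matching entry, or None when nothing matches.
    """
    if mask is None:
        addr = ipaddress.ip_address(ip)
        matches = [e for e in entries if addr in e["network"]]
        return max(matches, key=lambda e: e["network"].prefixlen, default=None)
    # Assumption: exact match means same network and same mask length.
    wanted = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    for entry in entries:
        if entry["network"] == wanted:
            return entry
    return None
```
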
Syntax
display icmp statistics
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display icmp statistics command to display ICMP statistics.
Related commands: display ip interface in IP Addressing Commands of the IP Services Volume; reset ip statistics.
Examples
# Display ICMP statistics.
<Sysname> display icmp statistics
Input: bad formats 0 bad checksum 0
echo 5 destination unreachable 0
source quench 0 redirects 0
echo reply 10 parameter problem 0
timestamp 0 information request 0
mask requests 0 mask replies 0
time exceeded 0
Output:echo 10 destination unreachable 0
source quench 0 redirects 0
echo reply 5 parameter problem 0
timestamp 0 information reply 0
mask requests 0 mask replies 0
time exceeded 0
Table 1-2 display icmp statistics command output description
Field | Description
bad formats | Number of input wrong format packets
bad checksum | Number of input wrong checksum packets
echo | Number of input/output echo packets
destination unreachable | Number of input/output destination unreachable packets
source quench | Number of input/output source quench packets
redirects | Number of input/output redirection packets
echo reply | Number of input/output replies
parameter problem | Number of input/output parameter problem packets
timestamp | Number of input/output time stamp packets
information request | Number of input information request packets
mask requests | Number of input/output mask requests
mask replies | Number of input/output mask replies
information reply | Number of output information reply packets
time exceeded | Number of input/output expiration packets
Syntax
display ip socket [ socktype sock-type ] [ task-id socket-id ]
View
Any view
Default Level
1: Monitor level
Parameters
socktype sock-type: Displays the socket information of this type. The sock type is in the range 1 to 3, corresponding to TCP, UDP and raw IP respectively.
task-id: Displays the socket information of this task. Task ID is in the range 1 to 150.
socket-id: Displays the information of the socket. Socket ID is in the range 0 to 3072.
Description
Use the display ip socket command to display socket information.
Examples
# Display the TCP socket information.
<Sysname> display ip socket
SOCK_STREAM:
Task = VTYD(38), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_REUSEPORT SO_SENDVPNID(3073) SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC
Task = HTTP(36), socketid = 1, Proto = 6,
LA = 0.0.0.0:80, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT,
socket state = SS_PRIV SS_NBIO
Task = ROUT(69), socketid = 10, Proto = 6,
LA = 0.0.0.0:179, FA = 192.168.1.45:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEADDR SO_REUSEPORT SO_SENDVPNID(0),
socket state = SS_PRIV SS_ASYNC
Task = VTYD(38), socketid = 4, Proto = 6,
LA = 192.168.1.40:23, FA = 192.168.1.52:1917,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 237, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC
Task = VTYD(38), socketid = 3, Proto = 6,
LA = 192.168.1.40:23, FA = 192.168.1.84:1503,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC
Task = ROUT(69), socketid = 11, Proto = 6,
LA = 192.168.1.40:1025, FA = 192.168.1.45:179,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_REUSEADDR SO_LINGER SO_SENDVPNID(0),
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = NTPT(37), socketid = 1, Proto = 17,
LA = 0.0.0.0:123, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073),
socket state = SS_PRIV
Task = AGNT(51), socketid = 1, Proto = 17,
LA = 0.0.0.0:161, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073),
socket state = SS_PRIV SS_NBIO SS_ASYNC
Task = RDSO(56), socketid = 1, Proto = 17,
LA = 0.0.0.0:1024, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV
Task = TRAP(52), socketid = 1, Proto = 17,
LA = 0.0.0.0:1025, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 0, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV
Task = RDSO(56), socketid = 2, Proto = 17,
LA = 0.0.0.0:1812, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM,
socket state = SS_PRIV
SOCK_RAW:
Task = ROUT(69), socketid = 8, Proto = 89,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 262144, rcvbuf = 262144, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0) SO_RCVVPNID(0),
socket state = SS_PRIV SS_ASYNC
Task = ROUT(69), socketid = 3, Proto = 2,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 256000, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0) SO_RCVVPNID(0),
socket state = SS_PRIV SS_NBIO SS_ASYNC
Task = ROUT(69), socketid = 2, Proto = 103,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 65536, rcvbuf = 256000, sb_cc = 0, rb_cc = 0,
socket option = SO_SENDVPNID(0) SO_RCVVPNID(0),
socket state = SS_PRIV SS_NBIO SS_ASYNC
Task = ROUT(69), socketid = 1, Proto = 65,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 32767, rcvbuf = 256000, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC
Task = RSVP(73), socketid = 1, Proto = 46,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 4194304, rcvbuf = 4194304, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC
Table 1-3 display ip socket command output description
Field | Description
SOCK_STREAM | TCP socket
SOCK_DGRAM | UDP socket
SOCK_RAW | Raw IP socket
Task | Task number
socketid | Socket ID
Proto | Protocol number of the socket, indicating the protocol type that IP carries
LA | Local address and local port number
FA | Remote address and remote port number
sndbuf | Sending buffer size of the socket, in bytes
rcvbuf | Receiving buffer size of the socket, in bytes
sb_cc | Current data size in the sending buffer (It is available only for TCP that can buffer data)
rb_cc | Data size currently in the receiving buffer
socket option | Socket option
socket state | Socket state
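The `display ip socket` output doubles as an inventory of what the switch is listening on. The following added Python example (not part of the original manual) parses an excerpt of the sample output above and lists management listeners and connected peers. The port-to-service table, the rule that a UDP socket with FA 0.0.0.0:0 counts as a listener, and all function names are assumptions of this example.

```python
import re

# Excerpt of the "display ip socket" sample output shown on this page.
SAMPLE = """\
SOCK_STREAM:
Task = VTYD(38), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_REUSEPORT SO_SENDVPNID(3073) SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC
Task = HTTP(36), socketid = 1, Proto = 6,
LA = 0.0.0.0:80, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_REUSEPORT,
socket state = SS_PRIV SS_NBIO
Task = VTYD(38), socketid = 4, Proto = 6,
LA = 192.168.1.40:23, FA = 192.168.1.52:1917,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 237, rb_cc = 0,
socket option = SO_KEEPALIVE SO_OOBINLINE SO_REUSEPORT SO_SENDVPNID(0) SO_SETKEEPALIVE,
socket state = SS_ISCONNECTED SS_PRIV SS_ASYNC
SOCK_DGRAM:
Task = AGNT(51), socketid = 1, Proto = 17,
LA = 0.0.0.0:161, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0,
socket option = SO_UDPCHECKSUM SO_SENDVPNID(3073),
socket state = SS_PRIV SS_NBIO SS_ASYNC
"""

SECTION = re.compile(r"^(SOCK_STREAM|SOCK_DGRAM|SOCK_RAW):[ \t]*$", re.M)
# One record; the port is optional because raw IP sockets print LA/FA without one.
RECORD = re.compile(
    r"Task = (?P<task>\w+)\((?P<task_id>\d+)\), socketid = (?P<sid>\d+), "
    r"Proto = (?P<proto>\d+),\s*"
    r"LA = (?P<la>[\d.]+)(?::(?P<lport>\d+))?, FA = (?P<fa>[\d.]+)(?::(?P<fport>\d+))?,"
    r".*?socket option = (?P<options>.*?),\s*socket state = (?P<state>[^\n]*)",
    re.S)

# Assumption: well-known ports worth reviewing on a switch's management plane.
REVIEW_PORTS = {("SOCK_STREAM", 23): "Telnet", ("SOCK_STREAM", 80): "HTTP",
                ("SOCK_DGRAM", 161): "SNMP"}


def parse_sockets(text):
    """Split the output into its SOCK_* sections and parse every record."""
    parts = SECTION.split(text)
    sockets = []
    for kind, body in zip(parts[1::2], parts[2::2]):
        for m in RECORD.finditer(body):
            d = m.groupdict()
            sockets.append({
                "type": kind, "task": d["task"], "proto": int(d["proto"]),
                "local": d["la"], "lport": int(d["lport"]) if d["lport"] else None,
                "remote": d["fa"], "rport": int(d["fport"]) if d["fport"] else None,
                "options": d["options"].split(), "state": d["state"].split()})
    return sockets


def is_listener(sock):
    """TCP: SO_ACCEPTCONN is set. UDP (assumption): no remote peer bound."""
    if sock["type"] == "SOCK_STREAM":
        return "SO_ACCEPTCONN" in sock["options"]
    return sock["type"] == "SOCK_DGRAM" and sock["remote"] == "0.0.0.0" and sock["rport"] == 0


def review(sockets):
    """Describe listeners that match REVIEW_PORTS, one string per finding."""
    findings = []
    for s in filter(is_listener, sockets):
        name = REVIEW_PORTS.get((s["type"], s["lport"]))
        if name:
            scope = "all addresses" if s["local"] == "0.0.0.0" else s["local"]
            findings.append(f"{name} listening on {scope} port {s['lport']} (task {s['task']})")
    return findings


def connected_peers(sockets):
    """Return (remote address, local port) for sockets in SS_ISCONNECTED state."""
    return [(s["remote"], s["lport"]) for s in sockets if "SS_ISCONNECTED" in s["state"]]
```
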
Syntax
display ip statistics
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display ip statistics command to display statistics of IP packets.
Related commands: display ip interface in IP Addressing Commands of the IP Services Volume; reset ip statistics.
Examples
# Display statistics of IP packets.
<Sysname> display ip statistics
Input: sum 7120 local 112
bad protocol 0 bad format 0
bad checksum 0 bad options 0
Output: forwarding 0 local 27
dropped 0 no route 2
compress fails 0
Fragment:input 0 output 0
dropped 0
fragmented 0 couldn't fragment 0
Reassembling:sum 0 timeouts 0
Table 1-4 display ip statistics command output description
Field | Description
Input:
sum | Total number of packets received
local | Total number of packets with destination being local
bad protocol | Total number of unknown protocol packets
bad format | Total number of packets with incorrect format
bad checksum | Total number of packets with incorrect checksum
bad options | Total number of packets with incorrect option
Output:
forwarding | Total number of packets forwarded
local | Total number of packets sent from the local
dropped | Total number of packets discarded
no route | Total number of packets for which no route is available
compress fails | Total number of packets failed to be compressed
Fragment:
input | Total number of fragments received
output | Total number of fragments sent
dropped | Total number of fragments dropped
fragmented | Total number of packets successfully fragmented
couldn't fragment | Total number of packets that failed to be fragmented
Reassembling
sum | Total number of packets reassembled
timeouts | Total number of reassembly timeout fragments
Syntax
display tcp statistics
View
Default Level
1: Monitor level
Parameters
None
Description
Use the display tcp statistics command to display statistics of TCP traffic.
Related commands: display tcp status, reset tcp statistics.
Examples
# Display statistics of TCP traffic.
<Sysname> display tcp statistics
Received packets:
Total: 8457
packets in sequence: 3660 (5272 bytes)
window probe packets: 0, window update packets: 0
checksum error: 0, offset error: 0, short error: 0
duplicate packets: 1 (8 bytes), partially duplicate packets: 0 (0 bytes)
out-of-order packets: 17 (0 bytes)
packets of data after window: 0 (0 bytes)
packets received after close: 0
ACK packets: 4625 (141989 bytes)
duplicate ACK packets: 1702, too much ACK packets: 0
Sent packets:
Total: 6726
urgent packets: 0
control packets: 21 (including 0 RST)
window probe packets: 0, window update packets: 0
data packets: 6484 (141984 bytes) data packets retransmitted: 0 (0 bytes)
ACK-only packets: 221 (177 delayed)
Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
Keepalive timeout: 1682, keepalive probe: 1682, Keepalive timeout, so connections disconnected : 0
Initiated connections: 0, accepted connections: 22, established connections: 22
Closed connections: 49 (dropped: 0, initiated dropped: 0)
Packets dropped with MD5 authentication: 0
Packets permitted with MD5 authentication: 0
Table 1-5 display tcp statistics command output description
Field | Description
Received packets:
Total | Total number of packets received
packets in sequence | Number of packets arriving in sequence
window probe packets | Number of window probe packets received
window update packets | Number of window update packets received
checksum error | Number of checksum error packets received
offset error | Number of offset error packets received
short error | Number of received packets with length being too small
duplicate packets | Number of completely duplicate packets received
partially duplicate packets | Number of partially duplicate packets received
out-of-order packets | Number of out-of-order packets received
packets of data after window | Number of packets outside the receiving window
packets received after close | Number of packets that arrived after connection is closed
ACK packets | Number of ACK packets received
duplicate ACK packets | Number of duplicate ACK packets received
too much ACK packets | Number of ACK packets for data unsent
Sent packets:
Total | Total number of packets sent
urgent packets | Number of urgent packets sent
control packets | Number of control packets sent
window probe packets | Number of window probe packets sent; in the brackets are resent packets
window update packets | Number of window update packets sent
data packets | Number of data packets sent
data packets retransmitted | Number of data packets retransmitted
ACK-only packets | Number of ACK packets sent; in brackets are delayed ACK packets
Retransmitted timeout | Number of retransmission timer timeouts
connections dropped in retransmitted timeout | Number of connections broken due to retransmission timeouts
Keepalive timeout | Number of keepalive timer timeouts
keepalive probe | Number of keepalive probe packets sent
Keepalive timeout, so connections disconnected | Number of connections broken due to timeout of the keepalive timer
Initiated connections | Number of connections initiated
accepted connections | Number of connections accepted
established connections | Number of connections established
Closed connections | Number of connections closed; in brackets are connections closed accidentally (before receiving SYN from the peer) and connections closed initiatively (after receiving SYN from the peer)
Packets dropped with MD5 authentication | Number of packets dropped by MD5 authentication
Packets permitted with MD5 authentication | Number of packets permitted by MD5 authentication
Syntax
display tcp status
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display tcp status command to display status of all TCP connections for monitoring TCP connections.
Examples
# Display status of all TCP connections.
<Sysname> display tcp status
*: TCP MD5 Connection
TCPCB Local Add:port Foreign Add:port State
03e37dc4 0.0.0.0:4001 0.0.0.0:0 Listening
04217174 100.0.0.204:23 100.0.0.253:65508 Established
Table 1-6 display tcp status command output description
Field | Description
* | If the status information of a TCP connection contains *, the TCP adopts the MD5 algorithm for authentication.
TCPCB | TCP control block
Local Add:port | Local IP address and port number
Foreign Add:port | Remote IP address and port number
State | State of the TCP connection
Syntax
display udp statistics
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display udp statistics command to display statistics of UDP packets.
Related commands: reset udp statistics.
Examples
# Display statistics of UDP packets.
<Sysname> display udp statistics
Received packets:
Total: 0
checksum error: 0
shorter than header: 0, data length larger than packet: 0
unicast(no socket on port): 0
broadcast/multicast(no socket on port): 0
not delivered, input socket full: 0
input packets missing pcb cache: 0
Sent packets:
Total: 0
Table 1-7 display udp statistics command output description
Field | Description
Received packets:
Total | Total number of UDP packets received
checksum error | Total number of packets with incorrect checksum
shorter than header | Number of packets with data shorter than header
data length larger than packet | Number of packets with data longer than packet
unicast(no socket on port) | Number of unicast packets with no socket on port
broadcast/multicast(no socket on port) | Number of broadcast/multicast packets without socket on port
not delivered, input socket full | Number of packets not delivered to an upper layer due to a full socket cache
input packets missing pcb cache | Number of packets without matching protocol control block (PCB) cache
Sent packets:
Total | Total number of UDP packets sent
Syntax
ip forward-broadcast [ acl acl-number ]
undo ip forward-broadcast
View
Interface view
Default Level
2: System level
Parameters
acl acl-number: Access control list number, in the range 2000 to 3999. From 2000 to 2999 are numbers for basic ACLs, and from 3000 to 3999 are numbers for advanced ACLs. Only directed broadcasts permitted by the ACL can be forwarded.
Description
Use the ip forward-broadcast command to enable the interface to forward directed broadcasts to a directly-connected network.
Use the undo ip forward-broadcast command to disable the interface from forwarding directed broadcasts to a directly-connected network.
By default, an interface is disabled from forwarding directed broadcasts to a directly-connected network.
Examples
# Enable VLAN-interface 2 to forward the directed broadcasts to a directly-connected network matching ACL 2001.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] ip forward-broadcast acl 2001
Syntax
ip forward-broadcast
undo ip forward-broadcast
View
System view
Default Level
2: System level
Parameters
None
Description
Use the ip forward-broadcast command to enable the device to receive directed broadcasts.
Use the undo ip forward-broadcast command to disable the device from receiving directed broadcasts.
By default, the device is enabled to receive directed broadcasts.
Currently, this command is ineffective on the S5810 series Ethernet switches. That is, the switches cannot be disabled from receiving directed broadcasts.
Examples
# Enable the device to receive directed broadcasts.
<Sysname> system-view
[Sysname] ip forward-broadcast
Syntax
ip redirects enable
undo ip redirects
View
System view
Default Level
2: System level
Parameters
None
Description
Use the ip redirects enable command to enable sending of ICMP redirection packets.
Use the undo ip redirects command to disable sending of ICMP redirection packets.
This feature is disabled by default.
Examples
# Enable sending of ICMP redirect packets.
<Sysname> system-view
[Sysname] ip redirects enable
Syntax
ip ttl-expires enable
undo ip ttl-expires
View
System view
Default Level
2: System level
Parameters
None
Description
Use the ip ttl-expires enable command to enable sending of ICMP timeout packets.
Use the undo ip ttl-expires command to disable sending of ICMP timeout packets.
Sending ICMP timeout packets is disabled by default.
If the feature is disabled, the device will not send TTL timeout ICMP packets, but will still send “reassembly timeout” ICMP packets.
Examples
# Enable sending of ICMP timeout packets.
<Sysname> system-view
[Sysname] ip ttl-expires enable
Syntax
ip unreachables enable
undo ip unreachables
View
System view
Default Level
2: System level
Parameters
None
Description
Use the ip unreachables enable command to enable sending of ICMP destination unreachable packets.
Use the undo ip unreachables command to disable sending of ICMP destination unreachable packets.
Sending ICMP destination unreachable packets is disabled by default.
Examples
# Enable sending of ICMP destination unreachable packets.
<Sysname> system-view
[Sysname] ip unreachables enable
Syntax
reset ip statistics
View
User view
Default Level
2: System level
Parameters
None
Description
Use the reset ip statistics command to clear statistics of IP packets.
Related commands: display ip interface in IP Addressing Commands of the IP Services Volume; display ip statistics.
Examples
# Clear statistics of IP packets.
<Sysname> reset ip statistics
Syntax
reset tcp statistics
View
User view
Default Level
2: System level
Parameters
None
Description
Use the reset tcp statistics command to clear statistics of TCP traffic.
Related commands: display tcp statistics.
Examples
# Clear statistics of TCP traffic.
<Sysname> reset tcp statistics
Syntax
reset udp statistics
View
User view
Default Level
2: System level
Parameters
None
Description
Use the reset udp statistics command to clear statistics of UDP traffic.
Examples
# Clear statistics of UDP traffic.
<Sysname> reset udp statistics
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the tcp anti-naptha enable command to enable the protection against Naptha attack.
Use the undo tcp anti-naptha enable command to disable the protection against Naptha attack.
By default, the protection against Naptha attack is disabled.
Note that the configurations made by using the tcp state and tcp timer check-state commands will be removed after the protection against Naptha attack is disabled.
Examples
# Enable the protection against Naptha attack.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
Syntax
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number number
undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number
View
System view
Default Level
2: System level
Parameters
closing: CLOSING state of a TCP connection.
established: ESTABLISHED state of a TCP connection.
fin-wait-1: FIN_WAIT_1 state of a TCP connection.
fin-wait-2: FIN_WAIT_2 state of a TCP connection.
last-ack: LAST_ACK state of a TCP connection.
syn-received: SYN_RECEIVED state of a TCP connection.
connection-number number: Maximum number of TCP connections in a certain state. The argument number is in the range of 0 to 500.
Description
Use the tcp state command to configure the maximum number of TCP connections in a state. When this number is exceeded, the aging of TCP connections in this state will be accelerated.
Use the undo tcp state command to restore the default.
By default, the maximum number of TCP connections in each state is 5.
Note the following points:
- You need to enable the protection against Naptha attack before executing this command. Otherwise, an error will be prompted.
- You can configure the maximum number of TCP connections in each state separately.
- If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state will not be accelerated.
Related commands: tcp anti-naptha enable.
Examples
# Set the maximum number of TCP connections in the ESTABLISHED state to 100.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp state established connection-number 100
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the tcp syn-cookie enable command to enable the SYN Cookie feature to protect the device against SYN Flood attacks.
Use the undo tcp syn-cookie enable command to disable the SYN Cookie feature.
By default, the SYN Cookie feature is disabled.
Examples
# Enable the SYN Cookie feature.
<Sysname> system-view
[Sysname] tcp syn-cookie enable
Syntax
tcp timer check-state time-value
undo tcp timer check-state
View
System view
Default Level
2: System level
Parameters
time-value: TCP connection state check interval in seconds, in the range of 1 to 60.
Description
Use the tcp timer check-state command to configure the TCP connection state check interval.
Use the undo tcp timer check-state command to restore the default.
By default, the TCP connection state check interval is 30 seconds.
The device periodically checks the number of TCP connections in each state. If it detects that the number of TCP connections in a state exceeds the maximum number, it will accelerate the aging of TCP connections in such a state.
Note that you need to enable the protection against Naptha attack before executing this command. Otherwise, an error will be prompted.
Related commands: tcp anti-naptha enable.
Examples
# Set the TCP connection state check interval to 40 seconds.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 40
Syntax
tcp timer fin-timeout time-value
undo tcp timer fin-timeout
View
System view
Default Level
2: System level
Parameters
time-value: Length of the TCP finwait timer in seconds, in the range 76 to 3,600.
Description
Use the tcp timer fin-timeout command to configure the length of the TCP finwait timer.
Use the undo tcp timer fin-timeout command to restore the default.
By default, the length of the TCP finwait timer is 675 seconds.
Note that the actual length of the finwait timer is determined by the following formula:
Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer
Related commands: tcp timer syn-timeout, tcp window.
Examples
# Set the length of the TCP finwait timer to 800 seconds.
<Sysname> system-view
[Sysname] tcp timer fin-timeout 800
Syntax
tcp timer syn-timeout time-value
undo tcp timer syn-timeout
View
System view
Default Level
2: System level
Parameters
time-value: Length of the TCP synwait timer in seconds, in the range 2 to 600.
Description
Use the tcp timer syn-timeout command to configure the length of the TCP synwait timer.
Use the undo tcp timer syn-timeout command to restore the default.
By default, the value of the TCP synwait timer is 75 seconds.
Related commands: tcp timer fin-timeout, tcp window.
Examples
# Set the length of the TCP synwait timer to 80 seconds.
<Sysname> system-view
[Sysname] tcp timer syn-timeout 80
Syntax
tcp window window-size
undo tcp window
View
System view
Default Level
2: System level
Parameters
window-size: Size of the send/receive buffer in KB, in the range 1 to 32.
Description
Use the tcp window command to configure the size of the TCP send/receive buffer.
Use the undo tcp window command to restore the default.
The size of the TCP send/receive buffer is 8 KB by default.
Related commands: tcp timer fin-timeout, tcp timer syn-timeout.
Examples
# Configure the size of the TCP send/receive buffer as 3 KB.
<Sysname> system-view
[Sysname] tcp window 3