04-Layer 3 Configuration Guide
11-IP Performance Optimization Configuration
Optimizing IP performance
This chapter describes multiple features for IP performance optimization.
Configuring TCP attributes
This section provides information about configuring TCP attributes.
Configuring TCP MSS for the interface
The Maximum Segment Size (MSS) option informs the receiver of the largest segment that the sender is willing to accept. Each end announces the MSS it expects to receive during TCP connection establishment. The end that receives the MSS value from the other end then limits the size of each TCP segment it sends.
· If the size of a TCP segment is smaller than the MSS of the other end, the TCP segment is sent to the other end without being fragmented.
· If the size of a TCP segment is the same as or larger than the MSS of the other end, the TCP segment is fragmented according to the MSS before being sent.
When you configure TCP MSS of the interface, follow these guidelines:
· If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.
· This configuration takes effect only for TCP connections that are established after the configuration rather than the TCP connections that already exist.
· This configuration is effective only for IP packets.
To configure TCP MSS of the interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the TCP MSS of the interface. | tcp mss value | Optional. The TCP MSS is 1460 bytes by default. |
Configuring TCP path MTU discovery
CAUTION: All the devices on the TCP path must be enabled to send ICMP error messages by using the ip unreachables enable command.
TCP path MTU discovery (in RFC 1191) discovers the path MTU between the source and destination ends of a TCP connection. It works as follows:
1. A TCP source device sends a packet with the Don't Fragment (DF) bit set.
2. A router that fails to forward the packet because it exceeds the MTU on the outgoing interface discards the packet and returns an ICMP error message, which contains the MTU of the outgoing interface.
3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.
4. The TCP source device sends subsequent TCP segments that are each smaller than the MSS (MSS = path MTU – IP header length – TCP header length).
If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device fragments packets.
An ICMP error message received from a router that does not support RFC 1191 has the MTU of the outgoing interface set to 0. Upon receiving the ICMP message, the TCP source device selects the path MTU smaller than the current path MTU from the MTU table as described in RFC 1191 to calculate the TCP MSS. The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, and 65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU is 72 bytes.
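The MSS derivation in steps 1 to 4 and the plateau-table fallback described above, as an added example that is not part of this guide: it models the source device's behaviour in Python. The header lengths (20-byte IPv4 and TCP headers without options), the reading of "the path MTU smaller than the current path MTU" as the largest table entry below it, and the return of None once the 72-byte floor is reached are assumptions of the example.

```python
"""Added example (not H3C's code): models how a TCP source derives its MSS
from the path MTU and how it falls back to the RFC 1191 plateau table when
a router reports a next-hop MTU of 0. The header lengths, the 32-byte
minimum MSS and the MTU table are taken from the text; choosing the largest
table entry below the current path MTU is an assumption."""

IP_HEADER_LEN = 20      # IPv4 header without options (assumed)
TCP_HEADER_LEN = 20     # TCP header without options (assumed)
MIN_MSS = 32            # minimum TCP MSS stated in the text
MIN_PATH_MTU = MIN_MSS + IP_HEADER_LEN + TCP_HEADER_LEN   # 72 bytes, as the text says

# RFC 1191 plateau table, as listed in the text
MTU_TABLE = [68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, 65535]


def mss_for_path_mtu(path_mtu):
    """MSS = path MTU - IP header length - TCP header length."""
    return path_mtu - IP_HEADER_LEN - TCP_HEADER_LEN


def next_path_mtu(current_path_mtu, icmp_next_hop_mtu):
    """Path MTU after a Fragmentation Needed message arrives.

    icmp_next_hop_mtu == 0 means the reporting router predates RFC 1191, so
    the source steps down to the next plateau below its current path MTU.
    Returns None when the path MTU is already at the 72-byte floor: the text
    says the source then stops relying on DF and fragments packets itself.
    """
    if current_path_mtu <= MIN_PATH_MTU:
        return None
    if icmp_next_hop_mtu > 0:
        candidate = min(icmp_next_hop_mtu, current_path_mtu)
    else:
        below = [m for m in MTU_TABLE if m < current_path_mtu]
        candidate = below[-1] if below else MIN_PATH_MTU   # assumption: largest entry below
    # The 68-byte plateau would give an MSS of 28, under the 32-byte minimum,
    # so the path MTU is clamped at 72 bytes.
    return max(candidate, MIN_PATH_MTU)


def segment_size(path_mtu, peer_mss):
    """Largest segment the source sends: bounded both by the path MTU and by
    the MSS the peer announced during the three-way handshake."""
    return min(mss_for_path_mtu(path_mtu), peer_mss)


def simulate(initial_path_mtu, icmp_next_hop_mtus, peer_mss=1460):
    """Apply a sequence of ICMP next-hop MTUs and return the segment size used
    after each one; a trailing None marks the point where the source gives up
    on path MTU discovery and fragments."""
    path_mtu = initial_path_mtu
    sizes = []
    for reported in icmp_next_hop_mtus:
        path_mtu = next_path_mtu(path_mtu, reported)
        if path_mtu is None:
            sizes.append(None)
            break
        sizes.append(segment_size(path_mtu, peer_mss))
    return sizes


if __name__ == "__main__":
    # Constructed sequence: an RFC 1191 router reporting 1400, a pre-RFC 1191
    # router reporting 0, then a 1000-byte link.
    print(simulate(1500, [1400, 0, 1000]))
```

The clamp in next_path_mtu is the detail worth checking on a real device: a router that reports MTU 0 forces the source down the plateau table one step per ICMP message, so a path with several such routers converges slowly, and a flood of spoofed messages would drive the MSS to the 32-byte floor. That is why the aging mechanism described below matters.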
After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.
The path MTU uses an aging mechanism to make sure the source device can increase the path MTU when the minimum link MTU on the path increases:
· When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an age timer for the path MTU.
· After the age timer expires, the source device uses a larger MSS in the MTU table as described in RFC 1191.
· If no ICMP error message is received within two minutes, the source device increases the MSS again until the MSS is as large as the MSS negotiated during TCP three-way handshake.
To enable TCP path MTU discovery:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable TCP path MTU discovery. | tcp path-mtu-discovery [ aging minutes | no-aging ] | Disabled by default. |
Configuring the TCP send/receive buffer size
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the size of the TCP receive/send buffer. | tcp window window-size | Optional. 8 KB by default. |
Configuring TCP timers
You can configure the following TCP timers:
· synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
· finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
¡ If no FIN packet is received within the timer interval, the TCP connection is terminated. If a FIN packet is received, the TCP connection state changes to TIME_WAIT.
¡ If a non-FIN packet is received, the system restarts the timer upon receiving the last non-FIN packet. The connection is broken after the timer expires.
The actual finwait timer is determined by the following formula:
Actual finwait timer = (Configured finwait timer – 75) + configured synwait timer
To configure TCP timers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure TCP timers. | · Configure the TCP synwait timer: · Configure the TCP finwait timer: | Optional. By default, the synwait timer is 75 seconds and the finwait timer is 675 seconds. |
Enabling sending ICMP error messages
Perform this task to enable sending ICMP error messages, including redirect, time-exceeded, and destination unreachable messages.
· ICMP redirect messages
The ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing tables.
A host that has only one default route sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop when all of the following conditions are met:
¡ The receiving and sending interfaces are the same.
¡ The selected route is not created or modified by an ICMP redirect message.
¡ The selected route is not the default route of the device.
¡ There is no source route option in the received packet.
· ICMP time-exceeded messages
A device sends ICMP time-exceeded messages by following these rules:
¡ If a received packet is not destined for the device and the TTL field of the packet is 1, the device sends an ICMP TTL Expired in Transit message to the source.
¡ When the device receives the first fragment of an IP datagram destined for it, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP Fragment Reassembly Timeout message to the source.
· ICMP destination unreachable messages
A device sends ICMP destination unreachable messages by following these rules:
¡ If a packet does not match any route and there is no default route in the routing table, the device sends a Network Unreachable ICMP error message to the source.
¡ If a packet is destined for the device but the transport layer protocol of the packet is not supported by the device, the device sends a Protocol Unreachable ICMP error message to the source.
¡ If a UDP packet is destined for the device but the packet's port number does not match the corresponding process, the device sends the source a Port Unreachable ICMP error message.
¡ If the source uses Strict Source Routing to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device sends the source a Source Routing Failure ICMP error message.
¡ If the MTU of the sending interface is smaller than the packet and the packet has the DF bit set, the device sends the source a Fragmentation Needed and DF-set ICMP error message.
To enable sending ICMP error messages:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable sending ICMP error messages. | · Enable sending ICMP redirect messages: · Enable sending ICMP time-exceeded messages: · Enable sending ICMP destination unreachable messages: | Disabled by default. |
Sending ICMP error messages facilitates network management, but sending excessive ICMP messages increases network traffic. A device's performance degrades if it receives a lot of malicious packets that cause it to respond with ICMP error messages.
To prevent such problems, you can disable the device from sending ICMP error messages. A device disabled from sending ICMP time-exceeded messages does not send ICMP TTL Expired messages but can still send ICMP Fragment Reassembly Timeout messages.
Configuring IP virtual fragment reassembly
To make sure fragments arrive at a service module in order, the IP virtual fragment reassembly feature virtually reassembles the fragments of a datagram through fragment check, sequencing, and caching. The IP virtual fragment reassembly feature also prevents some service modules (such as IPsec, NAT, and firewall) from processing packet fragments that do not arrive in order.
For security purposes, the IP virtual fragment reassembly feature can detect the following types of fragment attacks, and discard the attack fragments:
· Tiny fragment attack—If the first fragment of an incoming datagram is very small and the Layer 4 (such as TCP and UDP) header is placed into the second fragment, the datagram is considered a tiny fragment attack.
· Overlapping fragment attack—If two consecutive incoming fragments are identical or overlap each other, they are considered an overlapping fragment attack.
· Fragment-flood attack—If the number of concurrent reassemblies or the number of fragments per datagram exceeds the upper limits, the reassemblies or fragments are considered a fragment-flood attack.
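The three fragment checks listed above, as an added example that is not part of this guide: a Python model that checks, sequences and caches constructed fragment descriptors per datagram. The Layer 4 header lengths used for the tiny-fragment test, the default limits, the status strings and the keying of datagrams by the Identification field alone (a real implementation also keys on addresses and protocol, and ages entries out with the timeout) are assumptions of the example.

```python
"""Added example (not H3C's code): a small model of the three fragment checks
the text lists for IP virtual fragment reassembly. Fragments are described by
constructed (id, offset, length, MF) values; the Layer 4 header lengths, the
limit defaults and the status strings are assumptions for the example."""
import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    datagram_id: int   # IP Identification field shared by all fragments of one datagram
    offset: int        # byte offset of the payload within the original datagram
    length: int        # payload length in bytes
    more: bool         # More Fragments (MF) flag


# Bytes the first fragment must carry so the Layer 4 header is inside it (assumed sizes)
L4_HEADER_LEN = {"tcp": 20, "udp": 8}


def is_tiny_fragment(frag, proto):
    """Tiny fragment: a first fragment too short to hold the Layer 4 header,
    which pushes that header into the second fragment."""
    return frag.offset == 0 and frag.more and frag.length < L4_HEADER_LEN[proto]


def overlaps(a, b):
    """True if the two fragments cover any byte in common (identical ones included)."""
    return a.offset < b.offset + b.length and b.offset < a.offset + a.length


def is_complete(frags):
    """Sorted fragments form the whole datagram: contiguous from 0, MF clear on the last."""
    expected = 0
    for f in frags:
        if f.offset != expected:
            return False
        expected += f.length
    return bool(frags) and not frags[-1].more


class VirtualReassembler:
    """Checks, sequences and caches fragments per datagram. max_fragments and
    max_reassemblies mirror the command's options; the defaults are assumed."""

    def __init__(self, max_fragments=32, max_reassemblies=16):
        self.max_fragments = max_fragments
        self.max_reassemblies = max_reassemblies
        self.pending = {}   # datagram_id -> fragments kept in offset order

    def accept(self, frag, proto="tcp"):
        """Return 'accepted', 'reassembled', or a 'drop-...' reason."""
        if is_tiny_fragment(frag, proto):
            return "drop-tiny-fragment"
        frags = self.pending.get(frag.datagram_id)
        if frags is None:
            if len(self.pending) >= self.max_reassemblies:
                return "drop-flood-reassemblies"   # too many concurrent reassemblies
            frags = self.pending[frag.datagram_id] = []
        if len(frags) >= self.max_fragments:
            return "drop-flood-fragments"          # too many fragments in one datagram
        # Sequencing: place the fragment by offset and compare with its neighbours.
        i = bisect.bisect_right([f.offset for f in frags], frag.offset)
        prev = frags[i - 1] if i > 0 else None
        nxt = frags[i] if i < len(frags) else None
        if (prev and overlaps(prev, frag)) or (nxt and overlaps(frag, nxt)):
            return "drop-overlapping-fragment"
        frags.insert(i, frag)
        if is_complete(frags):
            del self.pending[frag.datagram_id]     # ordered datagram handed on, cache freed
            return "reassembled"
        return "accepted"


if __name__ == "__main__":
    r = VirtualReassembler(max_fragments=4, max_reassemblies=2)
    # Constructed fragments: an 8-byte TCP first fragment, then a clean 2-fragment datagram.
    print(r.accept(Fragment(1, 0, 8, True)))      # drop-tiny-fragment
    print(r.accept(Fragment(1, 0, 24, True)))     # accepted
    print(r.accept(Fragment(1, 24, 24, False)))   # reassembled
```

The overlap test is deliberately applied against both neighbours in offset order rather than only against the previous arrival, so a fragment that arrives out of order is still compared with what it would sit next to after sequencing.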
Configuration guidelines
When you configure the IP virtual fragment reassembly feature, follow these guidelines:
· The IP virtual fragment reassembly feature only applies to incoming packets on an interface.
· The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP datagram cannot arrive through different interfaces.
· Enable IP virtual fragment reassembly before you enable NAT on an AC.
Configuration procedure
To configure IP virtual fragment reassembly:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable IP virtual fragment reassembly. | ip virtual-reassembly [ drop-fragments | max-fragments number | max-reassemblies number | timeout seconds ] * | By default, the feature is disabled. |
Displaying and maintaining IP performance optimization
Task | Command | Remarks |
---|---|---|
Display TCP connection statistics. | display tcp statistics [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Display UDP statistics. | display udp statistics [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Display statistics of IP packets. | display ip statistics [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Display ICMP statistics. | display icmp statistics [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Display the IP virtual fragment reassembly information for interfaces. | display ip virtual-reassembly [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Display socket information. | display ip socket [ socktype sock-type ] [ task-id socket-id ] [ | { begin | exclude | include } regular-expression ] | Available in any view. |
Clear statistics of IP packets. | reset ip statistics | Available in user view. |
Clear statistics of TCP connections. | reset tcp statistics | Available in user view. |
Clear statistics of UDP traffic. | reset udp statistics | Available in user view. |