06-Layer 3—IP Services Command Reference

09-IP performance optimization commands

IP performance optimization commands

display icmp statistics

Use display icmp statistics to display ICMP statistics.

Syntax

display icmp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ICMP statistics for all cards.

Usage guidelines

ICMP statistics include information about received and sent ICMP packets.

Examples

# Display ICMP statistics.

<Sysname> display icmp statistics

  Input: bad formats   0                   bad checksum            0

         echo          175                 destination unreachable 0

         source quench 0                   redirects               0

         echo replies  201                 parameter problem       0

         timestamp     0                   information requests    0

         mask requests 0                   mask replies            0

         time exceeded 0                   invalid type            0

         router advert 0                   router solicit          0

         broadcast/multicast echo requests ignored            0

         broadcast/multicast timestamp requests ignored       0

 Output: echo          0                   destination unreachable 0

         source quench 0                   redirects               0

         echo replies  175                 parameter problem       0

         timestamp     0                   information replies     0

         mask requests 0                   mask replies            0

         time exceeded 0                   bad address             0

         packet error  1442                router advert           3

Table 1 Command output

Field

Description

bad formats

Number of received messages with format errors.

bad checksum

Number of received messages with checksum errors.

echo

Number of received or sent ICMP echo request messages.

destination unreachable

Number of received or sent destination unreachable messages.

source quench

Number of received or sent source quench messages.

redirects

Number of received or sent redirect messages.

echo replies

Number of received or sent echo reply messages.

parameter problem

Number of received or sent parameter problem messages.

timestamp

Number of received timestamp request messages or number of sent timestamp reply messages.

information requests

Number of received information request messages.

mask requests

Number of received or sent mask request messages.

mask replies

Number of received or sent mask reply messages.

invalid type

Number of received messages with invalid type.

router solicit

Number of received RS messages.

broadcast/multicast echo requests ignored

Number of dropped incoming broadcast or multicast echo request messages.

broadcast/multicast timestamp requests ignored

Number of dropped incoming broadcast or multicast timestamp request messages.

information replies

Number of sent information reply messages.

time exceeded

Number of received or sent ICMP time exceeded messages.

bad address

Number of sent messages with invalid destination addresses.

packet error

Number of sent error messages.

router advert

Number of received or sent RA messages.

display ip statistics

Use display ip statistics to display IP packet statistics.

Syntax

display ip statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IP packet statistics for all cards.

Usage guidelines

This command displays IP statistics that include information about received and sent packets, fragments, and reassembly. The command output in standard forwarding mode is different from that in high performance forwarding mode. For more information about high performance forwarding, see IP forwarding basics configuration in Layer 3—IP Services Configuration Guide.

Examples

# Display IP packet statistics (Standard forwarding mode).

<Sysname> display ip statistics

  Input:           sum            7120          local             112

                   bad protocol   0             bad format        0

                   bad checksum   0             bad options       0

  Output:          forwarding     0             local             27

                   dropped        0             no route          2

                   compress fails 0

  Reassembling:    fragments      0             reassembled       0

                   dropped        0             timeouts          0

  Fragment:        fragmented     0             couldn't fragment 0

                   output frags   0

  Forwarded Frags: sum            0

# Display IP packet statistics (High performance forwarding mode).

<Sysname> display ip statistics

Input:

          sum                7120          local             112

          bad protocol       0             bad format        0

          bad checksum       0             bad options       0

          bad version        0             bad header length 0

          bad length         0             ttl exceeded      0

          too short          0             cant forward      0

          discarded          0

Output:

          forwarding         0             local             27

          dropped            0             no route          2

          compress fails     0             cant forward      0

          ttl exceeded       0             redirect          0

          broadcast drop     0

Reassembling:

          fragments          0             reassembled       0

          dropped            0             timeouts          0

          too many fragments 0             handoff congest   0

          duplicate          0             limit reached     0

          malformed          0             internal error    0

          attack             0

Fragment:

          fragmented         0             couldn't fragment 0

          output frags       0             small packet      0

          cant frag header   0             malformed         0

          no buffer          0             offset one        0

Forwarded Frags: sum         0

VFR Reassembling:

          too many fragments 0             handoff congest   0

          malformed          0             limit reached     0

          attack             0             reassembled       0

Table 2 Command output

Field

Description

Input

Statistics about received packets:

·     sum—Total number of packets received.

·     local—Total number of packets destined for the device.

·     bad protocol—Total number of unknown protocol packets.

·     bad format—Total number of packets with incorrect format.

·     bad checksum—Total number of packets with incorrect checksum.

·     bad options—Total number of packets with incorrect option.

·     bad version—Total number of packets with incorrect IP protocol version.

·     bad header length—Total number of packets with incorrect IP header length.

·     bad length—Total number of packets with incorrect length.

·     ttl exceeded—Total number of TTL-exceeded packets.

·     too short—Total number of packets with too short length.

·     cant forward—Total number of packets that cannot be forwarded.

·     discarded—Total number of discarded packets.

Output

Statistics about sent packets:

·     forwarding—Total number of packets forwarded.

·     local—Total number of packets locally sent.

·     dropped—Total number of packets discarded.

·     no route—Total number of packets for which no route is available.

·     compress fails—Total number of packets that failed to be compressed.

·     cant forward—Total number of packets that cannot be forwarded.

·     ttl exceeded—Total number of TTL-exceeded packets.

·     redirect—Total number of redirected packets.

·     broadcast drop—Total number of dropped broadcast packets.

Reassembling

Statistics about reassembling:

·     fragments—Total number of fragments that need reassembling.

·     reassembled—Total number of packets reassembled.

·     dropped—Total number of dropped fragments that failed the reassembling.

·     timeouts—Total number of reassembly timeouts.

·     too many fragments—Total number of fragments exceeding the fragment count limit.

·     handoff congest—Total number of fragments that were dropped because of handoff congestion.

·     duplicate—Total number of duplicate fragments.

·     limit reached—Total number of fragments exceeding the fragment count limit of each thread.

·     malformed—Total number of malformed fragments.

·     internal error—Total number of fragments with internal errors.

·     attack—Total number of attack fragments.

Fragment

Statistics about fragments:

·     fragmented—Total number of packets successfully fragmented.

·     couldn't fragment—Total number of packets that failed to be fragmented.

·     output frags—Total number of fragments sent.

·     cant frag header—Total number of packets whose header length was larger than the MTU.

·     malformed—Total number of malformed packets.

·     no buffer—Total number of packets that failed to be fragmented because of insufficient memory.

·     offset one—Total number of packets whose offset value was one.

Forwarded Frags

Statistics about forwarded fragments. The sum field displays the total number of fragments that are directly forwarded.

VFR Reassembling

Statistics about VFR reassembling:

·     too many fragments—Total number of fragments exceeding the fragment count limit.

·     handoff congest—Total number of fragments that were dropped because of handoff congestion.

·     malformed—Total number of malformed fragments.

·     limit reached—Total number of fragments exceeding the fragment count limit of each thread.

·     attack—Total number of attack fragments.

·     reassembled—Total number of packets that were reassembled successfully.

Related commands

display ip interface (Layer 3—IP Services Command Reference)

reset ip statistics
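The counters in Table 2 are cumulative, so they are most useful when two snapshots are compared. The following Python sketch is an added example, not H3C code: it parses `display ip statistics` output per section (names such as dropped and malformed repeat across sections) and reports which anomaly counters grew. The `WATCHED` selection and both snapshots are constructed for the example.

```python
"""Diff two `display ip statistics` snapshots and report anomaly counters."""
import re

# Counters this example chooses to alert on, taken from the fields in Table 2.
WATCHED = {
    "Input": {"bad checksum", "bad options", "bad version",
              "bad header length", "bad length", "too short"},
    "Reassembling": {"attack", "malformed", "too many fragments",
                     "limit reached", "duplicate", "timeouts"},
    "VFR Reassembling": {"attack", "malformed", "too many fragments",
                         "limit reached"},
}

_SECTION = re.compile(r"\s*([A-Z][A-Za-z ]*):(.*)")  # "Input:" or "Forwarded Frags: sum 0"
_COUNTER = re.compile(r"([a-z][a-z' ]*?)\s+(\d+)")   # e.g. "couldn't fragment 0"


def parse_ip_statistics(text):
    """Return {(section, field): value}. Field names repeat across sections,
    so the section header is part of the key."""
    counters, section = {}, None
    for line in text.splitlines():
        header = _SECTION.match(line)
        if header:
            section, line = header.group(1).strip(), header.group(2)
        if section is None:
            continue  # prompt line before the first section header
        for name, value in _COUNTER.findall(line):
            counters[(section, name)] = int(value)
    return counters


def watched_increases(before, after):
    """Return {(section, field): increase} for watched counters that grew.
    A counter that went backwards was cleared in between (for example with
    `reset ip statistics`), so its whole new value counts as the increase."""
    findings = {}
    for (section, name), new in after.items():
        if name not in WATCHED.get(section, ()):
            continue
        old = before.get((section, name), 0)
        grew = new - old if new >= old else new
        if grew > 0:
            findings[(section, name)] = grew
    return findings


# Constructed snapshots in the high performance forwarding layout shown above
# (a subset of rows; all values are made up for the example).
SNAPSHOT_T0 = """\
<Sysname> display ip statistics
Input:
          sum                7120          local             112
          bad checksum       0             bad options       0
Output:
          dropped            4             no route          2
Reassembling:
          fragments          40            reassembled       10
          dropped            0             timeouts          0
          malformed          3             internal error    0
          attack             0
Forwarded Frags: sum         0
VFR Reassembling:
          malformed          9             limit reached     0
"""

SNAPSHOT_T1 = """\
<Sysname> display ip statistics
Input:
          sum                9480          local             130
          bad checksum       2             bad options       0
Output:
          dropped            50            no route          2
Reassembling:
          fragments          940           reassembled       12
          dropped            610           timeouts          12
          malformed          8             internal error    0
          attack             25
Forwarded Frags: sum         0
VFR Reassembling:
          malformed          9             limit reached     0
"""

if __name__ == "__main__":
    t0, t1 = parse_ip_statistics(SNAPSHOT_T0), parse_ip_statistics(SNAPSHOT_T1)
    for (section, name), grew in sorted(watched_increases(t0, t1).items()):
        print(f"{section} / {name}: +{grew}")
```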

display rawip

Use display rawip to display brief information about RawIP connections.

Syntax

display rawip [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about RawIP connections for all cards.

Usage guidelines

Brief RawIP connection information includes local and peer addresses, protocol, and PCB.

Examples

# Display brief information about RawIP connections.

<Sysname> display rawip

 #: Kernel RawIP connection

 Local Addr       Foreign Addr     Protocol  Slot  Cpu PCB

 0.0.0.0          0.0.0.0          1         1     0   0x0000000000000009

 0.0.0.0          0.0.0.0          1         1     0   0x0000000000000008

 0.0.0.0          0.0.0.0          1         5     0   0x0000000000000002

#0.0.0.0          0.0.0.0          1         0     0   N/A

Table 3 Command output

Field

Description

#

The pound sign (#) indicates a Comware kernel connection.

Local Addr

Local IP address.

Foreign Addr

Peer IP address.

Protocol

Protocol number.

PCB

Protocol control block.

display rawip verbose

Use display rawip verbose to display detailed information about RawIP connections.

Syntax

display rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed RawIP connection information for the specified PCB. The pcb-index argument specifies the index of the PCB. The index is a hexadecimal string in the range of 1 to ffffffffffffffff.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about RawIP connections for all cards.

Usage guidelines

The detailed information includes socket creator, state, option, type, protocol number, and the source and destination IP addresses of RawIP connections.

Examples

# Display detailed information about RawIP connections.

<Sysname> display rawip verbose

Total RawIP socket number: 1

 Connection info: src = 0.0.0.0, dst = 0.0.0.0

 Location: slot 6

 Creator: ping[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / CANTREDUCESIZE

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 1

 Inpcb flags: N/A

 Inpcb extflag: INP_EXTRCVICMPERR INP_EXTFILTER

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Sending VRF: 0x0

 Receiving VRF: 0x0

Table 4 Command output

Field

Description

Total RawIP socket number

Total number of RawIP sockets.

Connection info

Connection information, including source IP address and destination IP address.

Location

Socket location.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state:

·     NOFDREF—The user has closed the connection.

·     ISCONNECTED—The connection has been established.

·     ISCONNECTING—The connection is being established.

·     ISDISCONNECTING—The connection is being interrupted.

·     ISDISCONNECTED—The connection has been terminated.

·     ISPCBSYNCING—Internet protocol control blocks are being synchronized.

·     ISSMOOTHING—Synchronization is in progress.

·     N/A—None of the above states.

Options

Socket options:

·     SO_DEBUG—Records socket debugging information.

·     SO_ACCEPTCONN—Enables the server to listen for connection requests.

·     SO_REUSEADDR—Allows local address reuse.

·     SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive.

·     SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network.

·     SO_BROADCAST—Supports broadcast packets.

·     SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer.

·     SO_OOBINLINE—Stores the out-of-band data in the input queue.

·     SO_REUSEPORT—Allows local port reuse.

·     SO_TIMESTAMP—Records the timestamps of the input packets, accurate to milliseconds. This option is applicable to protocols that are not connection orientated.

·     SO_FILTER—Supports setting the packet filter criterion. This option takes effect on received packets.

·     SO_TIMESTAMPNS—Similar to SO_TIMESTAMP, but accurate to nanoseconds.

·     N/A—No options are set.

Error

Error code.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

○     CANTSENDMORE—Unable to send data to the peer.

○     CANTRCVMORE—Unable to receive data from the peer.

○     CANTREDUCESIZE—Unable to shorten the receiving buffer.

○     RCVATMARK—Receiving tag.

○     N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

○     CANTSENDMORE—Unable to send data to the peer.

○     CANTRCVMORE—Unable to receive data from the peer.

○     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     INP_USEICMPSRC—Uses the specified IP address as the source IP address for outgoing ICMP packets.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     INP_EXTRCVICMPERR—Receives an ICMP error packet.

·     INP_EXTFILTER—Filters the contents in the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     N/A—Not the above flag.

TTL

TTL value in the Internet PCB.

Sending VRF

VRF from which packets are sent.

Receiving VRF

VRF from which packets are received.

display tcp

Use display tcp to display brief information about TCP connections.

Syntax

display tcp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about TCP connections for all cards.

Usage guidelines

Brief TCP connection information includes local IP address, local port number, peer IP address, peer port number, and TCP connection state.

Examples

# Display brief information about TCP connections.

<Sysname> display tcp

 *: TCP connection with authentication

 #: Kernel TCP connection

 Local Addr:port       Foreign Addr:port     State       Slot  Cpu PCB

*0.0.0.0:21            0.0.0.0:0             LISTEN      1     0   0x000000000000c387

#1.0.0.1:179           1.0.0.2:29376         ESTABLISHED 0     0   N/A

 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1     0   0x0000000000000009

 192.168.20.200:23     192.168.20.14:1283    ESTABLISHED 1     0   0x0000000000000002

Table 5 Command output

Field

Description

*

Indicates that the TCP connection uses authentication.

#

The pound sign (#) indicates a Comware kernel connection.

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

State

TCP connection state:

·     CLOSED—The server receives a disconnection request's reply from the client.

·     LISTEN—The server is waiting for connection requests.

·     SYN_SENT—The client is waiting for the server to reply to the connection request.

·     SYN_RCVD—The server receives a connection request.

·     ESTABLISHED—The server and client have established connections and can transmit data bidirectionally.

·     CLOSE_WAIT—The server receives a disconnection request from the client.

·     FIN_WAIT_1—The client is waiting for the server to reply to a disconnection request.

·     CLOSING—The server and client are waiting for peer's disconnection reply when receiving disconnection requests from each other.

·     LAST_ACK—The server is waiting for the client to reply to a disconnection request.

·     FIN_WAIT_2—The client receives a disconnection reply from the server.

·     TIME_WAIT—The client receives a disconnection request from the server.

PCB

PCB index.
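The `*` marker and the State column in Table 5 are enough for a quick exposure review of a device. The following Python sketch is an added example, not H3C code: it parses the `display tcp` sample shown above and flags cleartext management services (FTP on port 21, Telnet on port 23) and established BGP sessions (port 179) whose row lacks the `*` authentication marker. It assumes the marker column carries at most one of `*` or `#`, as in the sample, so a kernel (`#`) row is reported for follow-up rather than treated as proven unauthenticated.

```python
"""Audit `display tcp` output for cleartext management and unmarked BGP sessions."""
import re

# Well-known port numbers; the finding names below belong to this example.
CLEARTEXT_MGMT = {21: "FTP", 23: "Telnet"}
BGP_PORT = 179

_ROW = re.compile(
    r"^\s*(?P<mark>[*#]?)\s*(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+(?P<state>[A-Z][A-Z_0-9]*)\s+"
    r"(?P<slot>\d+)\s+(?P<cpu>\d+)\s+(?P<pcb>\S+)\s*$"
)


def parse_display_tcp(text):
    """Return one dict per connection row; legend and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["lport"], row["fport"] = int(row["lport"]), int(row["fport"])
        row["authenticated"] = row["mark"] == "*"   # "*: TCP connection with authentication"
        row["kernel"] = row["mark"] == "#"          # "#: Kernel TCP connection"
        rows.append(row)
    return rows


def audit(rows):
    """Return (kind, local endpoint, detail) tuples for rows that need review."""
    findings = []
    for r in rows:
        local = f"{r['laddr']}:{r['lport']}"
        peer = f"{r['faddr']}:{r['fport']}"
        service = CLEARTEXT_MGMT.get(r["lport"])
        if service and r["state"] == "LISTEN":
            scope = "all addresses" if r["laddr"] == "0.0.0.0" else r["laddr"]
            findings.append(("cleartext-listener", local,
                             f"{service} listening on {scope}"))
        elif service and r["state"] == "ESTABLISHED":
            findings.append(("cleartext-session", local,
                             f"{service} session from {peer}"))
        if (BGP_PORT in (r["lport"], r["fport"])
                and r["state"] == "ESTABLISHED" and not r["authenticated"]):
            findings.append(("bgp-no-auth-mark", local,
                             f"peer {peer} has no * authentication marker"))
    return findings


# Sample input: the `display tcp` example output from this page.
SAMPLE = """\
<Sysname> display tcp
 *: TCP connection with authentication
 #: Kernel TCP connection
 Local Addr:port       Foreign Addr:port     State       Slot  Cpu PCB
*0.0.0.0:21            0.0.0.0:0             LISTEN      1     0   0x000000000000c387
#1.0.0.1:179           1.0.0.2:29376         ESTABLISHED 0     0   N/A
 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1     0   0x0000000000000009
 192.168.20.200:23     192.168.20.14:1283    ESTABLISHED 1     0   0x0000000000000002
"""

if __name__ == "__main__":
    for kind, local, detail in audit(parse_display_tcp(SAMPLE)):
        print(f"{kind:20} {local:22} {detail}")
```

For a row flagged as `bgp-no-auth-mark`, the TCP options field of `display tcp verbose` lists TF_SIGNATURE or TF_ENHANCED_AUTH when those options are enabled on the connection.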

display tcp verbose

Use display tcp verbose to display detailed information about TCP connections.

Syntax

display tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed TCP connection information for the specified PCB. The index is a hexadecimal string in the range of 1 to ffffffffffffffff.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about TCP connections for all cards.

Usage guidelines

The detailed TCP connection information includes socket creator, state, option, type, protocol number, source IP address and port number, destination IP address and port number, and connection state.

Examples

# Display detailed information about TCP connections.

<Sysname> display tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Connection info: src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181

 Location: slot 6

 NSR standby: N/A

 Creator: bgpd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / CANTREDUCESIZE

 Sending buffer(cc/hiwat/lowat/state): 0 / 65700 / 512 / N/A

 Type: 1

 Protocol: 6

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Sending VRF: 0x0

 Receiving VRF: 0x0

Table 6 Command output

Field

Description

TCP inpcb number

Number of TCP IP PCBs.

tcpcb number

Number of TCP PCBs. This field is not displayed if the connection is in TIME_WAIT state.

Connection info

Connection information, including source IP address, source port number, destination IP address and destination port number.

Location

Socket location.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state:

·     NOFDREF—The user has closed the connection.

·     ISCONNECTED—The connection has been established.

·     ISCONNECTING—The connection is being established.

·     ISDISCONNECTING—The connection is being interrupted.

·     ISDISCONNECTED—The connection has been terminated.

·     ISPCBSYNCING—Internet protocol control blocks are being synchronized.

·     ISSMOOTHING—Synchronization is in progress.

·     N/A—None of the above states.

Options

Socket options:

·     SO_DEBUG—Records socket debugging information.

·     SO_ACCEPTCONN—Enables the server to listen for connection requests.

·     SO_REUSEADDR—Allows local address reuse.

·     SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive.

·     SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network.

·     SO_BROADCAST—Supports broadcast packets.

·     SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer.

·     SO_OOBINLINE—Stores the out-of-band data in the input queue.

·     SO_REUSEPORT—Allows local port reuse.

·     SO_TIMESTAMP—Records the timestamps of the input packets, accurate to milliseconds. This option is applicable to protocols that are not connection orientated.

·     SO_TIMESTAMPNS—Similar to SO_TIMESTAMP, but accurate to nanoseconds.

·     SO_KEEPALIVETIME—Sets a keepalive time.

·     N/A—No options are set.

Error

Error code.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

○     CANTSENDMORE—Unable to send data to the peer.

○     CANTRCVMORE—Unable to receive data from the peer.

○     N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

○     CANTSENDMORE—Unable to send data to the peer.

○     CANTRCVMORE—Unable to receive data from the peer.

○     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     INP_EXTDONTDROP—Does not drop the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     N/A—Not the above flag.

TTL

TTL value in the Internet PCB.

Connection state

TCP connection state:

·     CLOSED—The server receives a disconnection request's reply from the client.

·     LISTEN—The server is waiting for connection requests.

·     SYN_SENT—The client is waiting for the server to reply to the connection request.

·     SYN_RCVD—The server receives a connection request.

·     ESTABLISHED—The server and client have established connections and can transmit data bidirectionally.

·     CLOSE_WAIT—The server receives a disconnection request from the client.

·     FIN_WAIT_1—The client is waiting for the server to reply to a disconnection request.

·     CLOSING—The server and client are waiting for peer's disconnection reply when receiving disconnection requests from each other.

·     LAST_ACK—The server is waiting for the client to reply to a disconnection request.

·     FIN_WAIT_2—The client receives a disconnection reply from the server.

·     TIME_WAIT—The client receives a disconnection request from the server.

TCP options

TCP options:

·     TF_SIGNATURE—Enables MD5 signature.

·     TF_NODELAY—Disables the Nagle algorithm that buffers the sent data inside the TCP.

·     TF_BINDFOREIGNADDR—Binds the peer IP address.

·     TF_NSR—Enables TCP NSR.

·     TF_REQ_SCALE—Enables the TCP window scale option.

·     TF_REQ_TSTMP—Enables the time stamp option.

·     TF_SACK_PERMIT—Enables the TCP selective acknowledgement option.

·     TF_ENHANCED_AUTH—Enables the enhanced authentication option.

·     TF_PMTU—Enables path MTU discovery.

NSR state

NSR state of the TCP connection:

·     CLOSED—Closed (initial) state.

·     CLOSING—The connection is to be closed.

·     ENABLED—The connection backup is enabled.

·     OPEN—The connection synchronization has started.

·     PENDING—The connection backup is not ready.

·     READY—The connection backup is ready.

·     SMOOTH—The connection data is being smoothed.

The value in parentheses is the role of the connection:

·     M—Main connection.

·     S—Standby connection.

Sending VRF

VRF from which packets are sent.

Receiving VRF

VRF from which packets are received.

display udp

Use display udp to display brief information about UDP connections.

Syntax

display udp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about UDP connections for all cards.

Usage guidelines

Brief UDP connection information includes local IP address and port number, and peer IP address and port number.

Examples

# Display brief information about UDP connections.

<Sysname> display udp

 #: Kernel UDP connection

 Local Addr:port        Foreign Addr:port     Slot  Cpu PCB

 0.0.0.0:69             0.0.0.0:0             1     0   0x0000000000000003

#1.0.0.1:179            0.0.0.0:0             0     0   N/A

 192.168.20.200:1024    192.168.20.14:69      5     0   0x0000000000000002

Table 7 Command output

Field

Description

#

The pound sign (#) indicates a Comware kernel connection.

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

PCB

PCB index.

display udp socket-loadbalance

Use display udp socket-loadbalance to display brief information about UDP socket load balancing.

Syntax

display udp socket-loadbalance [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about UDP socket load balancing for the active MPU.

Usage guidelines

Service modules might create multiple UDP sockets on a service port and balance loads among the sockets to improve packet processing performance. In this case, the system distributes packets received on the same port with the same local IP address to multiple UDP sockets.

Examples

# Display brief information about UDP socket load balancing.

<Sysname> display udp socket-loadbalance

LocalAddr:port       VrfIndex      LBCount      Slot

192.168.5.1:4568     0             10           1

10::1:457            0             10           1

Table 8 Command output

Field

Description

LocalAddr:port

Local IP address and port number.

VrfIndex

VPN instance index.

LBCount

Number of UDP sockets.

Slot

Slot number of the card.

Related commands

display udp socket-loadbalance verbose

display udp socket-loadbalance verbose

Use display udp socket-loadbalance verbose to display detailed information about UDP socket load balancing.

Syntax

display udp socket-loadbalance verbose [ slot slot-number ] [ port port-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about UDP socket load balancing for the active MPU.

port port-number: Specifies a port by its number. The value range for the port-number argument is 1025 to 65535. If you do not specify a port, this command displays detailed information about UDP socket load balancing for all ports that have multiple UDP sockets.

Usage guidelines

Service modules might create multiple UDP sockets on a service port and balance loads among the sockets to improve packet processing performance. In this case, the system distributes packets received on the same port with the same local IP address to multiple UDP sockets.

Examples

# Display detailed information about UDP socket load balancing for all ports.

<Sysname> display udp socket-loadbalance verbose

LocalAddr:port: 10::1:457

VrfIndex: 0

Location: slot 1

LBCount: 10

LBConnectionlist:

NO Cc         Drops      Failures   RvdPkts      PCB

1  4294967296 4294967296 4294967296 4294967296   0000000000000001

2  9600       429        429        111111111    0000000000000002

3  960        4          4          11111111     0000000000000003

4  42         42         42         1111         0000000000000004

5  4          4          4          111          0000000000000005

6  4294       42949      42949      1111111      0000000000000006

7  429496     429496     429496     1111111      0000000000000007

8  429        42         42         1111         0000000000000008

9  429        429        429        11911        0000000000000009

10 42949      429496     429496     111111111    000000000000000A

# Display detailed information about UDP socket load balancing for a specific port.

<Sysname> display udp socket-loadbalance verbose port 4568

Local Addr:port: 192.168.5.1:4568

VrfIndex: 0

Index: 00000001

Location: slot 1

LBCount: 10

LBConnectionlist:

NO Cc         Drops      Failures   RvdPkts      PCB

1  4294967296 4294967296 4294967296 4294967296   000000000000000C

2  9600       429        429        111111111    000000000000000D

3  960        4          4          11111111     000000000000000E

4  42         42         42         1111         000000000000000F

5  4          4          4          111          0000000000000010

6  4294       42949      42949      1111111      0000000000000011

7  429496     429496     429496     1111111      0000000000000012

8  429        42         42         1111         0000000000000013

9  429        429        429        11911        0000000000000014

10 42949      429496     429496     111111111    0000000000000015

Table 9 Command output

Field              Description
LocalAddr:port     Local IP address and port number.
VrfIndex           VPN instance index.
Location           Socket location.
LBCount            Number of UDP sockets.
LBConnectionlist   UDP socket list.
No                 Entry sequence number.
Cc                 Used receiving buffer space in bytes.
Drops              Number of dropped packets because the receiving buffer is full.
Failures           Number of the packets that failed to be issued to the kernel.
RvdPkts            Number of received packets.
PCB                Protocol control block index.
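The following Python parser is an added example, not H3C code. It reads the display udp socket-loadbalance verbose layout shown above and flags sockets that report buffer-full drops or kernel delivery failures. The sample text is constructed, and the Drops/RvdPkts ratio and its threshold are assumptions of this example.

```python
import re

# Constructed sample in the layout shown above (values are illustrative).
SAMPLE = """\
<Sysname> display udp socket-loadbalance verbose port 4568
LocalAddr:port: 192.168.5.1:4568
VrfIndex: 0
Location: slot 1
LBCount: 3
LBConnectionlist:
NO Cc         Drops      Failures   RvdPkts      PCB
1  0          0          0          120000       000000000000000C
2  41600      5300       0          98000        000000000000000D
3  960        4          2          110000       000000000000000E
"""

# One LBConnectionlist row: five decimal counters followed by the hex PCB index.
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)$")
COLS = ("no", "cc", "drops", "failures", "rvd_pkts")


def parse_lb_verbose(text):
    """Return one dict per LocalAddr:port block, including its socket rows."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<") or line.startswith("NO "):
            continue  # blank line, CLI prompt line, or column header
        m = ROW.match(line)
        if m and current is not None:
            row = dict(zip(COLS, map(int, m.groups()[:5])))
            row["pcb"] = m.group(6).upper()
            current["sockets"].append(row)
            continue
        # Field names can contain ':' (LocalAddr:port), so split on ': '.
        key, sep, value = line.partition(": ")
        key = key.replace(" ", "").rstrip(":").lower()
        if key == "localaddr:port":
            current = {"local": value, "sockets": []}
            groups.append(current)
        elif current is not None and sep:
            current[key] = value
    return groups


def flag_sockets(group, max_drop_ratio=0.01):
    """Return (pcb, drop_ratio, failures) for sockets worth investigating.

    Assumption of this example: Drops/RvdPkts above max_drop_ratio, or any
    Failures, marks a socket as suspect (for instance under a UDP flood).
    """
    flagged = []
    for s in group["sockets"]:
        if s["rvd_pkts"]:
            ratio = s["drops"] / s["rvd_pkts"]
        else:
            ratio = 1.0 if s["drops"] else 0.0
        if ratio > max_drop_ratio or s["failures"] > 0:
            flagged.append((s["pcb"], round(ratio, 4), s["failures"]))
    return flagged


if __name__ == "__main__":
    for grp in parse_lb_verbose(SAMPLE):
        print(grp["local"], flag_sockets(grp))
```

The PCB index of a flagged socket can be passed to display udp verbose slot slot-number pcb pcb-index to inspect that socket's creator and buffer state.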

Related commands

display udp verbose

display udp statistics

Use display udp statistics to display UDP traffic statistics.

Syntax

display udp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays UDP traffic statistics for all cards.

Usage guidelines

UDP traffic statistics include information about received and sent UDP packets.

Examples

# Display UDP traffic statistics.

<Sysname> display udp statistics

Received packets:

     Total: 240

     checksum error: 0, no checksum: 0

     shorter than header: 0, data length larger than packet: 0

     no socket on port(unicast): 0

     no socket on port(broadcast/multicast): 240

     not delivered, input socket full: 0 ;kenerl buff full: 0

Sent packets:

     Total: 0

Table 10 Command output

Field

Description

Received packets:

Information about received packets.

·     Total—Total number of UDP packets.

·     checksum error—Number of packets with checksum error.

·     no checksum—Number of packets with no checksum.

·     shorter than header—Number of packets whose packet length is shorter than the header length.

·     data length larger than packet—Number of packets whose data length is longer than the packet length.

·     no socket on port(unicast)—Number of unicasts with no socket on the port.

·     no socket on port(broadcast/multicast)—Number of broadcasts and multicasts with no socket on the port.

·     not delivered, input socket full: xxx ;kenerl buff full: yyy—Number of packets that are not delivered to the upper layer because the socket buffer is full. Number of discarded packets because the kernel buffer is full.

Sent packets

Number of sent packets.

 

Related commands

reset udp statistics

display udp verbose

Use display udp verbose to display detailed information about UDP connections.

Syntax

display udp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed UDP connection information for the specified PCB. The index is a hexadecimal string in the range of 1 to ffffffffffffffff.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about UDP connections for all cards.

Usage guidelines

The detailed information includes socket creator, status, option, type, protocol number, source IP address and port number, and destination IP address and port number for UDP connections.

Examples

# Display detailed UDP connection information.

<Sysname> display udp verbose

Total UDP socket number: 1

 

 Connection info: src = 0.0.0.0:69, dst = 0.0.0.0:0

 Location: slot 6

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/full/state): 0 / 41600 / 1 / 0 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Sending VRF: 0

 Receiving VRF: 0xffff

Table 11 Command output

Field

Description

Total UDP socket number

Total number of UDP sockets.

Connection info

Connection information, including source IP address, source port number, destination IP address, and destination port number.

Location

Socket location.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state:

·     NOFDREF—The user has closed the connection.

·     ISCONNECTED—The connection has been established.

·     ISCONNECTING—The connection is being established.

·     ISDISCONNECTING—The connection is being interrupted.

·     ISDISCONNECTED—The connection has been terminated.

·     ISPCBSYNCING—Internet protocol control blocks are being synchronized.

·     ISSMOOTHING—Synchronization is in progress.

·     N/A—None of the above states.

Options

Socket options:

·     SO_DEBUG—Records socket debugging information.

·     SO_ACCEPTCONN—Enables the server to listen for connection requests.

·     SO_REUSEADDR—Allows local address reuse.

·     SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive.

·     SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network.

·     SO_BROADCAST—Supports broadcast packets.

·     SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer.

·     SO_OOBINLINE—Stores the out-of-band data in the input queue.

·     SO_REUSEPORT—Allows local port reuse.

·     SO_TIMESTAMP—Records the timestamps of the input packets, accurate to milliseconds. This option is applicable to protocols that are not connection-oriented.

·     SO_TIMESTAMPNS—Provides a function similar to the timestamp option, accurate to nanoseconds.

·     N/A—No options are set.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/full/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     full—Number of dropped packets because the kernel sending buffer is full.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     N/A—None of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     N/A—None of the above states.

Type

Socket type:

·     1: SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2: SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3: SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     N/A—Not the above flag.

TTL

TTL value in the Internet PCB.

Sending VRF

VRF from which packets are sent.

Receiving VRF

VRF from which packets are received.

ip exceed-mtu fragment

Use ip exceed-mtu fragment to enable the device to perform software forwarding for outgoing oversize packets during hardware forwarding.

Use undo ip exceed-mtu fragment to disable the device from performing software forwarding for outgoing oversize packets during hardware forwarding.

Syntax

ip exceed-mtu fragment

undo ip exceed-mtu fragment

Default

The device does not perform software forwarding for outgoing oversize packets during hardware forwarding.

Views

System view

Predefined user roles

network-admin

Usage guidelines

During hardware forwarding, the device does not fragment oversize packets outgoing from an interface, because the hardware ignores the MTU value of the output interface. After you execute this command, the device processes an outgoing packet as follows:

·     If the original packet length is smaller than the MTU value of the output interface, the device will forward the packet through hardware.

·     If the original packet length exceeds the MTU value of the output interface, the device will deliver the packet to the CPU and forward the packet through software.

¡     If the Don't Fragment (DF) bit is set in the packet, the device will discard the packet.

With the ip unreachables enable command configured, the device will send an ICMP destination unreachable message to the packet source.

¡     If the DF bit is not set in the packet, the device will forward the packet after fragmentation.

The undo ip exceed-mtu fragment command restores the forwarding method to hardware forwarding for outgoing packets.

To configure the MTU value for an interface, you can use the ip mtu, ipv6 mtu, or mtu command. When you configure the ip mtu or ipv6 mtu command in conjunction with the mtu command on an interface, configuration of the ip mtu or ipv6 mtu command takes precedence over that of the mtu command. After you restore configuration of the ip mtu or ipv6 mtu command to the default, configuration of the mtu command takes effect on the interface.

Examples

# Enable the device to perform software forwarding for outgoing oversize packets during hardware forwarding.

<Sysname> system-view

[Sysname] ip exceed-mtu fragment

Related commands

ip mtu

ip unreachables enable

ipv6 mtu

mtu

ip forward-broadcast

Use ip forward-broadcast to enable an interface to forward directed broadcast packets destined for the directly connected network.

Use undo ip forward-broadcast to disable an interface from forwarding directed broadcast packets destined for the directly connected network.

Syntax

ip forward-broadcast

undo ip forward-broadcast

Default

An interface cannot forward directed broadcasts destined for the directly connected network.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

This command enables an interface to forward directed broadcasts destined for the directly connected network.

Hackers can exploit directed broadcasts to attack the target network. In some scenarios, however, an interface must send such directed broadcast packets to support features such as UDP helper and Wake on LAN.

Examples

# Enable HundredGigE 1/0/1 to forward directed broadcast packets destined for the directly connected network.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] ip forward-broadcast

ip icmp error-interval

Use ip icmp error-interval to set the interval for tokens to arrive in the bucket and the bucket size for ICMP error messages.

Use undo ip icmp error-interval to restore the default.

Syntax

ip icmp error-interval interval [ bucketsize ]

undo ip icmp error-interval

Default

A token is placed in the bucket every 100 milliseconds, and the bucket allows a maximum of 10 tokens.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval for tokens to arrive in the bucket. The value range is 0 to 2147483647 milliseconds. To disable the ICMP rate limit, set the value to 0.

bucketsize: Specifies the maximum number of tokens allowed in the bucket. The value range is 1 to 200.

Usage guidelines

This command limits the rate at which ICMP error messages are sent. Use this command to avoid sending excessive ICMP error messages within a short period that might cause network congestion. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.
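The following Python simulation of the token bucket described above is an added example, not H3C code. It compares how many ICMP error messages leave the device under the default setting, the 200 ms / 40 token setting, and with the limit disabled. The full bucket at start and the constructed one-packet-per-millisecond load are assumptions of this example.

```python
def simulate_icmp_error_limit(event_times_ms, interval_ms=100, bucketsize=10):
    """Return (sent, suppressed) for ICMP errors triggered at the given times.

    interval_ms and bucketsize follow the value ranges documented for
    ip icmp error-interval; an interval of 0 disables the rate limit.
    """
    if not 0 <= interval_ms <= 2147483647:
        raise ValueError("interval must be 0 to 2147483647 milliseconds")
    if not 1 <= bucketsize <= 200:
        raise ValueError("bucketsize must be 1 to 200")
    if interval_ms == 0:
        return len(event_times_ms), 0

    tokens = bucketsize      # assumption: the bucket starts full
    last_refill = 0          # time at which the most recent token arrived
    sent = suppressed = 0
    for t in sorted(event_times_ms):
        arrived = (t - last_refill) // interval_ms
        if arrived:
            tokens = min(bucketsize, tokens + arrived)
            last_refill += arrived * interval_ms
        if tokens:
            tokens -= 1      # one token is consumed per ICMP error message
            sent += 1
        else:
            suppressed += 1  # empty bucket: the error message is not sent
    return sent, suppressed


# Constructed load: 1000 packets in one second, one per millisecond, each of
# which would trigger an ICMP error message.
BURST = list(range(1000))


def compare_settings(events=BURST):
    """(sent, suppressed) for three ip icmp error-interval settings."""
    return {
        "default 100/10": simulate_icmp_error_limit(events, 100, 10),
        "example 200/40": simulate_icmp_error_limit(events, 200, 40),
        "disabled 0": simulate_icmp_error_limit(events, 0),
    }


if __name__ == "__main__":
    for name, result in compare_settings().items():
        print(name, result)
```

The bucket size sets how large an initial burst of error messages is answered, while the interval sets the sustained rate after the bucket has drained.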

Examples

# Set the interval to 200 milliseconds for tokens to arrive in the bucket and the bucket size to 40 tokens for ICMP error messages.

<Sysname> system-view

[Sysname] ip icmp error-interval 200 40

ip icmp fragment discarding

Use ip icmp fragment discarding to disable forwarding of ICMP fragments.

Use undo ip icmp fragment discarding to enable forwarding of ICMP fragments.

Syntax

ip icmp fragment discarding

undo ip icmp fragment discarding

Default

Forwarding of ICMP fragments is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Disabling forwarding of ICMP fragments can prevent ICMP fragment attacks.

Examples

# Disable forwarding of ICMP fragments.

<Sysname> system-view

[Sysname] ip icmp fragment discarding

ip icmp receive enable

Use ip icmp receive enable to enable the device to receive a specific type of ICMP messages.

Use undo ip icmp receive enable to disable the device from receiving a specific type of ICMP messages.

Syntax

ip icmp { name icmp-name | type icmp-type code icmp-code } receive enable

undo ip icmp { name icmp-name | type icmp-type code icmp-code } receive enable

Default

The device can receive all types of ICMP messages.

Views

System view

Predefined user roles

network-admin

Parameters

name icmp-name: Specifies an ICMP message name, a case-insensitive string of 1 to 20 characters.

type icmp-type: Specifies an ICMP message type. The value range for the icmp-type argument is 0 to 255.

code icmp-code: Specifies an ICMP message code. The value range for the icmp-code argument is 0 to 255.

Usage guidelines

CAUTION:

Disabling receiving ICMP messages of a specific type might affect network operation. Please use this feature with caution.

By default, the device receives all types of ICMP messages. Such a setting might affect device performance if a large number of ICMP responses are received within a short time. To solve this issue, you can use this command to disable the device from receiving a specific type of ICMP messages.

Table 12 shows common ICMP messages and their meanings.

Table 12 Common ICMP messages

Name                   Type   Code   Description
echo                   8      0      Echo request used to ping a target node.
echo-reply             0      0      Echo reply sent by a target node after receiving an echo request.
fragmentneed-dfset     3      4      Packets that need fragmentation but have the DF bit set.
host-redirect          5      1      Host redirection.
host-tos-redirect      5      3      Host ToS redirection.
host-unreachable       3      1      Unreachable host.
information-reply      16     0      Information reply.
information-request    15     0      Information request.
net-redirect           5      0      Network redirection.
net-tos-redirect       5      2      Network ToS redirection.
net-unreachable        3      0      Unreachable network.
parameter-problem      12     0      Invalid parameter.
port-unreachable       3      3      Unreachable port.
protocol-unreachable   3      2      Unreachable protocol.
reassembly-timeout     11     1      Fragment reassembly timeout.
source-quench          4      0      Source quench message.
source-route-failed    3      5      Source route failure.
timestamp-reply        14     0      Timestamp reply.
timestamp-request      13     0      Timestamp request.
ttl-exceeded           11     0      TTL exceeded in transit.

Examples

# Enable the device to receive ICMP echo reply messages.

<Sysname> system-view

[Sysname] ip icmp name echo-reply receive enable

ip icmp send enable

Use ip icmp send enable to enable the device to send a specific type of ICMP messages.

Use undo ip icmp send enable to disable the device from sending a specific type of ICMP messages.

Syntax

ip icmp { name icmp-name | type icmp-type code icmp-code } send enable

undo ip icmp { name icmp-name | type icmp-type code icmp-code } send enable

Default

The device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages.

Views

System view

Predefined user roles

network-admin

Parameters

name icmp-name: Specifies an ICMP message name, a case-insensitive string of 1 to 20 characters.

type icmp-type: Specifies an ICMP message type. The value range for the icmp-type argument is 0 to 255.

code icmp-code: Specifies an ICMP message code. The value range for the icmp-code argument is 0 to 255.

Usage guidelines

CAUTION:

Disabling sending ICMP messages of a specific type might affect network operation. Please use this feature with caution.

 

By default, the device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages. Attackers might obtain information from specific types of ICMP messages, causing security issues.

For security purposes, you can use this command to disable the device from sending ICMP messages of specific types.

To enable sending Destination Unreachable, Time Exceeded, or Redirect messages, you can perform one of the following tasks:

·     Execute the ip icmp send enable command.

·     Execute one of the following commands as needed:

¡     ip unreachables enable

¡     ip ttl-expires enable

¡     ip redirects enable

Table 12 shows common ICMP messages and their meanings.

Examples

# Enable the device to send ICMP echo reply messages.

<Sysname> system-view

[Sysname] ip icmp name echo-reply send enable

Related commands

ip icmp fragment discarding

ip redirects enable

ip ttl-expires enable

ip unreachables enable

ip icmp source

Use ip icmp source to specify the source address for outgoing ICMP packets.

Use undo ip icmp source to remove the specified source address for outgoing ICMP packets.

Syntax

ip icmp source [ vpn-instance vpn-instance-name ] ip-address

undo ip icmp source [ vpn-instance vpn-instance-name ]

Default

No source address is specified for outgoing ICMP packets. The default source IP addresses for different types of ICMP packets vary as follows:

·     For an ICMP error message, the source IP address is the IP address of the receiving interface of the packet that triggers the ICMP error message. ICMP error messages include Time Exceeded, Port Unreachable, and Parameter Problem messages.

·     For an ICMP echo request, the source IP address is the IP address of the sending interface.

·     For an ICMP echo reply, the source IP address is the destination IP address of the ICMP echo request specific to this reply.

Views

System view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the specified address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must exist. If you do not specify a VPN instance, the ip-address argument specifies an IP address on the public network.

ip-address: Specifies an IP address.

Usage guidelines

It is a good practice to specify the IP address of the loopback interface as the source IP address for outgoing ping echo request and ICMP error messages. This feature helps users locate the sending device easily.

Examples

# Specify 1.1.1.1 as the source address for outgoing ICMP packets.

<Sysname> system-view

[Sysname] ip icmp source 1.1.1.1

ip mtu

Use ip mtu to set the MTU of IPv4 packets sent over an interface.

Use undo ip mtu to restore the default.

Syntax

ip mtu mtu-size

undo ip mtu

Default

The MTU of IPv4 packets sent over an interface is not set.

Views

Interface view

Predefined user roles

network-admin

Parameters

mtu-size: Specifies the MTU in bytes. The value range for the mtu-size argument is 128 to 9216.

Usage guidelines

When a packet exceeds the MTU of IPv4 packets sent over an interface, the device processes the packet in one of the following ways:

·     If the packet disallows fragmentation, the device discards it.

·     If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU to avoid fragmentation.

If an interface supports both the mtu and ip mtu commands, the device fragments a packet based on the MTU set by the ip mtu command.

Examples

# Set the MTU of interface HundredGigE 1/0/1 to 1280 bytes.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] ip mtu 1280

ip redirects enable

Use ip redirects enable to enable sending ICMP redirect messages.

Use undo ip redirects enable to disable sending ICMP redirect messages.

Syntax

ip redirects enable

undo ip redirects enable

Default

Sending ICMP redirect messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing tables.

A host that has only one route destined for the default gateway sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop by following these rules:

·     The receiving and sending interfaces are the same.

·     The packet source IP address and the IP address of the packet receiving interface are on the same segment.

·     There is no source route option in the received packet.

Examples

# Enable sending ICMP redirect messages.

<Sysname> system-view

[Sysname] ip redirects enable

ip ttl-expires enable

Use ip ttl-expires enable to enable sending ICMP time exceeded messages.

Use undo ip ttl-expires enable to disable sending ICMP time exceeded messages.

Syntax

ip ttl-expires enable

undo ip ttl-expires enable

Default

Sending ICMP time exceeded messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP time exceeded messages by following these rules:

·     The device sends an ICMP TTL exceeded in transit message to the source when the following conditions are met:

¡     The received packet is not destined for the device.

¡     The TTL field of the packet is 1.

·     When the device receives the first fragment of an IP datagram destined for the device itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

A device disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages but can still send ICMP fragment reassembly time exceeded messages.

Examples

# Enable sending ICMP time exceeded messages.

<Sysname> system-view

[Sysname] ip ttl-expires enable

ip unreachables enable

Use ip unreachables enable to enable sending ICMP destination unreachable messages.

Use undo ip unreachables enable to disable sending ICMP destination unreachable messages.

Syntax

ip unreachables enable

undo ip unreachables enable

Default

Sending ICMP destination unreachable messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP destination unreachable messages by following these rules:

·     The device sends the source an ICMP network unreachable message when the following conditions are met:

¡     The received packet does not match any route.

¡     No default route exists in the routing table.

·     The device sends the source an ICMP protocol unreachable message when the following conditions are met:

¡     The received packet is destined for the device.

¡     The transport layer protocol of the packet is not supported by the device.

·     The device sends the source an ICMP port unreachable message when the following conditions are met:

¡     The received UDP packet is destined for the device.

¡     The packet's port number does not match the running process.

·     The device sends the source an ICMP source route failed message when the following conditions are met:

¡     The source uses Strict Source Routing to send packets.

¡     The intermediate device finds that the next hop specified by the source is not directly connected.

·     The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:

¡     The MTU of the sending interface is smaller than the packet.

¡     The packet has Don't Fragment set.

Examples

# Enable sending ICMP destination unreachable messages.

<Sysname> system-view

[Sysname] ip unreachables enable

ip virtual-reassembly aging

Use ip virtual-reassembly aging to set the aging time for cached packet fragments.

Use undo ip virtual-reassembly aging to restore the default.

Syntax

ip virtual-reassembly aging aging-milliseconds

undo ip virtual-reassembly aging

Default

The aging time for cached packet fragments is 3000 milliseconds.

Views

System view

Predefined user roles

network-admin

Parameters

aging-milliseconds: Specifies the aging time for cached packet fragments, in milliseconds. The value range for this argument is 100 to 5000.

Usage guidelines

With virtual fragment reassembly enabled, the device sets an aging timer for each cached fragment. When the timer of a packet fragment expires, the device discards the fragment. You can perform this task to set the aging time as needed.

Fragments of different packets in the cache queue might have the same packet ID, especially when the device has cached a large number of packet fragments. If a fragment is lost, the system might mistakenly use a fragment of a later received packet that has the same packet ID to substitute for the lost one, causing reassembly errors. To resolve this issue, set a short aging time as a best practice to reduce cached fragments if a large number of packets are cached for a service and packet loss occurs.

This command takes effect only when IPv4 virtual fragment reassembly is enabled.

Examples

# Set the aging time to 300 milliseconds for cached packet fragments.

<Sysname> system-view

[Sysname] ip virtual-reassembly aging 300

Related commands

ip virtual-reassembly enable

ip virtual-reassembly enable

Use ip virtual-reassembly enable to enable IPv4 virtual fragment reassembly.

Use undo ip virtual-reassembly enable to disable IPv4 virtual fragment reassembly.

Syntax

ip virtual-reassembly enable

undo ip virtual-reassembly enable

Default

IPv4 virtual fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

To prevent each service module from processing packet fragments that do not arrive in order, you can enable the virtual fragment reassembly feature. This feature virtually reassembles the fragments of a datagram through fragment check, sequencing, and caching, ensuring fragments arrive at each service module in order.

VFR can detect and prevent the following types of attacks:

·     Tiny fragment attack—The first fragment size is too small to hold the Layer 4 (such as TCP and UDP) header field, which is forced into the second fragment. VFR discards all tiny fragments.

·     Overlapping fragment attack—Two consecutive incoming fragments are identical or overlap with each other. If an overlapping fragment is detected, VFR discards all fragments within a fragment chain.

·     Fragment flooding attack—The maximum number of concurrent preassemblies or the number of fragments per datagram exceeds the upper limits. VFR discards subsequent fragments if the upper limit is reached.

The enabling status of VFR can be managed through the CLI or by controlling the enabling status of a service module that can call VFR. VFR is enabled in either of the following conditions:

·     A service module that can call it is enabled.

·     The ip virtual-reassembly enable command is executed.

If fragment reassembly is required, but a service module cannot call it, execute this command at CLI.
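The following Python sketch is an added example, not the device's implementation. It applies the three fragment checks listed in the usage guidelines above (tiny, overlapping, and flooding) to raw IPv4 fragments. The packets are constructed, and MAX_FRAGS_PER_DATAGRAM and the helper names are hypothetical, because the upper limits are not stated here.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"        # fixed 20-byte IPv4 header, no options
L4_MIN_HEADER = {6: 20, 17: 8}    # minimum TCP and UDP header sizes in bytes
MAX_FRAGS_PER_DATAGRAM = 64       # hypothetical limit for this example


def make_fragment(ident, offset, payload_len, mf, proto=17,
                  src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Build a constructed IPv4 fragment (checksum left at 0, not verified)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + bytes(payload_len)


def parse_fragment(pkt):
    """Extract the fields the fragment checks need from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),       # identifies one datagram
        "offset": (flags_off & 0x1FFF) * 8,    # fragment offset in bytes
        "mf": bool(flags_off & 0x2000),        # More Fragments flag
        "length": total_len - ihl,             # payload bytes in this fragment
        "proto": proto,
    }


def check_chain(frags, max_frags=MAX_FRAGS_PER_DATAGRAM):
    """Return the set of findings for the fragments of one datagram."""
    findings = set()
    if len(frags) > max_frags:
        findings.add("flood")
    ordered = sorted(frags, key=lambda f: f["offset"])
    first = ordered[0]
    need = L4_MIN_HEADER.get(first["proto"])
    # Tiny fragment: the first fragment cannot hold the Layer 4 header.
    if first["offset"] == 0 and first["mf"] and need and first["length"] < need:
        findings.add("tiny")
    # Overlap: a fragment starts before the previous one ends. Identical
    # fragments are caught too, because they share the same offset.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["offset"] < prev["offset"] + prev["length"]:
            findings.add("overlap")
    return findings


def inspect(packets, max_frags=MAX_FRAGS_PER_DATAGRAM):
    """Group packets into datagrams and return {datagram key: findings}."""
    chains = defaultdict(list)
    for pkt in packets:
        frag = parse_fragment(pkt)
        chains[frag["key"]].append(frag)
    return {k: sorted(check_chain(v, max_frags)) for k, v in chains.items()}


# Constructed sample: ID 1 is a clean UDP datagram, ID 2 has a tiny first
# TCP fragment, ID 3 has overlapping UDP fragments.
SAMPLE_PACKETS = [
    make_fragment(1, 0, 1480, True), make_fragment(1, 1480, 520, False),
    make_fragment(2, 0, 8, True, proto=6), make_fragment(2, 8, 100, False, proto=6),
    make_fragment(3, 0, 24, True), make_fragment(3, 16, 24, False),
]

if __name__ == "__main__":
    for key, findings in inspect(SAMPLE_PACKETS).items():
        print("id", key[2], findings or "ok")
```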

Examples

# Enable IPv4 virtual fragment reassembly.

<Sysname> system-view

[Sysname] ip virtual-reassembly enable

reset ip statistics

Use reset ip statistics to clear IP traffic statistics.

Syntax

reset ip statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears IP traffic statistics for all cards.

Usage guidelines

Use this command to clear historical IP traffic statistics before you collect IP traffic statistics for a time period.

Examples

# Clear IP traffic statistics.

<Sysname> reset ip statistics

Related commands

display ip interface (Layer 3—IP Services Command Reference)

display ip statistics

reset udp statistics

Use reset udp statistics to clear UDP traffic statistics.

Syntax

reset udp statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear UDP traffic statistics.

<Sysname> reset udp statistics

Related commands

display udp statistics

statistics l3-packet enable

Use statistics l3-packet enable to enable Layer 3 packet statistics collection.

Use undo statistics l3-packet enable to disable Layer 3 packet statistics collection.

Syntax

statistics l3-packet enable { inbound | outbound }

undo statistics l3-packet enable { inbound | outbound }

Default

Layer 3 packet statistics collection is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

inbound: Enables statistics collection for incoming Layer 3 packets.

outbound: Enables statistics collection for outgoing Layer 3 packets.

Usage guidelines

With this feature enabled on an interface, the device counts incoming and outgoing IP packets on the interface. To display the collected statistics, execute the display interface command.

When the interface is processing a large number of packets, enabling this feature will cause high CPU usage and degrade forwarding performance. If the statistics are not necessary, disable this feature to ensure device performance.

The statistics l3-packet enable outbound configuration cannot collect statistics on outbound packets that require decapsulation.

Do not enable NetStream/IPv6 NetStream and Layer 3 packet statistics collection simultaneously on the same interface's outbound direction. If both features are enabled on the outbound direction of an interface, Layer 3 packet statistics collection does not take effect. For more information about NetStream/IPv6 NetStream, see Network Management and Monitoring Configuration Guide.

Examples

# Enable Layer 3 packet statistics collection on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] statistics l3-packet enable inbound

Related commands

display ip interface (Layer 3—IP Services Command Reference)

display interface (Interface Command Reference)

tcp mss

Use tcp mss to set the TCP maximum segment size (MSS).

Use undo tcp mss to restore the default.

Syntax

tcp mss value

undo tcp mss

Default

The TCP MSS is not set.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the TCP MSS in bytes. The value range is 128 to 9176 bytes.

Usage guidelines

The MSS option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, TCP fragments the segment according to the receiver's MSS.

If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

This configuration takes effect only on TCP connections that are established after the configuration and not on the TCP connections that already exist.

This configuration is effective only on IP packets.

Examples

# Set the TCP MSS to 300 bytes on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] tcp mss 300

tcp path-mtu-discovery

Use tcp path-mtu-discovery to enable TCP path MTU discovery.

Use undo tcp path-mtu-discovery to disable TCP path MTU discovery.

Syntax

tcp path-mtu-discovery [ aging age-time | no-aging ]

undo tcp path-mtu-discovery

Default

TCP path MTU discovery is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

aging age-time: Specifies the aging time for the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes.

no-aging: Does not age out the path MTU.

Usage guidelines

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

After you disable TCP path MTU discovery, the system stops all path MTU timers. The TCP connections established later do not detect the path MTU, but the TCP connections previously established still can detect the path MTU.

Examples

# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.

<Sysname> system-view

[Sysname] tcp path-mtu-discovery aging 20

tcp-proxy congestion-method

Use tcp-proxy congestion-method to specify a TCP congestion control algorithm for TCP proxy.

Use undo tcp-proxy congestion-method to restore the default.

Syntax

tcp-proxy congestion-method { bbrv1 | bbrv2 | bic | reno }

undo tcp-proxy congestion-method

Default

The TCP congestion control algorithm is Reno for TCP proxy.

Views

System view

Predefined user roles

network-admin

Parameters

bbrv1: Specifies BBRv1 as the TCP congestion control algorithm.

bbrv2: Specifies BBRv2 as the TCP congestion control algorithm.

bic: Specifies BIC as the TCP congestion control algorithm.

reno: Specifies Reno as the TCP congestion control algorithm.

Usage guidelines

This command does not take effect on the modules that support TCP congestion control algorithm configuration. The TCP congestion control algorithm used by such a module depends on its configuration. For example, in the WAAS module, you can use the waas tfo congestion-method command to specify a TCP congestion control algorithm for the WAN side.

The modules that do not support TCP congestion control algorithm configuration use the same algorithm as the TCP proxy module.

When you use this command, you can configure one of the following TCP congestion control algorithms:

·     Reno—Use this algorithm in scenarios with low latency and low bandwidth. In scenarios with high latency and high bandwidth, the speed of data transmission takes a long time to reach the maximum and thus the bandwidth utilization rate is low.

Reno is an early TCP congestion control algorithm that increases the congestion window on receipt of ACK messages.

·     BIC—Use this algorithm in scenarios with high bandwidth and low packet loss ratio.

BIC can make good use of remaining bandwidth resources and improve throughput, because this algorithm does not slow down packet sending as long as no packet loss occurs. However, the transmission latency of this algorithm is high. This algorithm will reduce the congestion window when transmission errors cause packet loss.

·     BBR—Use this algorithm in scenarios with high bandwidth, high latency, and packet loss.

BBR does not use packet loss as a congestion signal. In a scenario with high packet loss ratio, this algorithm can ensure high throughput and reduce transmission latency effectively. BBRv2 improves intra-protocol fairness by balancing aggressiveness.

Examples

# Specify Reno as the TCP congestion control algorithm for TCP proxy.

<Sysname> system-view

[Sysname] tcp-proxy congestion-method reno

Related commands

waas tfo congestion-method

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.

Use undo tcp syn-cookie enable to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

1.     The sender sends a SYN packet to the server.

2.     The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3.     The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.

The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the sender.
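The stateless exchange described above can be sketched with the classic SYN cookie construction, in which the server's initial sequence number is itself the proof that the client saw the SYN ACK. This is an added illustration, not the device's implementation: the bit layout, MSS table, key, time step and function names are assumptions.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random, rotated key
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table; the cookie carries only an index into it
TICK = 64                             # assumed seconds per time-counter step

def _tag(flow, client_isn, counter, idx):
    """24-bit keyed MAC over the 4-tuple, client ISN, time counter and MSS index."""
    saddr, sport, daddr, dport = flow
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack(
        "!HHIIB", sport, dport, client_isn, counter & 0xFFFFFFFF, idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]

def make_cookie(flow, client_isn, client_mss, now):
    """Server ISN for the SYN ACK. Nothing is stored, so there is no semi-connection."""
    counter = int(now) // TICK
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    tag = int.from_bytes(_tag(flow, client_isn, counter, idx), "big")
    return ((counter & 0x1F) << 27) | (idx << 24) | tag

def check_ack(flow, seq, ack, now):
    """Validate the final ACK; return the negotiated MSS or None (no connection created)."""
    cookie = (ack - 1) & 0xFFFFFFFF        # the client acknowledges server ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # the client's SYN consumed one sequence number
    t_bits, idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    current = int(now) // TICK
    for counter in (current, current - 1):  # accept the current and previous time step only
        if counter & 0x1F != t_bits:
            continue
        expected = _tag(flow, client_isn, counter, idx)
        if hmac.compare_digest(expected, tag.to_bytes(3, "big")):
            return MSS_TABLE[idx]           # only now would the server enter ESTABLISHED
    return None
```

Because the server keeps no per-SYN state, TCP options other than the MSS index encoded in the cookie are not recoverable from the final ACK in this model.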

Examples

# Enable SYN Cookie.

<Sysname> system-view

[Sysname] tcp syn-cookie enable

tcp timer fin-timeout

Use tcp timer fin-timeout to set the TCP FIN wait timer.

Use undo tcp timer fin-timeout to restore the default.

Syntax

tcp timer fin-timeout time-value

undo tcp timer fin-timeout

Default

The TCP FIN wait timer is 675 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP FIN wait timer in the range of 76 to 3600 seconds.

Usage guidelines

TCP starts the FIN wait timer when the state of a TCP connection changes to FIN_WAIT_2. If no FIN packet is received within the timer interval, the TCP connection is terminated.

If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer and tears down the connection when the timer expires.

Examples

# Set the TCP FIN wait timer to 800 seconds.

<Sysname> system-view

[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Use tcp timer syn-timeout to set the TCP SYN wait timer.

Use undo tcp timer syn-timeout to restore the default.

Syntax

tcp timer syn-timeout time-value

undo tcp timer syn-timeout

Default

The TCP SYN wait timer is 75 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP SYN wait timer in the range of 2 to 600 seconds.

Usage guidelines

TCP starts the SYN wait timer after sending a SYN packet. If no response is received before the SYN wait timer expires, or if the upper limit on TCP connection attempts is reached, TCP fails to establish the connection.

Examples

# Set the TCP SYN wait timer to 80 seconds.

<Sysname> system-view

[Sysname] tcp timer syn-timeout 80

tcp window

Use tcp window to set the size of the TCP receive/send buffer.

Use undo tcp window to restore the default.

Syntax

tcp window window-size

undo tcp window

Default

The size of the TCP receive/send buffer is 63 KB.

Views

System view

Predefined user roles

network-admin

Parameters

window-size: Specifies the size of the TCP receive/send buffer, in the range of 5 to 64 KB.

Examples

# Set the size of the TCP receive/send buffer to 6 KB.

<Sysname> system-view

[Sysname] tcp window 6
