IP Performance Optimization Configuration Commands - S600-E V200R010C00 Command Reference

Command Reference

S600-E V200R010C00

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

IP Performance Optimization Configuration Commands

clear ip df

Function

The clear ip df command enables fragmentation for outgoing control-plain IP packets on an interface.

The undo clear ip df command disables fragmentation for outgoing control-plain IP packets on an interface.

By default, fragmentation for outgoing control-plain IP packets on an interface is disabled.

Format

clear ip df

undo clear ip df

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IP header contains a Don't Fragment (DF) bit to identify whether packet fragmentation is allowed. Commonly, if the DF bit of a packet is set to 1, the packet cannot be fragmented. When the remote device or intermediate forwarding device receives IP packets, if it checks the packet length and discards packets whose length is longer than the Maximum Transmission Unit (MTU) on the interface, network communication is interrupted. You can run the clear ip df command to enable fragmentation for outgoing control-plane IP packets so that packets with the DF bit set to 1 are fragmented based on the MTU value on the interface.

After fragmentation for outgoing control-plain IP packets is enabled on an interface, the device sets the Don't Fragment (DF) field to 0 and fragments IP packets that meet the following conditions:

The value of the DF field in the IP packet header is 1.
The packet length is larger than the MTU value of the interface that sends the packets.

Precautions

This command takes effect only for the control-plain packets but not for the forwarding-plain packets.

Example

# Enable fragmentation for outgoing IP packets on VLANIF100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] clear ip df

discard { ra | rr | srr | ts }

Function

The discard { ra | rr | srr | ts } command configures the device to discard the packets that contain the route alert option, route record option, source route option, or timestamp option on interfaces.

The undo discard { ra | rr | srr | ts } command configures the device to process the packets that contain the route alert option, route record option, source route option, or timestamp option on interfaces.

By default, the device processes packets sent to the CPU based on route options contained in these packets.

Format

discard { ra | rr | srr | ts }

undo discard { ra | rr | srr | ts }

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

IP packets can carry route options including the route alert option (ra), route record option (rr), source route option (srr), and timestamp option (ts).

These route options are used to diagnose network paths and temporarily transmit special services. These options, however, may be used by attackers to spy on the network structure for initiating attacks. This degrades network security and device performance. To solve this problem, you can run the discard { ra | rr | srr | ts } command to configure the device to discard the IP packets that contain the route options.

Precautions

The discard { ra | rr | srr | ts } command only takes effect for the packets on inbound interfaces.

The discard { ra | rr | srr | ts } command only takes effect for packets sent to the CPU. For packets that are not sent to the CPU, the device processes and forwards them using the same method of processing packets without route options regardless of whether the discard { ra | rr | srr | ts } command is configured or not.

Example

# Configure the device to discard the packets that contain the route alert option on the interface VLANIF100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] discard ra

display icmp statistics

Function

The display icmp statistics command displays ICMP traffic statistics.

Format

display icmp statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view information about ICMP packet sending and receiving, run the display icmp statistics command.

Example

# Display ICMP traffic statistics.

<HUAWEI> display icmp statistics
  Input: bad formats         0          bad checksum            0   
         echo                10         destination unreachable 0   
         source quench       0          redirects               0   
         echo reply          25         parameter problem       0   
         timestamp request   0          information request     0   
         mask requests       0          mask replies            0   
         time exceeded       0          timestamp reply         0         
         Mping request       0          Mping reply             0   
  Output:echo                25         destination unreachable 0   
         source quench       0          redirects               0   
         echo reply          10         parameter problem       0   
         timestamp request   0          information reply       0   
         mask requests       0          mask replies            0   
         time exceeded       0          timestamp reply         0
         Mping request       0          Mping reply             0

Table 5-33 Description of the display icmp statistics command output

Item	Description
Input	Received packets.
Output	Sent packets.
bad formats	Number of packets in incorrect format.
bad checksum	Number of packets with checksum errors.
echo	Number of echo request packets.
destination unreachable	Number of unreachable packets.
source quench	Number of source quench packets.
redirects	Number of redirection packets.
echo reply	Number of echo reply packets.
parameter problem	Number of packets with incorrect parameters.
timestamp request	Number of timestamp request packets.
information request	Number of information request packets.
information reply	Number of information reply packets.
mask requests	Number of mask request packets.
mask replies	Number of mask reply packets.
time exceeded	Number of expired packets.
timestamp reply	Number of timestamp reply packets.
Mping requests	Number of multicast ping request packets.
Mping reply	Number of multicast ping reply packets.

display ip interface

Function

The display ip interface command displays the IP configuration and statistics on interfaces. The statistics include the number of packets and bytes received and sent by interfaces, number of multicast packets sent and received by interfaces, and number of broadcast packets received, sent, forwarded, and discarded by interfaces.

The display ip interface brief command displays brief information about interface IP addresses, including the IP address, subnet mask, physical status, link-layer protocol status, and number of interfaces in different states.

Format

display ip interface [ interface-type interface-number ]

display ip interface brief [ interface-type [ interface-number ] | slot slot-id [ card card-number ] ]

display ip interface brief [ interface-type ] &<1-8>

Parameters

Parameter	Description	Value
interface-type interface-number	Specifies the type and number of an interface. If no interface is specified, IP configuration and statistics about all interfaces are displayed.	-
brief	Displays brief information, including the IP address, subnet mask, physical status, link-layer protocol status, and number of interfaces in different states.	-
slot slot-id	Displays the IP configuration and statistics of interfaces on the specified slot. If the slot number is not specified, brief information related to the IP addresses of the interfaces on all interface boards and main control boards is displayed.	-
card card-number	Displays the IP configuration and statistics of interfaces on specified card.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ip interface brief command to view the following information:

IP configurations of all interfaces
IP configurations of interfaces of the specified type and a specified interface
IP configurations of interfaces that have IP addresses

This command, however, cannot display the IP configurations of Layer 2 interfaces or Eth-Trunk member interfaces.

You can run the display interface description command to view the interface description.
You can run the display interface command to view detailed information about the running status and statistics on the interface.

Example

# Display IP information about VLANIF15.

<HUAWEI> display ip interface vlanif 15 
Vlanif15 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 766390, bytes : 41540847, multicasts : 681817
output packets : 242239, bytes : 14679482, multicasts : 172333
Directed-broadcast packets:
 received packets:            0, sent packets:            0
 forwarded packets:           0, dropped packets:           0
Internet Address is 10.1.1.119/24
Broadcast address : 10.1.1.255
TTL being 1 packet number:    164035
TTL invalid packet number:         0
ICMP packet input number:          0
  Echo reply:                      0
  Unreachable:                     0
  Source quench:                   0
  Routing redirect:                0
  Echo request:                    0
  Router advert:                   0
  Router solicit:                  0
  Time exceed:                     0
  IP header bad:                   0
  Timestamp request:               0
  Timestamp reply:                 0
  Information request:             0
  Information reply:               0
  Netmask request:                 0
  Netmask reply:                   0
  Unknown type:                    0

Table 5-34 Description of the display ip interface command output

Item	Description
current state :	Physical status of the interface: UP: indicates that the interface is physically Up. DOWN: indicates that the interface is physically Down. Administratively down: indicates that the administrator has run the shutdown command on the interface.
Line protocol current state :	Link layer protocol status of the interface: UP: The link layer protocol of the interface is running properly. DOWN: The link layer protocol of the interface is Down or no IP address is configured on the interface.
The Maximum Transmit Unit :	MTU of the interface. The default MTU of an Ethernet interface or a serial interface is 1500 bytes. Packets longer than the MTU are fragmented before being transmitted. If fragmentation is not allowed, the packets are discarded.
input packets : 766390, bytes : 41540847, multicasts : 681817	Total number of packets, bytes, and multicast packets received by the interface.
output packets : 242239, bytes : 14679482, multicasts : 172333	Total number of packets, bytes, and multicast packets sent by the interface.
Directed-broadcast packets:	Number of packets broadcast on the interface directly.
received packets:	Total number of received packets.
sent packets:	Total number of sent packets.
forwarded packets:	Total number of forwarded packets.
dropped packets:	Total number of discarded packets.
Internet Address is	IP address assigned to the interface and mask length.
Broadcast address :	Broadcast address of the interface.
TTL being 1 packet number:	Number of packets with TTL 1.
TTL invalid packet number:	Number of packets with invalid TTL.
ICMP packet input number:	Number of received ICMP packets.
Echo reply:	Number of Echo Reply packets.
Unreachable:	Number of Destination Unreachable packets.
Source quench:	Number of Source Quench packets.
Routing redirect:	Number of Redirect packets.
Echo request:	Number of Echo Request packets.
Router advert:	Number of Router Advertisement packets.
Router solicit:	Number of Router Solicitation packets.
Time exceed:	Number of Time Exceeded packets.
IP header bad:	Number of IP header error packets.
Timestamp request:	Number of Timestamp Request packets.
Timestamp reply:	Number of Timestamp Reply packets.
Information request:	Number of Information Request packets.
Information reply:	Number of Information Reply packets.
Netmask request:	Number of Address Mask Request packets.
Netmask reply:	Number of Address Mask Reply packets.
Unknown type:	Number of unknown packets.

# Display brief IP information about VLANIF15.

<HUAWEI> display ip interface brief vlanif 15
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(E): E-Trunk down 
Interface                         IP Address/Mask      Physical   Protocol
Vlanif15                          10.1.1.119/24        up         up

Table 5-35 Description of the display ip interface brief command output

Item	Description
*down	Reason why an interface is physically Down. Administratively down indicates that the administrator has run the shutdown command on the interface.
^down	^down: indicates that the interface is a backup interface.
(l): loopback	The letter "l" refers to loopback.
(s): spoofing	The letter "s" refers to spoofing.
(E): E-Trunk down	Indicates that the Eth-Trunk is Down because of the protocol negotiation on the E-Trunk.
Interface	Interface type and number.
IP Address/Mask	IP address and mask of an interface.
Physical	Physical status of an interface: Up: indicates that the interface is physically Up. (l) indicates that the loopback function is configured on the interface. Down: indicates that the interface becomes faulty. *down: indicates that the administrator has run the shutdown (interface view) command on the interface. (l) indicates that the loopback function is configured on the interface. !down: indicates that the FIB module is suspended. In this case, the link protocol status of the interface is Down.
Protocol	Link protocol status of the interface: Up: indicates that the link protocol of the interface is running properly. (s) indicates that the link protocol status of the interface is Up when this interface is created and has no IP address configured. This is an inherent attribute of an interface. When this interface is configured with an IP address, (s) is still displayed. Down: indicates that the link protocol of the interface fails or no IP address is configured on the interface. (l) indicates that the loopback function is configured on the interface.

Related Topics

display interface

display ip socket

Function

The display ip socket command displays information about the created IPv4 sockets.

Format

display ip socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type socket-type ]

Parameters

Parameter	Description	Value
monitor	Displays information about the socket monitor. Information about the socket monitor is displayed together with information about the socket.	-
task-id task-id	Displays socket information of the task with a specified ID.	The value must be an existing task ID.
socket-id socket-id	Displays information about the socket with a specified ID.	The value must be an existing socket ID.
socket-type socket-type	Displays information about a socket of a specified type.	The value is an integer. Table 5-36 shows the value range.

Table 5-36 Value range of socket-type socket-type

Value	Description
1	TCP socket
2	UDP socket
3	RAWIP socket
4	RAWLINK socket

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

A socket monitor monitors and records each connection. A RawLink also monitors interfaces. The socket monitor records specific protocol events that occur during operations. In addition, it logs information in the disk space.

The socket monitor is similar to a black box of the system. It records specific events that happen during system operations. When the system fails, you can use information recorded by the socket monitor to locate faults.

You can also set the filtering rules, such as the task ID, socket ID, and socket type so that only the information matching the rules is displayed. This reduces information output and helps you locate faults accurately and efficiently.

Example

# Display information about the IP sockets.

<HUAWEI> display ip socket monitor
SOCK_STREAM:
Task = VTYD(30), socketid = 1, Proto = 6, 
LA = 0.0.0.0:23, FA = 0.0.0.0:0, 
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, 
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_LINGER SO_REUSEPORT SO_SENDVPNID(23553) SO_SETKEEPALIVE SO_SETACL,
socket state = SS_PRIV SS_ASYNC
                          Socket Monitor:
Asyn Que status:
 read = 0, write = 0, connect = 0, close = 0,
 peer close = 0, accept = 0, keep alive down = 0,
 cram time = 0000-00-00 00:00:00+08:00, lost msg= 0, msg type=0x00000000;
Nothing else has been captured!
SOCK_DGRAM: 
Task = DHCP(54), socketid = 2, Proto = 17,
LA = 0.0.0.0:67, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0, 
socket option = SO_BROADCAST SO_REUSEPORT SO_UDPCHECKSUM SO_SENDVPNID(14849),
socket state = SS_PRIV
                          Socket Monitor:
Statistics:
 input packets = 6,recv packets = 6,output packets = 0;
Rcvbuf status: 
 cram time = 0000-00-00 00:00:00+00:00, full times = 0,dropped packets = 0;
Asyn Que status: 
 read = 0, write = 0, connect = 0, close = 0, 
 peer close = 0, accept = 0, keep alive down = 0, 
 smb input = 0, smb output = 0, smooth over = 0,
 cram time = 0000-00-00 00:00:00+00:00, lost msg = 0, msg type = 0x00000000;

# Display the information about the IP socket with the task ID as 23 and socket ID as 1.

<HUAWEI> display ip socket monitor task-id 23 socket-id 1
Task = RSVP(23), socketid = 1, Proto = 46,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 4194304, rcvbuf = 4194304, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC
                          Socket Monitor:
Statistics:
 input packets = 0,recv packets = 0,output packets = 0;
Rcvbuf status:
 cram time = 00H00M00S: full times = 0,dropped packets = 0;
Asyn Que status:
 read = 0, write = 0, connect = 0, close = 0,
 peer close = 0, accept = 0, keep alive down = 0,
 smb input = 0, smb output = 0, smooth over = 0,
 cram time = 00H00M00S, lost msg = 0, msg type = 0x00000000;

# Display information about the IP socket with the socket type as TCP.

<HUAWEI> display ip socket monitor socket-type 1
SOCK_STREAM:
Task = VTYD(30), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_REUSEPORT SO_SENDVPNID(14849) SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC
                          Socket Monitor:
Asyn Que status:
 read = 0, write = 0, connect = 0, close = 0,
 peer close = 0, accept = 0, keep alive down = 0,
 cram time = 0000-00-00 00:00:00+00:00, lost msg= 0, msg type=0x00000000;
Nothing else has been captured!

Table 5-37 Description of the display ip socket command output

Item	Description
SOCK_STREAM	Socket types. There are the following socket types: SOCK_STREAM SOCK_DGRAM SOCK_RAWLINK SOCK_RAWIP
Task	Type and ID of the task that invokes the socket. For example, Task = VTYD(30) indicates that the task named VTYD uses the socket, with the task ID being 30.
socketid	Socket ID.
Proto	Protocol number.
LA	Local address/port number.
FA	Remote address/port number.
sndbuf	Maximum socket send buffer size. The value is in bytes.
rcvbuf	Maximum socket receive buffer size. The value is in bytes.
sb_cc	Number of sent packets. The value is in bytes and is valid only when TCP caches data packets.
rb_cc	Number of received packets. The value is in bytes.
socket option	Set socket options. There are the following socket options: SO_DEBUG: indicates that debugging is enabled. SO_ACCEPTCONN: indicates that the socket is the server and is responsible for monitoring. SO_REUSEADDR: indicates that addresses are overlapped. After the option is set, multiple identical addresses can be bound to an interface. SO_KEEPALIVE: indicates that the keepalive timer starts after a TCP connection is set up. SO_DONTROUTE: indicates that a socket must choose the direct route to the destination when setting up a connection. SO_BROADCAST: indicates that an interface can send broadcast packets. SO_REUSEPORT: indicates that interfaces are overlapped. After the option is set, multiple identical interfaces can be bound to the local interface. This option is often set on servers. SO_UDPCHECKSUM: indicates that the socket calculates the checksum of UDP packets. SO_SENDVPNID: indicates an exclusive option for VPNs. SO_SETKEEPALIVE: indicates that the keepalive timer starts after a TCP connection is set up. SO_SETACL: indicates that an ACL can be configured on the interface. SO_USELOOPBACK: indicates that a socket can use a loopback interface to receive or send data. SO_LINGER: indicates the time for closing a TCP connection. If the time is not set to 0, a TCP connection is closed after the timer expires. If the time is set to 0, a TCP connection is closed immediately. SO_OOBINLINE: indicates out-band data. When receiving data, a socket processes the out-band data first. SO_SENDDATAIF: indicates that a socket uses the specified interface to receive or send data. SO_SENDDATAIF_DONTSETTTL: indicates that a socket uses the specified interface to receive or send data but does not set the TTL value. SO_SETSRCADDR: indicates that a socket sets the source address of outgoing packets. SO_SENDBY_IF_NEXTHOP: indicates that a socket sets the outbound interface and next hop address of outgoing packets.
socket state	Socket status. There are the following socket status: SS_NOFDREF: indicates that the socket ID is deleted. SS_ISCONNECTED: indicates that a TCP connection is set up. SS_ISCONNECTING: indicates that a TCP connection is being set up. SS_ISDISCONNECTING: indicates that a TCP connection is being closed. SS_CANTSENDMORE: indicates that a socket cannot send data. SS_CANTRCVMORE: indicates that a socket cannot receive data. SS_RCVMARK: indicates that a socket sets the receiving option in the received packet. SS_NBIO: indicates that the type of a socket is non-blocking. SS_ISCONFIRMING: indicates that the upper-layer application will complete processing a connection. SS_BLOCKING: indicates that congestion occurs during packet receiving and sending. SS_RECALL: indicates that the message notification method is set by an asynchronous socket. SS_PRIV: indicates the option transferred from the Unix. The option is invalid in the current socket. SS_ASYNC: indicates the status identifier of an asynchronous socket.
Asyn Que status	Current asynchronous queue status.
read	Number of messages read by the asynchronous queue.
write	Number of messages written by the asynchronous queue.
connect	Number of connection messages in the asynchronous queue.
close	Number of messages about closed connections in the asynchronous queue.
peer close	Number of messages about connections closed by the remote end in the asynchronous queue.
accept	Number of messages received by the asynchronous queue.
keep alive down	Number of keepalivedown messages in the asynchronous queue.
cram time	Time for the asynchronous queue to become full.
lost msg	Number of asynchronous messages discarded by the asynchronous queue.
msg type	Current asynchronous message type.
smb input	Number of times of notifying the application layer to read received packets on the backup board.
smb output	Number of times of notifying the application layer to read sent packets on the backup board.
smooth over	Number of times of notifying the application layer that the smoothing is over.

Related Topics

reset ip socket monitor

display ip socket register-port

Function

The display ip socket register-port command displays non-well-known port numbers that have been assigned to services on the device.

Format

display ip socket register-port

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

As defined in RFC standards, port numbers larger than 1024 are non-well-known port numbers and can be assigned to desired services, such as NQA and SSH services. However, a non-well-known port number can be assigned to only one service on the same device. If you assign a non-well-known port number to two or more services, this port number takes effect for only the latest configured service. As a result, the other services using this port number will fail.

Before you assign a non-well-known port number to a service, run the display ip socket register-port command to check non-well-known port numbers that have been assigned to other services, preventing service failures caused by conflicts of non-well-known port numbers.

Example

# Display non-well-known port numbers that have been assigned to services on the device.

<HUAWEI> display ip socket register-port

Port      Task        Type
38514     INFO        TCP4
38514     INFO        TCP6
1025      SLAG        UDP4
3784      BFD         UDP4
4784      BFD         UDP4
5246      CWP_FWD     UDP4
5247      CWP_FWD     UDP4
38514     INFO        UDP4
60000     EZOP        UDP4
65531     CWP_FWD     UDP4
65532     CWP_FWD     UDP4
65533     CWP_FWD     UDP4
65534     CWP_FWD     UDP4
3784      BFD         UDP6
4784      BFD         UDP6
5246      CWP_FWD     UDP6
5247      CWP_FWD     UDP6
38514     INFO        UDP6
60000     EZOP        UDP6
65531     CWP_FWD     UDP6
65532     CWP_FWD     UDP6
65533     CWP_FWD     UDP6
65534     CWP_FWD     UDP6

Table 5-38 Description of the display ip socket register-port command output

Item	Description
Port	Non-well-known port number that has been assigned to a service.
Task	Name of the task to which a non-well-known port number is assigned.
Type	Port type, including TCP and UDP.

display ip statistics

Function

The display ip statistics command displays IP traffic statistics.

Format

display ip statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

IP traffic statistics include statistics about received packets (including discarded packets that carry source-route options), sent packets, fragmented packets, and reassembled packets. If a large number of bad protocol and no route fields is displayed in the command output, the device receives a large volume of IP packets of unknown protocol types and IP packets for which no routes can be found. In this situation, the device may be attacked by the connected devices.

Example

# Display IP traffic statistics.

<HUAWEI> display ip statistics

  Input:     sum                263482      local                263473         
             bad protocol            0      bad format                1         
             bad checksum            0      bad options               0         
             discard srr             0      discard rr                0         
             discard ra              0      discard ts                0         
             TTL exceeded            0                                          
  Output:    forwarding              0      local                303399         
             dropped             56479      no route                225         
  Fragment:  input                   0      output                    0         
             dropped                 0                                          
             fragmented              0      couldn't fragment         0         
  Reassembling:sum                   0      timeouts                  0

Table 5-39 Description of the display ip statistics command output

Item	Description
Input	Received packets.
sum	Total number of packets.
local	Number of packets sent to the upper-layer protocol.
bad protocol	Number of received IP packets of unknown protocol types. The protocol field in the IP header cannot be identified by the upper-layer protocol.
bad format	Number of packets in incorrect format.
bad checksum	Number of packets with checksum errors.
bad options	Number of packets with incorrect options.
discard srr	Number of discarded packets with source route options.
discard rr	Indicates the number of packets that are received and then discarded because of record-route options.
discard ra	Indicates the number of packets that are received and then discarded because of alert-route options.
discard ts	Indicates the number of packets that are received and then discarded because of time stamps options.
TTL exceeded	Number of packets discarded because the TTL expires.
Output	Sent packets.
forwarding	Number of forwarded packets.
local	Number of generated packets.
dropped	Number of discarded packets.
no route	Number of packets for which no correct route can be found, including the packets sent and forwarded by the local device.
Fragment	Number of packet fragments.
input	Number of received fragments.
output	Number of sent fragments.
dropped	Number of discarded fragments.
fragmented	Number of successfully fragmented packets.
couldn't fragment	Number of packets that cannot be fragmented.
Reassembling:sum	Number of successfully reassembled fragments.
timeouts	Number of expired fragments.

Related Topics

display ip interface

reset ip statistics

display load-balance mode

Function

The display load-balance mode command displays the load balancing mode on a switch.

Format

display load-balance mode [ packet | flow | slot slot-number ]

Parameters

Parameter	Description	Value
packet	Displays information about the switch adopting the per packet load balancing mode.	-
flow	Displays information about the switch adopting the per flow load balancing mode.	-
slot slot-number	Specifies the ID of a slot. After the slot ID is specified, the load balancing mode on a specified switch is displayed.	The value is an integer. It has a fixed value of 0 in a non-stack scenario, and depends on the device configuration in a stack scenario.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Using the display load-balance mode packet or the display load-balance mode flow command displays information about the switch adopting the specified load balancing mode.

The display load-balance mode slot slot-number command displays the load balancing mode on a specified switch.

If neither the slot ID nor load balancing mode is specified in the display load-balance mode command, by default, load balancing mode on the switch is displayed.

Example

# Display the load balancing modes on the switch.

<HUAWEI> display load-balance mode
load-balance flow slot 0

Table 5-40 Description of the display load-balance mode command output

Item	Description
load-balance	Load balancing mode packet: per packet load balancing flow: per flow load balancing
slot	Slot ID

Item

Description

load-balance

Load balancing mode

packet: per packet load balancing
flow: per flow load balancing

slot

Slot ID

Related Topics

load-balance (system view)

display network status

Function

Running the display network status command, you can check the network status of a device.

Format

display network status { all | tcp | udp | port port-number }

Parameters

Parameter	Description	Value
all	Displays all the network information.	-
tcp	Displays TCP.	-
udp	Displays UDP.	-
port port-number	Specifies the number of an interface.	The value is an integer ranging from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display network status command is used to check the network status, such as the running interfaces and services on the network. For example, when you find that an interface is being used by an unknown module during a security scan, run the command to check out the module.

Example

# Display all information about the network status.

<HUAWEI> display network status all
Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State
TCP   VTYD/1      0.0.0.0:23               0.0.0.0:0                Listening
TCP   HTTP/2      0.0.0.0:80               0.0.0.0:0                Listening
TCP   HTTP/1      0.0.0.0:443              0.0.0.0:0                Listening
TCP   VTYD/59     192.168.50.166:23        10.135.19.141:60445      Established
TCP6  VTYD/2      ::->23                   ::->0                    Listening
UDP   AGNT/1      0.0.0.0:161              0.0.0.0:0
UDP   SLAG/1      0.0.0.0:1025             0.0.0.0:0
UDP   RDS /1      0.0.0.0:1812             0.0.0.0:0
UDP6  AGT6/1      ::->161                  ::->0
UDP6  RDS /2      ::->1812                 ::->0

Table 5-41 Description of the display network status command output

Item	Description
Proto	Protocol
Task/SockId	Task and Socket ID VTYD: Process login requests of all users. HTTP: Transfer hypertext from WWW servers to local browsers AGNT: Implement the IPv4 SNMP protocol. SLAG: Implement E-Trunk. RDS: Implement the RADIUS protocol, manage the protocol state machine, and maintain protocol databases. AGT6: Implement the IPv6 SNMP protocol.
Local Addr&Port	Local IP address and Port number
Foreign Addr&Port	Remote IP address and Port number
State	Connection status

display priority

Function

Using the display priority command, you can view the 802.1p priority and DSCP priority that are set in the system.

Format

display priority { 8021p | dscp }

Parameters

Parameter	Description	Value
8021p	Displays the 802.1p priority.	-
dscp	Displays the DSCP priority.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays the 802.1p priority and DSCP priority that are set in the system.

The display priority command displays information only after the set priority command is executed to set the 802.1p priority or DSCP priority.

Example

# Set the DSCP priority to 10, and display the DSCP priority set in the system.

<HUAWEI> system-view
[HUAWEI] set priority dscp 10
[HUAWEI] quit
<HUAWEI> display priority dscp
 The dscp priority is 10

Related Topics

set priority

display rawip statistics

Function

The display rawip statistics command displays RawIP traffic statistics.

Format

display rawip statistics [ verbose ]

Parameters

Parameter	Description	Value
verbose	Displays detailed RawIP traffic statistics based on the ICMP, RSVP, and Others protocols.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The statistics about RawIP packets include the number of sent RawIP packets and the number of received RawIP packets.

RSVP, and ICMP packets are encapsulated into RawIP packets to be sent. During the ping operation, for example, you can run the display rawip statistics command to view the number of RawIP packets sent by the local device to check whether the abnormality on the network is caused by abnormal sending and receiving of RawIP packets.

If you want to diagnose problems and monitor information of specific applications, configure verbose in the display rawip statistics command to display application-specific RawIP packet statistics. The applications can be ICMP, RSVP, and others.

Precautions

The number of packets received by a switch includes the number of forwarded packets, packets sent to the upper layer, and discarded packets.

RawIP traffic statistics are collected based on the well-known protocol number. The protocol number is identified by the protocol field in the IP packet header.

The protocol number of ICMP statistics is 1.
The protocol number of RSVP statistics is 46.
Statistics about packets with other protocol numbers are collected into the Others field.

Example

# View the statistics about RawIP packets.

<HUAWEI> display rawip statistics

Received packets:
  dropped packets because the socket buffer is full   : 0
  dropped packets because no matching socket is found : 0

Sent packets:
  dropped packets : 0

Table 5-42 Description of the display rawip statistics command output

Item	Description
Received packets	Indicates the number of received packets.
dropped packets because the socket buffer is full	Indicates the number of RawIP packets that are discarded because the socket buffer is full.
dropped packets because no matching socket is found	Indicates the number of RawIP packets that are discarded because the socket of the receiver does not match with that of the sender.
Sent packets	Indicates the number of sent packets.
dropped packets	Indicates the number of discarded packets.

Related Topics

reset rawip statistics

display snmp-agent trap feature-name ip all

Function

The display snmp-agent trap feature-name ip all command displays all trap messages of the IP module.

Format

display snmp-agent trap feature-name ip all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Simple Network Management Protocol (SNMP) is a standard network management protocol widely used on TCP/IP networks. It uses a central computer (a network management station) that runs network management software to manage network elements. The management agent on the network element automatically reports traps to the network management station. After that, the network administrator immediately takes measures to resolve the problem.

Prerequisites

SNMP has been enabled. See snmp-agent.

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name ip all command to check the status of all traps of IP. You can use the snmp-agent trap enable feature-name ip command to enable the trap function of IP.

Example

# Display all trap messages of the IP module.

<HUAWEI>display snmp-agent trap feature-name ip all

------------------------------------------------------------------------------  
Feature name: IP                                                                
Trap number : 1                                                                 
------------------------------------------------------------------------------  
Trap name                       Default switch status   Current switch status   
hwIfIpAddressChange             off                     off

Table 5-43 Description of the display snmp-agent trap feature-name ip all command output

Item	Description
Feature name	Name of the module to which a trap message belongs.
Trap number	Number of trap messages.
Trap name	Name of a trap message of the IP module: hwIfIpAddressChange: alarm of the IP address changes.
Default switch status	Status of the default trap switch: on: indicates that the trap function is enabled. off: indicates that the trap function is disabled.
Current switch status	Status of the current trap switch: on: indicates that the trap function is enabled. off: indicates that the trap function is disabled.

Related Topics

snmp-agent trap enable feature-name ip

display snmp-agent trap feature-name tcp all

Function

The display snmp-agent trap feature-name tcp all command displays all trap messages of the TCP module.

Format

display snmp-agent trap feature-name tcp all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Prerequisites

SNMP has been enabled. See snmp-agent.

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name tcp all command to check the status of all traps of TCP. You can use the snmp-agent trap enable feature-name tcp command to enable the trap function of TCP.

Example

# Display all trap messages of the TCP module.

<HUAWEI> display snmp-agent trap feature-name tcp all
------------------------------------------------------------------------------
Feature name: TCP
Trap number : 1
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwTCPMD5AuthenFail              off                     off

Table 5-44 Description of the display snmp-agent trap feature-name tcp all command output

Item	Description
Feature name	Name of the module to which a trap message belongs.
Trap number	Number of trap messages.
Trap name	Name of a trap message of the TCP module: hwTCPMD5AuthenFail: alarm of the TCP MD5 authentication fails. It is an excessive trap.
Default switch status	Status of the default trap switch: on: indicates that the trap function is enabled. off: indicates that the trap function is disabled.
Current switch status	Status of the current trap switch: on: indicates that the trap function is enabled. off: indicates that the trap function is disabled.

Related Topics

snmp-agent trap enable feature-name tcp

display tcp statistics

Function

The display tcp statistics command displays TCP traffic statistics.

Format

display tcp statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command displays TCP traffic statistics including different types of received and sent packets. For example, duplicate received packets and packets with checksum errors. In addition, connection-related statistics are displayed, for example, times of accepted connections, the number of retransmitted packets, and the number of keepalive packets.

Most of the preceding statistics are expressed in number of packets, and some of them are expressed in number of bytes.

Example

# Display TCP traffic statistics.

<HUAWEI> display tcp statistics
Received packets:
     Total: 0
     Total(64bit high-capacity counter): 0
     packets in sequence: 0 (0 bytes)
     window probe packets: 0, window update packets: 0
     checksum error: 0, offset error: 0, short error: 0

     duplicate packets: 0 (0 bytes), partially duplicate packets: 0 (0 bytes)
     out-of-order packets: 0 (0 bytes)
     packets of data after window: 0 (0 bytes)
     packets received after close: 0

     ACK packets: 0 (0 bytes)
     duplicate ACK packets: 0, too much ACK packets: 0

Sent packets:
    Total: 0
     Total(64bit high-capacity counter): 0
     urgent packets: 0
     control packets: 0 (including 0 RST)
     window probe packets: 0, window update packets: 0

     data packets: 0 (0 bytes),    data packets retransmitted: 0 (0 bytes)
     ACK-only packets: 0 (0 delayed)

Other information:
    Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
    Keep alive timeout: 0, keep alive probe: 0,     Keep alive timeout, so connections disconnected : 0
    Initiated connections: 0,     accepted connections: 0, established connections: 0
    Closed connections: 0 (    dropped: 0, initiated dropped: 0)
    Packets dropped with MD5 authentication: 0
    Packets permitted with MD5 authentication: 0
    Send Packets permitted with Keychain authentication: 0
    Receive Packets permitted with Keychain authentication: 0
    Receive Packets Dropped with Keychain authentication: 0

Table 5-45 Description of the display tcp statistics command output

Item	Description
Received packets	Statistics about received packets.
Total	Total number of packets.
Total (64bit high-capacity counter)	Total number of packets, using the 64-bit counter.
packets in sequence (bytes)	Number of bytes in the packets that arrive in order.
window probe packets	Number of window probe packets.
window update packets	Number of window update packets.
checksum error	Number of packets with checksum errors.
offset error	Number of packets with offset errors.
short error	Number of packets whose length is too short.
duplicate packets (bytes)	Number of bytes in the duplicate packets.
partially duplicate packets (bytes)	Number of bytes in partially duplicate packets.
out-of-order packets (bytes)	Number of bytes in the out-of-order packets.
packets of data after window (bytes)	Number of bytes in the packets whose size is greater than the window size.
packets received after close	Number of packets that arrive after a connection is closed.
ACK packets (bytes)	Number of acknowledged packets, in bytes.
duplicate ACK packets	Number of re-acknowledged packets.
too much ACK packets	Number of acknowledged packets with no data sent.
Sent packets	Number of sent packets.
urgent packets	Number of urgent packets.
control packets (RST)	Number of control packets (RST packets).
data packets	Number of data packets.
data packets retransmitted (0 bytes)	Number of bytes in the retransmitted packets.
ACK only packets (delayed)	Number of acknowledged packets that are delayed.
Other information	Other information.
Retransmitted timeout	Timeout interval of the retransmission timer.
connections dropped in retransmitted timeout	Number of connections discarded because the number of retransmission times exceeds the threshold.
Keep alive timeout	Timeout interval of the keepalive timer.
keep alive probe	Number of sent keepalive packets.
Keep alive timeout, so connections disconnected	Number of connections discarded because keepalive probe fails.
Initiated connections	Number of initiated connections.
accepted connections	Number of accepted connections.
established connections	Number of established connections.
Closed connections (dropped, initiated dropped)	Number of closed connections (number of discarded packets after a connection is set up or before a connection is set up).
Packets dropped with MD5 authentication	Number of packets that fail to pass MD5 authentication.
Packets permitted with MD5 authentication	Number of packets that pass MD5 authentication.
Send Packets permitted with Keychain authentication	Number of sent packets that carry keychain options.
Receive Packets permitted with Keychain authentication	Number of received packets that pass keychain authentication.
Receive Packets Dropped with Keychain authentication	Number of received packets that fail to pass keychain authentication.

Related Topics

display tcp status

Function

The display tcp status command displays current TCP connection status.

Format

display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ip-address ] [ local-port local-port-number ] [ remote-ip ip-address ] [ remote-port remote-port-number ] ]

Parameters

Parameter	Description	Value
task-id task-id	Displays the TCP connection status of the task with a specified ID.	The value must be an existing task ID.
socket-id socket-id	Displays the TCP connection status of the socket with a specified ID.	The value must be an existing socket ID.
local-ip ip-address	Displays the TCP connection status of a specified local IP address.	The value is in dotted decimal notation.
local-port local-port-number	Displays the TCP connection status of a specified local port ID.	The value must be an existing local port ID.
remote-ip ip-address	Displays the TCP connection status a specified remote IP address.	The value is in dotted decimal notation.
remote-port remote-port-number	Displays the TCP connection status of a specified remote port ID.	The value must be an existing remote port ID.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The transmission control protocol defined in RFC 793 ensures high reliability of transmission between hosts. TCP provides reliable and connection-oriented services in full duplex mode. Run the display tcp status command to monitor the TCP connection status. The following information is displayed.

ID of the TCP task control block.
ID of the IPv4 TCP task and socket.
Local IPv4 address and port ID.
Remote IPv4 address and port ID.
ID of the VPN instance to which the TCP connection belongs.
IPv4 TCP connection status.

You can set filtering rules based on the Task ID, socket ID, IP address and port number of the local device, and IP address and port number of the remote device so that only the information matching the rules is displayed. This prevents unnecessary information from being displayed and helps you locate faults accurately and efficiently.

Precautions

The command output is null if there is no TCP connection.

Example

# Display the TCP connection status on the local device.

<HUAWEI> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
0a5d560c 30 /1    0.0.0.0:23            0.0.0.0:0             14849 Listening

# Display the status of the TCP connection originated from the local IP address 0.0.0.0 and port 23.

<HUAWEI> display tcp status local-ip 0.0.0.0 local-port 23
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
0a5d560c 30 /1    0.0.0.0:23            0.0.0.0:0             14849 Listening

Table 5-46 Description of the display tcp status command output

Field	Description
TCPCB	ID of the TCP task control block.
Tid/Soid	Task ID and socket ID.
Local Add: port	IP address and port number of the local device. If the value of Local Add is 0.0.0.0, TCP connections of all IP addresses are monitored. If the value of port is 0, the TCP connection of all ports is monitored.
Foreign Add: port	IP address and port number of the remote device. If the value of Foreign Add is 0.0.0.0, the TCP connection of all IP addresses is monitored. If the value of port is 0, TCP connections of all ports are monitored.
VPNID	ID of the VPN instance to which the TCP connection belongs. -1: indicates all VPNs. 0: indicates the public VPN. Other values: indicates the private VPN. The VPNID is defined by users.
State	TCP connection status: Closed: indicates that the TCP connection is closed. Listening: indicates that the TCP connection is being monitored. Syn_Rcvd: indicates that a packet with the SYN flag is received. Established: indicates that the TCP connection has been set up. Close_Wait: indicates that a user sends a packet with the FIN flag to the server to close the TCP connection in Established state. The server then sends an ACK packet to the user after receiving the packet and enters the Close_Wait state. Fin_Wait1: indicates that a user sends a packet with the FIN flag to the server to close the TCP connection and enter this state. Fin_Wait2: indicates that a user receives an ACK packet that responds to the sent packet with the FIN flag. Time_Wait: indicates that TCP enters this state after the TCP connection is closed. When TCP has been in Time_Wait state two times the lifetime of the longest packets, records about the closed connection are deleted. Closing: indicates that the user and server close the TCP connection simultaneously.

display udp statistics

Function

The display udp statistics command displays UDP traffic statistics.

Format

display udp statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command displays UDP traffic statistics including different types of received and sent packets. For example, packets with checksum errors. In addition, connection-related statistics are displayed, for example, the number of broadcast packets. The preceding statistics are expressed in number of packets.

Example

# Display UDP traffic statistics.

<HUAWEI> display udp statistics
Received packets:
    Total: 0
    Total(64bit high-capacity counter): 0
    checksum error: 0
    shorter than header: 0
    data length larger than packet: 0
    unicast(no socket on port): 0
    broadcast/multicast(no socket on port): 0
    not delivered, input socket full: 0
    input packets missing pcb cache: 0

Sent packets:
    Total: 0
    Total(64bit high-capacity counter): 0

Table 5-47 Description of the display udp statistics command output

Item	Description
Received packet: Total Total (64bit high-capacity counter)	Total number of received UDP packets. Total number of received UDP packets (using the 64-bit counter).
checksum error	Number of packets with checksum errors.
shorter than header	Number of packets whose length is shorter than the packet header.
data length larger than packet	Number of packets whose data length is greater than the packet length.
unicast (no socket on port)	Number of unicast packets.
broadcast/multicast (no socket on port)	Number of broadcast and multicast packets.
not delivered, input socket full	Number of packets that are not sent out because the socket buffer is full.
input packets missing pcb cache	Number of sent packets that are not found in the PCB cache.
Sent packets: Total Total (64bit high-capacity counter)	Total number of sent UDP packets. Total number of sent UDP packets (using the 64-bit counter).

Related Topics

reset udp statistics

icmp blackhole unreachable send

Function

The icmp blackhole unreachable send command enables the switch to send a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

The undo icmp blackhole unreachable send command disables the switch from sending a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

By default, the switch is disabled from sending a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

Format

icmp blackhole unreachable send

undo icmp blackhole unreachable send

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If static IPv4 blackhole routes are configured on the switch configured with the user access and authentication function, when a user goes offline, only the IPv4 blackhole route corresponding to the user's address segment exists on the switch. When a tracert packet matches the IPv4 blackhole route, the switch discards the packet. As a result, an initiator cannot detect that the user has gone offline.

After you run the icmp blackhole unreachable send command, the switch sends a Destination Unreachable ICMP packet to an initiator, notifying the initiator that the user has gone offline if a user goes offline and a tracert packet matches the IPv4 blackhole route.

Example

# Enable the switch to send a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

<HUAWEI> system-view
[HUAWEI] icmp blackhole unreachable send

icmp host-unreachable send

Function

The icmp host-unreachable send command enables the switch to send ICMP Host Unreachable packets.

The undo icmp host-unreachable send command disables the switch from sending ICMP Host Unreachable packets.

By default, the function of sending ICMP Host Unreachable packets is enabled.

Format

icmp host-unreachable send

undo icmp host-unreachable send

Parameters

None

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ICMP error packets contain network information, such as network connectivity, host reachability, and route availability. ICMP error packets are ultimately returned to the sender because the sender is the logical receiver of the ICMP error packets. The sender learns about the error types from the ICMP error packets, and then determines how to retransmit the data.

After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.

Port Unreachable, Protocol Unreachable, and Host Unreachable packets are ICMP Destination Unreachable packets.

When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.

The Destination Unreachable packets facilitate network control and management. However, the inherent defects of the ICMP protocol make the routing devices and hosts be prone to attacks. Therefore, sending the ICMP Destination Unreachable packets has the following defects:

The ICMP packets increase traffic volume and burden the network devices.
If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.

After you run the undo icmp host-unreachable send command, the device does not send ICMP Host Unreachable packets externally. This prevents the peer device from processing a large number of ICMP packets.

Precautions

The icmp host-unreachable send command can be run in the system view or VLANIF interface view.

After the function of sending ICMP Host Unreachable packets is disabled in the system view, all VLANIF interfaces do not send ICMP Host Unreachable packets. Even if the function is enabled on a VLANIF interface, the VLANIF interface does not send ICMP Host Unreachable packets.
After the function of sending ICMP Host Unreachable packets is enabled in the system view, all VLANIF interfaces send ICMP Host Unreachable packets because the function is enabled on all interfaces by default. You can run the undo icmp host-unreachable send command in VLANIF interface view to disable the function on a specified VLANIF interface.

If the function of sending ICMP Host Unreachable packets is disabled, the switch does not send ICMP Host Unreachable packets in any situations.

This command needs to be configured on the inbound interface of ICMP packets in the VLANIF interface view.

Example

# Enable the switch to send ICMP Host Unreachable packets.

<HUAWEI> system-view
[HUAWEI] icmp host-unreachable send

# Enable VLANIF100 to send ICMP Host Unreachable packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp host-unreachable send

Related Topics

display icmp statistics

icmp port-unreachable send

Function

The icmp port-unreachable send command enables the device to send ICMP Port Unreachable packets.

The undo icmp port-unreachable send command disables the device from sending ICMP Port Unreachable packets.

By default, the device sends ICMP Port Unreachable packets.

Format

icmp port-unreachable send

undo icmp port-unreachable send

Parameters

None

Views

System view, VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.

Port Unreachable, Protocol Unreachable, and Host Unreachable packets are ICMP Destination Unreachable packets.

When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.

The ICMP packets increase traffic volume and burden the network devices.
If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.

After you run the undo icmp port-unreachable send command, the device does not send ICMP Port Unreachable packets externally. This prevents the peer device from processing a large number of ICMP packets.

Precautions

The icmp port-unreachable send command can be run in the system view or VLANIF interface view.

After the function of sending ICMP Port Unreachable packets is disabled in the system view, all VLANIF interfaces do not send ICMP Port Unreachable packets. Even if the function is enabled on a VLANIF interface, the VLANIF interface does not send ICMP Port Unreachable packets.
After the function of sending ICMP Port Unreachable packets is enabled in the system view, all VLANIF interfaces send ICMP Port Unreachable packets because the function is enabled on all interfaces by default. You can run the undo icmp port-unreachable send command in VLANIF interface view to disable the function on a specified VLANIF interface.

If the function of sending ICMP Port Unreachable packets is disabled, the switch does not send ICMP Port Unreachable packets in any situations.

Example

# Enable the device to send ICMP Port Unreachable packets.

<HUAWEI> system-view
[HUAWEI] icmp port-unreachable send

# Enable the device to send ICMP Port Unreachable packets on VLANIF100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp port-unreachable send

icmp protocol-unreachable send

Function

The icmp protocol-unreachable send command enables the function of sending ICMP Protocol Unreachable packets.

The undo icmp protocol-unreachable send command disables the function of sending ICMP Protocol Unreachable packets.

By default, the function of sending ICMP Protocol Unreachable packets is enabled.

Format

icmp protocol-unreachable send

undo icmp protocol-unreachable send

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.

Port Unreachable, Protocol Unreachable, and Host Unreachable packets are ICMP Destination Unreachable packets.

When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.

The ICMP packets increase traffic volume and burden the network devices.
If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.

After you run the icmp protocol-unreachable send command, the device does not send ICMP Protocol Unreachable packets externally. This prevents the peer device from processing a large number of ICMP packets.

Example

# Enable the function of sending ICMP Protocol Unreachable packets.

<HUAWEI> system-view
[HUAWEI] icmp protocol-unreachable send

Related Topics

display icmp statistics

icmp receive

Function

The icmp receive command enables the device to receive ICMP packets with the local IP address as the destination IP address.

The undo icmp receive command disables the device from receiving ICMP packets with the local IP address as the destination IP address.

By default, the device receives ICMP packets with the local IP address as the destination IP address.

Format

icmp { type icmp-type code icmp-code | name icmp-name | all } receive

undo icmp { type icmp-type code icmp-code | name icmp-name | all } receive

Parameters

Parameter	Description	Value
type icmp-type	Specifies the type number of an ICMP packet.	The value is an integer ranging from 0 to 255.
code icmp-code	Specifies the code of an ICMP packet.	The value is an integer ranging from 0 to 255.
name icmp-name	Specifies the name of an ICMP packet.	The value is a string of case-insensitive characters, with spaces not supported. The value can be any of the following: echo echo-reply fragmentneed-dfset host-redirect host-tos-redirect host-unreachable information-reply information-request net-redirect net-tos-redirect net-unreachable parameter-problem port-unreachable protocol-unreachable reassembly-timeout source-quench source-route-failed timestamp-reply timestamp-request ttl-exceeded
all	Specifies all ICMP packets.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On secure networks, the device can normally receive ICMP packets. In the case of heavy traffic on the network, if hosts or ports are frequently unreachable, the device will receive a large number of ICMP packets, which causes heavier traffic burdens over the network and degrades the performance of the device.
On insecure networks, network attackers often make use of ICMP error packets to probe on the internal structure of the network.

To improve network performance or enhance security, run the undo icmp receive command to disable switches from receiving ICMP packets with the local IP address as the destination IP address.

After network performance improves, you can run the icmp receive command to enable switches to receive ICMP packets with the local IP address as the destination IP address.

Precautions

After the undo icmp receive command is run, the device no longer process ICMP packets of a certain type, causing the host to fail to ping the device.

Example

# Disable the device from receiving ICMP packets with the type number being 3 and the code number being 1.

<HUAWEI> system-view
[HUAWEI] undo icmp type 3 code 1 receive

icmp redirect send

Function

The icmp redirect send command enables the switch to send ICMP redirect packets.

The undo icmp redirect send command disables the switch from sending ICMP redirect packets.

The function of sending ICMP Redirect packets is enabled.

Format

icmp redirect send

undo icmp redirect send

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ICMP Redirect packets are a type of ICMP error packets.

When a host starts, there may be only one default route to the gateway in its routing table. In the following situations, the device functions as a gateway to send an ICMP Redirect packet to the source host, requesting the host to select another next hop address for subsequent packet forwarding:

The interface that receives the data packet is the same as the interface used to forward the packet.
The device needs to forward a received packet. After looking up the routing table, the device finds that the next hop IP address is on the same network segment with the destination address of the packet.

After the device sends ICMP Redirect packets to the host that has only a few routes, the host can enrich the routing table and find out the optimal route.

The ICMP error packets facilitate network control and management. However, the inherent defects of the ICMP protocol make the routing devices and hosts be prone to attacks. Therefore, sending the ICMP error packets has the following defects:

The ICMP packets increase traffic volume and burden the network devices.
If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
The ICMP Redirect function increases the number of routes in the host's routing table. When many routes are added, the host performance will be degraded.

You need to decide whether to enable ICMP Redirect packet sending according to network situation.

Precautions

The command is used on the interface that receives ICMP packets.

Example

# Enable VLANIF100 to send ICMP Redirect packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp redirect send

Related Topics

display icmp statistics

icmp host-unreachable send

icmp ttl-exceeded send

Function

The icmp ttl-exceeded send command enables an interface to send ICMP Time Exceeded packets.

The undo icmp ttl-exceeded send command disables an interface from sending ICMP Time Exceeded packets.

By default, an interface is enabled to send ICMP Time Exceeded packets.

Format

icmp ttl-exceeded send

undo icmp ttl-exceeded send

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

If the destination address of a received IP packet is not the local address and the TTL value is 1, a timeout error occurs. In this situation, the device discards the packet and returns an ICMP Time Exceeded packet to the source.

When replying with an ICMP Time Exceeded packet, an interface adds its IP address as the source IP address in the ICMP Time Exceeded packet, exposing the interface itself to attackers. In addition, after being attacked, the interface replies with numerous ICMP Time Exceeded packets, consuming CPU resources and degrading system performance. To resolve these problems, run the undo icmp ttl-exceeded send command to disable the interface from replying with ICMP Time Exceeded packets.

Example

# Enable VLANIF100 to send ICMP Time Exceeded packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp ttl-exceeded send

icmp-reply fast

Function

The icmp-reply fast command enables the fast ICMP reply function.

The undo icmp-reply fast command disables the fast ICMP reply function.

By default, the fast ICMP reply function is enabled.

Format

icmp-reply fast

undo icmp-reply fast

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The ping program is used to check network connectivity. If two hosts cannot ping each other, they cannot set up a connection. The ping program uses the ICMP protocol. It encapsulates ICMP Echo Request packets into IP packets, and sends the packets to the destination host. The destination host returns an ICMP Echo Reply packet to the source host. If the source host receives a reply within a certain period, the source host considers that the destination host is reachable.

In normal situations, after an interface receives an ICMP Echo Request packet, this packet is sent to the protocol stack and handled by the CPU.

After ICMP fast reply is enabled, if an interface receives an ICMP Echo Request packet of which the destination address is the local address, the packet is not sent to the protocol stack for handing by the CPU, but handled by the interface. This improves forwarding performance of the device.

Precautions

The fast ICMP reply function is not supported for fragmented packets, packets with IP options, and MPLS-encapsulated packets.

After VLAN mapping is configured, the VLANIF interface corresponding to the mapped VLAN does not support the fast ICMP reply function.

A switch does not support fragmentation of the ICMP Echo Reply packets processed based on the fast ICMP reply mechanism to be sent to the remote end. The packets will not be discarded even if their length is greater than the MTU of the outbound interface.

Example

# Enable the fast ICMP reply function.

<HUAWEI> system-view
[HUAWEI] icmp-reply fast

ip error-packet-check disable

Function

The ip error-packet-check disable command disables the IP packet checking function.

The undo ip error-packet-check disable command enables the IP packet checking function.

By default, the IP packet checking function is enabled.

Format

ip error-packet-check disable

undo ip error-packet-check disable

Parameters

None

Views

GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the link type of an interface is QinQ or the VLAN mapping or VLAN stacking function is configured on the interface, the system checks IP packets so that the device cannot transparently transmit IP error packets. In addition, during Layer 2 forwarding, devices cannot transparently transmit packets with the same source and destination IP addresses. To enable the device to transparently transmit IP error packets, you can run the ip error-packet-check disable command to disable the IP packet checking function.

Precautions

When the IP packet checking function is disabled, the IP subnet-based VLAN assignment , policy-based VLAN assignment do not take effect. Therefore, confirm your action before disabling this function.

Example

# Disable the IP packet checking function on the interface GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip error-packet-check disable

ip forward-broadcast

Function

Using the ip forward-broadcast command, you can enable an interface to forward directed broadcast packets.

Using the undo ip forward-broadcast command, you can disable an interface from forwarding directed broadcast packets.

By default, disable the interface from forwarding directed broadcast packets.

Format

ip forward-broadcast [ acl acl-number ]

undo ip forward-broadcast

Parameters

Parameter	Description	Value
acl acl-number	Specifies the number of an ACL.	The value is an integer that ranges from 2000 to 3999. The number of a basic ACL ranges from 2000 to 2999. The number of an advanced ACL ranges from 3000 to 3999.

Parameter

Description

Value

acl acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

The number of a basic ACL ranges from 2000 to 2999.
The number of an advanced ACL ranges from 3000 to 3999.

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Directed broadcast packets are sent to a specified network. In the destination IP address of a directed broadcast packet, the network number is that of the specified network and the host number is all 1s.

Hackers use directed broadcast packets to attack networks, which threatens the network security. Therefore, directed broadcast packets are isolated by Layer 3 switches in normal cases. However, in some scenarios, the device needs to receive or forward these directed broadcast packets. For example, when Wake on LAN (WOL) is configured on a PC, the command can be run to enable the interface to forward directed broadcast packets. (WOL enables a PC in dormancy or shutdown state to wake up from dormancy state to running state or turn from shutdown state to power-on state through the instruction from the peer of the network.)

The device can also be enabled to receive and forward a certain type of directed broadcast packets based on ACLs. For example, if the basic ACL is used, run the acl (system view) and rule (basic ACL view) commands to define the directed broadcast packets to be received and forwarded as permit, and then run the ip forward-broadcast command to bind this ACL.

Precautions

By default, the device identifies directed broadcast packets as malformed packets, and intercepts and discards them because the attack defense function of malformed packets is enabled on the device. In this case, the interface on the device cannot forward the directed broadcast packets.

To solve this problem, use either of the following methods:

Run the anti-attack abnormal disable command to disable the attack defense function of malformed packets. However, after this command is configured, other malformed packets will not be intercepted and discarded, which brings certain security risks. Use this command with caution.
Run the anti-attack disable command to disable all attack defense functions. However, after this command is configured, not only malformed packets but also fragmented, tcp-syn, udp-flood, and icmp-flood attack packets will not be intercepted and discarded, which brings certain security risks. Use this command with caution.

This command does not apply to scenarios of conflicts between host routes and subnet broadcast routes due to network segment overlapping.

Example

# Enable VLANIF100 to forward directed broadcast packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip forward-broadcast

Related Topics

display ip interface

ip verify source-address

Function

The ip verify source-address command enables an interface to check validity of source IP addresses of received packets.

The undo ip verify source-address command disables an interface from checking validity of source IP addresses of received packets.

By default, an interface does not check validity of source IP addresses of received packets.

Format

ip verify source-address

undo ip verify source-address

Parameters

None

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Configuring source IP address verification enables an interface to check validity of source IP addresses of received packets. Packets with invalid addresses are discarded, which improves the network security.

The following IP addresses are illegal source addresses:

Addresses with all 0s or 1s
Multicast addresses (class D addresses)
Class E addresses
Loopback addresses that are not generated on local hosts (in 127.x.x.x format)
Broadcast addresses of classes A, B, and C
Subnet broadcast addresses that are on the same network segment as the address of the inbound interface

The interface only check validity of source IP addresses of the packets that need to be forwarded to the CPU, and does not check validity of source IP addresses of the packets that will be directly forwarded according to the FIB table.

If the mask in the IP address of the received packet is of 31 bits, the receiver considers it as a valid source address without checking the broadcast address of the subnet.

Run the display this command in the interface view to check configuration of checking validity of source IP addresses.

Example

# Enable VLANIF100 to check validity of source IP addresses of received packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip verify source-address

Related Topics

display this

load-balance (system view)

Function

The load-balance command enables the per-packet load balancing mode for IP packet forwarding.

The undo load-balance command restores the load balancing mode for IP packet forwarding to the default configuration.

By default, flow-based load balancing is used.

Format

load-balance { flow | packet } [ all | slot slot-id ]

undo load-balance packet [ all | slot slot-id ]

Parameters

Parameter	Description	Value
flow	Indicates flow-based load balancing.	-
packet	Indicates packet-based load balancing.	-
all	In a stack, the configuration is applied to all devices in the stack. On a stand-alone switch, the configuration is applied to the local device.	-
slot slot-id	Indicates that the configuration is applied to the device with the specified stack ID.	The value is an integer. It has a fixed value of 0 in a non-stack scenario, and depends on the device configuration in a stack scenario.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If flow-based load balancing is used, the hash algorithm is used to calculate a value for selecting a link to forward packets. The value is calculated based on the protocol type, source IP address, destination IP address, source port number, and destination port number.

If packet-based load balancing is used, packets are forwarded through different links. Packet-based load balancing can be implemented only for packets forwarded by the CPU such as protocol packets.

Precautions

The load-balance command takes effect for packets both delivered by the local device and processed by the CPU.

Example

# Configure packet-based load balancing for IP packet forwarding.

<HUAWEI> system-view
[HUAWEI] load-balance packet

reset ip socket monitor

Function

The reset ip socket monitor command clears information in a socket monitor.

Format

reset ip socket monitor [ task-id task-id socket-id socket-id ]

Parameters

Parameter	Description	Value
task-id task-id	Clears information about the task with a specified ID in the socket monitor.	The value must be an existing task ID.
socket-id socket-id	Clears information about the socket with a specified ID in the socket monitor.	The value must be an existing socket ID.

Views

User view

Default Level

3: Management level

Usage Guidelines

A socket monitor monitors and records each connection. A RawLink monitor also monitors interfaces. The socket monitor records specific protocol events that occur during operations and logs information in the disk space.

You can specify the task ID and socket ID for deleting information about the socket monitor that meets the filtering condition.

Example

# Clear information in a socket monitor.

<HUAWEI> reset ip socket monitor

Related Topics

display ip socket

reset ip socket pktsort

Function

The reset ip socket pktsort command resets statistics on the dual receive buffer of the socket.

Format

reset ip socket pktsort task-id task-id socket-id socket-id

Parameters

Parameter	Description	Value
task-id task-id	Specifies the ID of a task.	The value must be an existing task ID.
socket-id socket-id	Specifies the ID of a socket.	The value must be an existing socket ID.

Views

User view

Default Level

3: Management level

Usage Guidelines

This command clears statistics on the dual receive buffer of the socket and restarts the count. Therefore, confirm your action before running the command.

Example

# Reset statistics on the dual receive buffer of the socket with the task ID of 2 and the socket ID of 6.

<HUAWEI> reset ip socket pktsort task-id 2 socket-id 6

reset ip statistics

Function

The reset ip statistics command clears IP traffic statistics on an interface.

Format

reset ip statistics [ interface interface-type interface-number ]

Parameters

Parameter	Description	Value
interface interface-type interface-number	Specifies the type and ID of an interface. If no optional parameter is specified, all the IP statistics will be deleted.	-

Views

User view

Default Level

3: Management level

Usage Guidelines

To collect IP traffic statistics on an interface in a period of time, you must clear the existing traffic statistics and collect IP statistics after a period of time. Run the display ip statistics command to display information.

If no parameter is specified, the command clears IP traffic statistics on all boards.

Example

# Clear IP statistics on all interfaces.

<HUAWEI> reset ip statistics

# Clear IP statistics on VLANIF10.

<HUAWEI> reset ip statistics interface vlanif 10

Related Topics

display ip interface

display ip statistics

reset rawip statistics

Function

The reset rawip statistics command clears RawIP packet statistics.

Format

reset rawip statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

You need to clear the existing statistics about RawIP packets before using the display rawip statistics command to view the statistics about RawIP packets in a specified period.

The reset rawip statistics command clears RawIP packet statistics. Confirm your action before running this command.

Example

# Clear RawIP packet statistics.

<HUAWEI> reset rawip statistics

Related Topics

display rawip statistics

reset tcp statistics

Function

The reset tcp statistics command deletes TCP traffic statistics.

Format

reset tcp statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To delete TCP packet statistics, run the reset tcp statistics command. To view TCP packet statistics, run the display tcp statistics [ verbose ] command. The command output contains the number of sent packets, the number of received packets, or the number of TCP packets for each protocol (verbose). You can run the reset tcp statistics command to delete existing statistics and then run the display tcp statistics command to collect statistics. The statistics help you check whether TCP packet counts are correct or help you diagnose faults.

Precautions

The reset tcp statistics command deletes TCP traffic statistics. Confirm your action before running this command.

Example

# Delete TCP traffic statistics.

<HUAWEI> reset tcp statistics

Related Topics

display tcp statistics

reset udp statistics

Function

The reset udp statistics command deletes UDP traffic statistics.

Format

reset udp statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To delete UDP packet statistics, run the reset udp statistics command. To view UDP packet statistics, run the display udp statistics [ verbose ] command. The command output contains the number of sent packets, the number of received packets, or the number of UDP packets for each protocol (verbose). You can run the reset udp statistics command to delete existing statistics and then run the display udp statistics command to collect statistics. The statistics help you check whether UDP packet counts are correct or help you diagnose faults.

Precautions

The reset udp statistics command deletes UDP traffic statistics. Confirm your action before running this command.

Example

# Delete UDP traffic statistics.

<HUAWEI> reset udp statistics

Related Topics

display udp statistics

set priority

Function

The set priority command sets the 802.1p priority and the DSCP priority.

The undo set priority command cancels the settings of the 802.1p priority and DSCP priority.

By default, the value of the 802.1p priority and DSCP priority is not set.

Format

set priority { 8021p 8021p-number | dscp dscp-number }

undo set priority { 8021p | dscp }

Parameters

Parameter	Description	Value
8021p 8021p-number	Specifies the 802.1p priority.	The value is an integer that ranges from 0 to 7.
dscp dscp-number	Specifies the DSCP priority. This parameter takes effect only for IPv4 packets.	The value is an integer that ranges from 0 to 63.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After you run the set priority command to set the 802.1p or DSCP priority, the priority of the protocol packet sent from the switch is changed to the value set by the command.

If the packet priority is specified in the corresponding protocol, the specified priority takes effect and the set priority 8021p command does not take effect.

Example

# Set the DSCP priority to 10.

<HUAWEI> system-view
[HUAWEI] set priority dscp 10

Related Topics

display priority

snmp-agent trap enable feature-name ip

Function

The snmp-agent trap enable feature-name ip command enables the trap function for the IP module.

The undo snmp-agent trap enable feature-name ip command disables the trap function for the IP module.

By default, the trap function is disabled for the IP module.

Format

snmp-agent trap enable feature-name ip [ trap-name hwifipaddresschange ]

undo snmp-agent trap enable feature-name ip [ trap-name hwifipaddresschange ]

Parameters

Parameter	Description	Value
trap-name	Enables the traps of IP events of specified types.	-
hwifipaddresschange	Indicates that IP address of the interface changes.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events. If you do not specify trap-name, all traps of the IP module will be enabled.

Example

# Enables IP address of the interface changes trap of IP module.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name ip trap-name hwifipaddresschange

snmp-agent trap enable feature-name tcp

Function

The snmp-agent trap enable feature-name tcp command enables the trap function for the TCP module.

The undo snmp-agent trap enable feature-name tcp command disables the trap function for the TCP module.

By default, the trap function is disabled for the TCP module.

Format

snmp-agent trap enable feature-name tcp [ trap-name hwtcpmd5authenfail ]

undo snmp-agent trap enable feature-name tcp [ trap-name hwtcpmd5authenfail ]

Parameters

Parameter	Description	Value
trap-name	Enables the traps of TCP events of specified types.	-
hwtcpmd5authenfail	Indicates that the TCP MD5 authentication fails. It is an excessive trap.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can specify trap-name to enable the trap function for one or more events. If you do not specify trap-name, all traps of the TCP module will be enabled.

Example

# Enables the TCP MD5 authentication fails trap of TCP module.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name tcp trap-name hwtcpmd5authenfail

tcp min-mss

Function

The tcp min-mss command sets the minimum value of maximum segment size (MSS) for a TCP connection.

The undo tcp min-mss command restores the default minimum value of the MSS for a TCP connection.

The default minimum MSS value for a TCP connection is 216 bytes.

Format

tcp min-mss mss-value

undo tcp min-mss

Parameters

Parameter	Description	Value
mss-value	Specifies the minimum MSS value for a TCP connection.	The value ranges from 32 byte to 1500 bytes. By default, the value is 216 bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To establish a TCP connection, the MSS value is negotiated, which indicates the maximum length of packets that the local device can receive. The TCP client on a network may send a request packet for establishing a TCP connection carrying a small MSS value. For example, the MSS value is 1. After the TCP server receives the request packet carrying the MSS value, the TCP connection is established. The TCP client then may send large numbers of requests to the server by an application, causing the TCP server to generate large numbers of reply packets. This may burden the TCP server or network, causing denial of service (DoS) attacks. To resolve this problem, run the tcp min-mss command to set the minimum MSS value for a TCP connection. This configuration prevents a server from receiving packets carrying a small MSS value.

Precautions

The minimum MSS value configured using this command is not the negotiation parameter value carried in the MSS option. The negotiation parameter value carried in the MSS option of packets sent by the local device is calculated based on the MTU value.

The minimum MSS value configured using the tcp min-mss command must be less than the maximum MSS value configured using the tcp max-mss command.

If the tcp min-mss command is run more than once in the same view, the latest configuration overrides the previous one.

Configure the parameters under the guidance of the technical personnel.

Example

# Set the minimum MSS value for a TCP connection to 512 bytes.

<HUAWEI> system-view

[HUAWEI] tcp min-mss 512

Related Topics

tcp window

tcp max-mss

Function

The tcp max-mss command configures the maximum Maximum Segment Size (MSS) value for a TCP connection.

The undo tcp max-mss command deletes the maximum MSS value of a TCP connection.

By default, the maximum MSS value is not configured for TCP connections.

Format

tcp max-mss mss-value

undo tcp max-mss

Parameters

Parameter	Description	Value
mss-value	Specifies the maximum MSS value for a TCP connection.	The value is an integer ranging from 32 to 9600, in bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To establish a TCP connection, the MSS value is negotiated, which indicates the maximum length of packets that the local device can receive. This length is the TCP payload length, excluding that of the TCP header. If the path MTU is unavailable on one end of a TCP connection, this end cannot adjust the TCP packet size based on the MTU. As a result, this end may send TCP packets that are longer than the MTUs on intermediate devices, which will discard these packets. To prevent this problem, run the tcp max-mss command on either end of a TCP connection to set the maximum MSS value of TCP packets. Then the MSS value negotiated by both ends will not exceed this maximum MSS value, and accordingly TCP packets sent from both ends will not be longer than this maximum MSS value and can travel through the intermediate network.

Precautions

The maximum MSS value configured using the tcp max-mss command must be greater than the minimum MSS value configured using the tcp min-mss command.

Example

# Set the maximum MSS value for a TCP connection to 1024 bytes.

<HUAWEI> system-view
[HUAWEI] tcp max-mss 1024

Related Topics

tcp min-mss

tcp timer fin-timeout

Function

The tcp timer fin-timeout command configures the value of the TCP FIN-Wait timer.

The undo tcp timer fin-timeout command restores the default value of the TCP FIN-Wait timer.

By default, the value of the TCP FIN-Wait timer is 675s.

Format

tcp timer fin-timeout interval

undo tcp timer fin-timeout

Parameters

Parameter	Description	Value
interval	Specifies the value of the TCP FIN-Wait timer.	The value is an integer that ranges from 76 to 3600, in seconds. The default value is 675s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a TCP connection changes from FIN_WAIT_1 to FIN_WAIT_2, the TCP FIN-Wait timer is started. If no response packet is received after the TCP FIN-Wait timer expires, the TCP connection is closed.

If you run this command in the same view for multiple times, only the last configuration takes effect.

You are advised to configure this parameter under the supervision of technical support personnel.

Example

# Set the value of the TCP FIN-Wait timer to 400s.

<HUAWEI> system-view

[HUAWEI] tcp timer fin-timeout 400

Related Topics

tcp timer syn-timeout

tcp window

tcp timer syn-timeout

Function

The tcp timer syn-timeout command configures the value of the TCP SYN-Wait timer.

The undo tcp timer syn-timeout command restores the default value of the TCP SYN-Wait timer.

By default, the value of the TCP SYN-Wait timer is 75s.

Format

tcp timer syn-timeout interval

undo tcp timer syn-timeout

Parameters

Parameter	Description	Value
interval	Specifies the value of the TCP SYN-Wait timer.	The value is an integer ranging from 2 to 600, in seconds. The default value is 75s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When an SYN packet is sent, the TCP SYN-Wait timer is started. If no response packet is received after the TCP SYN-Wait timer expires, the TCP connection is closed.

If you run this command in the same view for multiple times, only the last configuration takes effect.

You are advised to configure this parameter under the supervision of technical support personnel.

Example

# Set the value of the TCP SYN-Wait timer to 100s.

<HUAWEI> system-view

[HUAWEI] tcp timer syn-timeout 100

Related Topics

tcp timer fin-timeout

tcp window

Function

The tcp window command configures the size of the receive or send buffer of a connection-oriented socket.

The undo tcp window command restores the default size of the receive or send buffer of a connection-oriented socket.

By default, the size of the receive or send buffer of a connection-oriented socket is 8k bytes.

Format

tcp window window-size

undo tcp window

Parameters

Parameter	Description	Value
window-size	Specifies the size of the receive or send buffer of a connection-oriented socket.	The value is an integer that ranges from 1 to 32, in k bytes. The default value is 8k bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If you run this command in the same view for multiple times, only the last configuration takes effect.

You are advised to configure this parameter under the supervision of technical support personnel.

Example

# Set the size of the receive or send buffer of a connection-oriented socket to 3K bytes.

<HUAWEI> system-view

[HUAWEI] tcp window 3

Related Topics

tcp timer fin-timeout

tcp timer syn-timeout

clear ip df
discard { ra | rr | srr | ts }
display icmp statistics
display ip interface
display ip socket
display ip socket register-port
display ip statistics
display load-balance mode
display network status
display priority
display rawip statistics
display snmp-agent trap feature-name ip all
display snmp-agent trap feature-name tcp all
display tcp statistics
display tcp status
display udp statistics
icmp blackhole unreachable send
icmp host-unreachable send
icmp port-unreachable send
icmp protocol-unreachable send
icmp receive
icmp redirect send
icmp ttl-exceeded send
icmp-reply fast
ip error-packet-check disable
ip forward-broadcast
ip verify source-address
load-balance (system view)
reset ip socket monitor
reset ip socket pktsort
reset ip statistics
reset rawip statistics
reset tcp statistics
reset udp statistics
set priority
snmp-agent trap enable feature-name ip
snmp-agent trap enable feature-name tcp
tcp min-mss
tcp max-mss
tcp timer fin-timeout
tcp timer syn-timeout
tcp window

Translation

简体中文

Download

Updated: 2021-03-10

Document ID: EDOC1000141874

Downloads: 113

Average rating:

This Document Applies to these Products