No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade
MENU
Support Documentation

Command Reference

S7700 and S9700 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IP Performance Optimization Configuration Commands

IP Performance Optimization Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

clear ip df

Function

The clear ip df command enables fragmentation for outgoing IP packets on an interface.

The undo clear ip df command disables fragmentation for outgoing IP packets on an interface.

By default, fragmentation for outgoing IP packets on an interface is disabled.

Format

clear ip df

undo clear ip df

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IP header contains a Don't Fragment (DF) bit to identify whether packet fragmentation is allowed. Commonly, if the DF bit of a packet is set to 1, the packet cannot be fragmented. When the remote device or intermediate forwarding device receives IP packets, if it checks the packet length and discards packets whose length is longer than the Maximum Transmission Unit (MTU) on the interface, network communication is interrupted. You can run the clear ip df command to enable fragmentation for outgoing control-plane IP packets so that packets with the DF bit set to 1 are fragmented based on the MTU value on the interface.

After fragmentation for outgoing control-plain IP packets is enabled on an interface, the device sets the Don't Fragment (DF) field to 0 and fragments IP packets that meet the following conditions:

  • The value of the DF field in the IP packet header is 1.

  • The packet length is larger than the MTU value of the interface that sends the packets.

Precautions

This command takes effect only for the control-plain packets but not for the forwarding-plain packets.

Example

# Enable fragmentation for outgoing IP packets on VLANIF100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] clear ip df
# Enable fragmentation for outgoing IP packets on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] clear ip df

discard { ra | rr | srr | ts }

Function

The discard { ra | rr | srr | ts } command configures the device to discard the packets that contain the route alert option, route record option, source route option, or timestamp option on interfaces.

The undo discard { ra | rr | srr | ts } command configures the device to process the packets that contain the route alert option, route record option, source route option, or timestamp option on interfaces.

By default, the device processes packets sent to the CPU based on route options contained in these packets.

Format

discard { ra | rr | srr | ts }

undo discard { ra | rr | srr | ts }

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IP packets can carry route options including the route alert option (ra), route record option (rr), source route option (srr), and timestamp option (ts).

These route options are used to diagnose network paths and temporarily transmit special services. These options, however, may be used by attackers to spy on the network structure for initiating attacks. This degrades network security and device performance. To solve this problem, you can run the discard { ra | rr | srr | ts } command to configure the device to discard the IP packets that contain the route options.

Precautions

The discard { ra | rr | srr | ts } command only takes effect for the packets on inbound interfaces.

The discard { ra | rr | srr | ts } command only takes effect for packets sent to the CPU. For packets that are not sent to the CPU, the device processes and forwards them using the same method of processing packets without route options regardless of whether the discard { ra | rr | srr | ts } command is configured or not.

Example

# Configure the device to discard the packets that contain the route alert option on the interface VLANIF100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] discard ra
# Configure the device to discard the packets that contain the route alert option on the interface GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] discard ra

display icmp statistics

Function

The display icmp statistics command displays ICMP traffic statistics.

Format

display icmp statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view information about ICMP packet sending and receiving, run the display icmp statistics command.

Example

# Display ICMP traffic statistics.

<HUAWEI> display icmp statistics
  Input: bad formats         0          bad checksum            0   
         echo                10         destination unreachable 0   
         source quench       0          redirects               0   
         echo reply          25         parameter problem       0   
         timestamp request   0          information request     0   
         mask requests       0          mask replies            0   
         time exceeded       0          timestamp reply         0         
         Mping request       0          Mping reply             0   
  Output:echo                25         destination unreachable 0   
         source quench       0          redirects               0   
         echo reply          10         parameter problem       0   
         timestamp request   0          information reply       0   
         mask requests       0          mask replies            0   
         time exceeded       0          timestamp reply         0
         Mping request       0          Mping reply             0
Table 6-44  Description of the display icmp statistics command output

Item

Description

Input

Received packets.

Output

Sent packets.

bad formats

Number of packets in incorrect format.

bad checksum

Number of packets with checksum errors.

echo

Number of echo request packets.

destination unreachable

Number of unreachable packets.

source quench

Number of source quench packets.

redirects

Number of redirection packets.

echo reply

Number of echo reply packets.

parameter problem

Number of packets with incorrect parameters.

timestamp request

Number of timestamp request packets.

information request

Number of information request packets.

information reply

Number of information reply packets.

mask requests

Number of mask request packets.

mask replies

Number of mask reply packets.

time exceeded

Number of expired packets.

timestamp reply

Number of timestamp reply packets.

Mping requests

Number of multicast ping request packets.

Mping reply

Number of multicast ping reply packets.

display ip interface

Function

The display ip interface command displays the IP configuration and statistics on interfaces. The statistics include the number of packets and bytes received and sent by interfaces, number of multicast packets sent and received by interfaces, and number of broadcast packets received, sent, forwarded, and discarded by interfaces.

The display ip interface brief command displays brief information about interface IP addresses, including the IP address, subnet mask, physical status, link-layer protocol status, and number of interfaces in different states.

Format

display ip interface [ interface-type interface-number ]

display ip interface brief [ interface-type [ interface-number ] | slot slot-id [ card card-number ] ]

display ip interface brief [ interface-type ] &<1-8>

Parameters

Parameter Description Value
interface-type interface-number

Specifies the type and number of an interface. If no interface is specified, IP configuration and statistics about all interfaces are displayed.

 -
brief Displays brief information, including the IP address, subnet mask, physical status, link-layer protocol status, and number of interfaces in different states. -
slot slot-id

Displays the IP configuration and statistics of interfaces on the specified slot.

If the slot number is not specified, brief information related to the IP addresses of the interfaces on all interface boards and main control boards is displayed.

 -
card card-number

Displays the IP configuration and statistics of interfaces on specified card.

 -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ip interface brief command to view the following information:
  • IP configurations of all interfaces
  • IP configurations of interfaces of the specified type and a specified interface
  • IP configurations of interfaces that have IP addresses
This command, however, cannot display the IP configurations of Layer 2 interfaces or Eth-Trunk member interfaces.
NOTE:

Example

# Display IP information about VLANIF15.
<HUAWEI> display ip interface vlanif 15 
Vlanif15 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 766390, bytes : 41540847, multicasts : 681817
output packets : 242239, bytes : 14679482, multicasts : 172333
Directed-broadcast packets:
 received packets:            0, sent packets:            0
 forwarded packets:           0, dropped packets:           0
Internet Address is 10.1.1.119/24
Broadcast address : 10.1.1.255
TTL being 1 packet number:    164035
TTL invalid packet number:         0
ICMP packet input number:          0
  Echo reply:                      0
  Unreachable:                     0
  Source quench:                   0
  Routing redirect:                0
  Echo request:                    0
  Router advert:                   0
  Router solicit:                  0
  Time exceed:                     0
  IP header bad:                   0
  Timestamp request:               0
  Timestamp reply:                 0
  Information request:             0
  Information reply:               0
  Netmask request:                 0
  Netmask reply:                   0
  Unknown type:                    0
Table 6-45  Description of the display ip interface command output

Item

Description

Vlanif15 current state
Physical status of the interface:

  • UP: indicates that the interface is physically Up.

  • DOWN: indicates that the interface is physically Down.

  • Administratively down: indicates that the administrator has run the shutdown command on the interface.

Line protocol current state
Link layer protocol status of the interface:

  • UP: The link layer protocol of the interface is running properly.

  • DOWN: The link layer protocol of the interface is Down or no IP address is configured on the interface.

The Maximum Transmit Unit

MTU of the interface. The default MTU of an Ethernet interface or a serial interface is 1500 bytes. Packets longer than the MTU are fragmented before being transmitted. If fragmentation is not allowed, the packets are discarded.

input packets : 766390, bytes : 41540847, multicasts : 681817

Total number of packets, bytes, and multicast packets received by the interface.

output packets : 242239, bytes : 14679482, multicasts : 172333

Total number of packets, bytes, and multicast packets sent by the interface.

Directed-broadcast packets

Number of packets broadcast on the interface directly.

received packets

Total number of received packets.

sent packets

Total number of sent packets.

forwarded packets

Total number of forwarded packets.

dropped packets

Total number of discarded packets.

Internet Address is

IP address assigned to the interface and mask length.

Broadcast address

Broadcast address of the interface.

TTL being 1 packet number

Number of packets with TTL 1.

TTL invalid packet number

Number of packets with invalid TTL.

ICMP packet input number

Number of received ICMP packets.

Echo reply

Number of Echo Reply packets.

Unreachable

Number of Destination Unreachable packets.

Source quench

Number of Source Quench packets.

Routing redirect

Number of Redirect packets.

Echo request

Number of Echo Request packets.

Router advert

Number of Router Advertisement packets.

Router solicit

Number of Router Solicitation packets.

Time exceed

Number of Time Exceeded packets.

IP header bad

Number of IP header error packets.

Timestamp request

Number of Timestamp Request packets.

Timestamp reply

Number of Timestamp Reply packets.

Information request

Number of Information Request packets.

Information reply

Number of Information Reply packets.

Netmask request

Number of Address Mask Request packets.

Netmask reply

Number of Address Mask Reply packets.

Unknown type

Number of unknown packets.
# Display brief IP information about VLANIF15.
<HUAWEI> display ip interface brief vlanif 15
*down: administratively down
!down: FIB overload down 
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down 
Interface                         IP Address/Mask      Physical   Protocol
Vlanif15                          10.1.1.119/24        up         up
Table 6-46  Description of the display ip interface brief command output

Item

Description

*down:

Reason why an interface is physically Down. Administratively down indicates that the administrator has run the shutdown command on the interface.
!down: FIB overload down

Indicates that the interface goes Down because the number of route prefixes in the FIB exceeds the upper limit.

^down

^down: indicates that the interface is a backup interface.

(l): loopback

The letter "l" refers to loopback.

(s): spoofing

The letter "s" refers to spoofing.

(d): Dampening Suppressed

The interface protocol is in the suppressed state.
(E): E-Trunk down

Indicates that the Eth-Trunk is Down because of the protocol negotiation on the E-Trunk.

Interface

Interface type and number.

IP Address/Mask

IP address and mask of an interface.

Physical
Physical status of an interface:

  • Up: indicates that the interface is physically Up. (l) indicates that the loopback function is configured on the interface.

  • Down: indicates that the interface becomes faulty.

  • *down: indicates that the administrator has run the shutdown (interface view) command on the interface. (l) indicates that the loopback function is configured on the interface.

Protocol

Link protocol status of the interface:

  • Up: indicates that the link protocol of the interface is running properly. (s) indicates that the link protocol status of the interface is Up when this interface is created and has no IP address configured. This is an inherent attribute of an interface. When this interface is configured with an IP address, (s) is still displayed.

  • Down: indicates that the link protocol of the interface fails or no IP address is configured on the interface.

(l) indicates that the loopback function is configured on the interface.
Related Topics

display ip forwarding status

Function

The display ip forwarding status command displays whether IPv4 Layer 3 unicast forwarding is enabled on a switch.

Format

display ip forwarding status

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check whether IPv4 Layer 3 unicast forwarding is enabled on a switch.

Example

# Display whether IPv4 Layer 3 unicast forwarding is enabled on the switch.

<HUAWEI> display ip forwarding status
Current IP forwarding status: Open
Table 6-47  Description of the display ip forwarding status command output

Item

Description

Current IP forwarding status

Whether IPv4 Layer 3 unicast forwarding is enabled:

  • Open: The function is enabled.

  • Closed: The function is disabled.

To configure IPv4 Layer 3 unicast forwarding, run the ip forwarding disable command.
Related Topics

display ip socket

Function

The display ip socket command displays information about the created IPv4 sockets.

Format

display ip [ ha ] socket [ monitor ] [ task-id task-id socket-id socket-id | socket-type socket-type ]

Parameters

Parameter Description Value
ha Displays IPv4 socket information on the slave main control board. -
monitor Displays information about the socket monitor. Information about the socket monitor is displayed together with information about the socket. -
task-id task-id Displays socket information of the task with a specified ID. The value must be an existing task ID.
socket-id socket-id Displays information about the socket with a specified ID. The value must be an existing socket ID.
socket-type socket-type Displays information about a socket of a specified type. The value is an integer. Table 6-48 shows the value range.
Table 6-48  Value range of socket-type socket-type

Value

Description

1

TCP socket

2

UDP socket

3

RAWIP socket

4

RAWLINK socket

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

A socket monitor monitors and records each connection. A RawLink also monitors interfaces. The socket monitor records specific protocol events that occur during operations. In addition, it logs information in the disk space.

The socket monitor is similar to a black box of the system. It records specific events that happen during system operations. When the system fails, you can use information recorded by the socket monitor to locate faults.

You can also set the filtering rules, such as the task ID, socket ID, and socket type so that only the information matching the rules is displayed. This reduces information output and helps you locate faults accurately and efficiently.

Example

# Display information about the IP sockets.
<HUAWEI> display ip socket monitor
SOCK_STREAM:
Task = VTYD(30), socketid = 1, Proto = 6, 
LA = 0.0.0.0:23, FA = 0.0.0.0:0, 
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0, 
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_LINGER SO_REUSEPORT SO_SENDVPNID(23553) SO_SETKEEPALIVE SO_SETACL,
socket state = SS_PRIV SS_ASYNC
                          Socket Monitor:
Asyn Que status:
 read = 0, write = 0, connect = 0, close = 0,
 peer close = 0, accept = 0, keep alive down = 0,
 cram time = 0000-00-00 00:00:00+08:00, lost msg= 0, msg type=0x00000000;
Nothing else has been captured!
SOCK_DGRAM: 
Task = DHCP(54), socketid = 2, Proto = 17,
LA = 0.0.0.0:67, FA = 0.0.0.0:0,
sndbuf = 9216, rcvbuf = 41600, sb_cc = 0, rb_cc = 0, 
socket option = SO_BROADCAST SO_REUSEPORT SO_UDPCHECKSUM SO_SENDVPNID(14849),
socket state = SS_PRIV
                          Socket Monitor:
Statistics:
 input packets = 6,recv packets = 6,output packets = 0;
Rcvbuf status: 
 cram time = 0000-00-00 00:00:00+00:00, full times = 0,dropped packets = 0;
Asyn Que status: 
 read = 0, write = 0, connect = 0, close = 0, 
 peer close = 0, accept = 0, keep alive down = 0, 
 smb input = 0, smb output = 0, smooth over = 0,
 cram time = 0000-00-00 00:00:00+00:00, lost msg = 0, msg type = 0x00000000;
# Display the information about the IP socket with the task ID as 23 and socket ID as 1.
<HUAWEI> display ip socket monitor task-id 23 socket-id 1
Task = RSVP(23), socketid = 1, Proto = 46,
LA = 0.0.0.0, FA = 0.0.0.0,
sndbuf = 4194304, rcvbuf = 4194304, sb_cc = 0, rb_cc = 0,
socket option = 0,
socket state = SS_PRIV SS_NBIO SS_ASYNC
                          Socket Monitor:
Statistics:
 input packets = 0,recv packets = 0,output packets = 0;
Rcvbuf status:
 cram time = 00H00M00S: full times = 0,dropped packets = 0;
Asyn Que status:
 read = 0, write = 0, connect = 0, close = 0,
 peer close = 0, accept = 0, keep alive down = 0,
 smb input = 0, smb output = 0, smooth over = 0,
 cram time = 00H00M00S, lost msg = 0, msg type = 0x00000000;
# Display information about the IP socket with the socket type as TCP.
<HUAWEI> display ip socket monitor socket-type 1
SOCK_STREAM:
Task = VTYD(30), socketid = 1, Proto = 6,
LA = 0.0.0.0:23, FA = 0.0.0.0:0,
sndbuf = 8192, rcvbuf = 8192, sb_cc = 0, rb_cc = 0,
socket option = SO_ACCEPTCONN SO_KEEPALIVE SO_REUSEPORT SO_SENDVPNID(14849) SO_SETKEEPALIVE,
socket state = SS_PRIV SS_ASYNC
                          Socket Monitor:
Asyn Que status:
 read = 0, write = 0, connect = 0, close = 0,
 peer close = 0, accept = 0, keep alive down = 0,
 cram time = 0000-00-00 00:00:00+00:00, lost msg= 0, msg type=0x00000000;
Nothing else has been captured!
Table 6-49  Description of the display ip socket command output

Item

Description

SOCK_STREAM
Socket types. There are the following socket types:

  • SOCK_STREAM

  • SOCK_DGRAM

  • SOCK_RAWLINK

  • SOCK_RAWIP

Task

Type and ID of the task that invokes the socket. For example, Task = VTYD(30) indicates that the task named VTYD uses the socket, with the task ID being 30.

socketid

Socket ID.

Proto

Protocol number.

LA

Local address/port number.

FA

Remote address/port number.

sndbuf

Maximum socket send buffer size. The value is in bytes.

rcvbuf

Maximum socket receive buffer size. The value is in bytes.

sb_cc

Number of sent packets. The value is in bytes and is valid only when TCP caches data packets.

rb_cc

Number of received packets. The value is in bytes.

socket option
Set socket options. There are the following socket options:

  • SO_DEBUG: indicates that debugging is enabled.

  • SO_ACCEPTCONN: indicates that the socket is the server and is responsible for monitoring.

  • SO_REUSEADDR: indicates that addresses are overlapped. After the option is set, multiple identical addresses can be bound to an interface.

  • SO_KEEPALIVE: indicates that the keepalive timer starts after a TCP connection is set up.

  • SO_DONTROUTE: indicates that a socket must choose the direct route to the destination when setting up a connection.

  • SO_BROADCAST: indicates that an interface can send broadcast packets.

  • SO_REUSEPORT: indicates that interfaces are overlapped. After the option is set, multiple identical interfaces can be bound to the local interface. This option is often set on servers.

  • SO_UDPCHECKSUM: indicates that the socket calculates the checksum of UDP packets.

  • SO_SENDVPNID: indicates an exclusive option for VPNs.

  • SO_SETKEEPALIVE: indicates that the keepalive timer starts after a TCP connection is set up.

  • SO_SETACL: indicates that an ACL can be configured on the interface.

  • SO_USELOOPBACK: indicates that a socket can use a loopback interface to receive or send data.

  • SO_LINGER: indicates the time for closing a TCP connection. If the time is not set to 0, a TCP connection is closed after the timer expires. If the time is set to 0, a TCP connection is closed immediately.

  • SO_OOBINLINE: indicates out-band data. When receiving data, a socket processes the out-band data first.

  • SO_SENDDATAIF: indicates that a socket uses the specified interface to receive or send data.

  • SO_SENDDATAIF_DONTSETTTL: indicates that a socket uses the specified interface to receive or send data but does not set the TTL value.

  • SO_SETSRCADDR: indicates that a socket sets the source address of outgoing packets.

  • SO_SENDBY_IF_NEXTHOP: indicates that a socket sets the outbound interface and next hop address of outgoing packets.

socket state
Socket status. There are the following socket status:

  • SS_NOFDREF: indicates that the socket ID is deleted.

  • SS_ISCONNECTED: indicates that a TCP connection is set up.

  • SS_ISCONNECTING: indicates that a TCP connection is being set up.

  • SS_ISDISCONNECTING: indicates that a TCP connection is being closed.

  • SS_CANTSENDMORE: indicates that a socket cannot send data.

  • SS_CANTRCVMORE: indicates that a socket cannot receive data.

  • SS_RCVMARK: indicates that a socket sets the receiving option in the received packet.

  • SS_NBIO: indicates that the type of a socket is non-blocking.

  • SS_ISCONFIRMING: indicates that the upper-layer application will complete processing a connection.

  • SS_BLOCKING: indicates that congestion occurs during packet receiving and sending.

  • SS_RECALL: indicates that the message notification method is set by an asynchronous socket.

  • SS_PRIV: indicates the option transferred from the Unix. The option is invalid in the current socket.

  • SS_ASYNC: indicates the status identifier of an asynchronous socket.

Asyn Que status

Current asynchronous queue status.

read

Number of messages read by the asynchronous queue.

write

Number of messages written by the asynchronous queue.

connect

Number of connection messages in the asynchronous queue.

close

Number of messages about closed connections in the asynchronous queue.

peer close

Number of messages about connections closed by the remote end in the asynchronous queue.

accept

Number of messages received by the asynchronous queue.

keep alive down

Number of keepalivedown messages in the asynchronous queue.

cram time

Time for the asynchronous queue to become full.

lost msg

Number of asynchronous messages discarded by the asynchronous queue.

msg type

Current asynchronous message type.

smb input

Number of times of notifying the application layer to read received packets on the backup board.

smb output

Number of times of notifying the application layer to read sent packets on the backup board.

smooth over

Number of times of notifying the application layer that the smoothing is over.

display ip socket register-port

Function

The display ip socket register-port command displays non-well-known port numbers that have been assigned to services on the device.

Format

display ip socket register-port

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

As defined in RFC standards, port numbers larger than 1024 are non-well-known port numbers and can be assigned to desired services, such as NQA and FTP services. However, a non-well-known port number can be assigned to only one service on the same device. If you assign a non-well-known port number to two or more services, this port number takes effect for only the latest configured service. As a result, the other services using this port number will fail.

Before you assign a non-well-known port number to a service, run the display ip socket register-port command to check non-well-known port numbers that have been assigned to other services, preventing service failures caused by conflicts of non-well-known port numbers.

Example

# Display non-well-known port numbers that have been assigned to services on the device.

<HUAWEI> display ip socket register-port
Port      Task        Type
5247      CWP_FWD     UDP4
31009     MPLSFW      UDP4
38514     INFO        UDP4
60000     EZOP        UDP4
65030     ipfpm       UDP4
65531     CWP_FWD     UDP4
65532     CWP_FWD     UDP4
65533     CWP_FWD     UDP4
65534     CWP_FWD     UDP4
3232      mdt         UDP6
3503      MPLSFW      UDP6
3784      BFD         UDP6
4784      BFD         UDP6
5246      CWP_FWD     UDP6
5247      CWP_FWD     UDP6
31009     MPLSFW      UDP6
38514     INFO        UDP6
60000     EZOP        UDP6
65531     CWP_FWD     UDP6
65532     CWP_FWD     UDP6
65533     CWP_FWD     UDP6
65534     CWP_FWD     UDP6
Table 6-50  Description of the display ip socket register-port command output

Item

Description

Port

Non-well-known port number that has been assigned to a service.

Task

Name of the task to which a non-well-known port number is assigned.

Type

Port type, including TCP and UDP.

display ip socket vcpu

Function

The display ip socket vcpu command displays socket information about the virtual CPU.

Format

display ip socket vcpu vcpuid

NOTE:

Only the switches using SRUH or SRUE main control units support this command.

Parameters

Parameter Description Value
vcpuid

Specifies the ID of the available virtual CPU.

The value range depends on the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view socket information about the virtual CPU. If a fault occurs in the system, you can use socket information about the virtual CPU to locate the fault.

Example

# Display socket information about the virtual CPU.

<HUAWEI> display ip socket vcpu 1
SOCK_STREAM:                                                                    
SOCK_DGRAM:                                                                     
Task = CWP_(51), socketid = 2, Proto = 17,                                      
LA=0.0.0.0:5247, FA=0.0.0.0:0,                                                  
sndbuf = 9216, rcvbuf = 41600(0), sb_cc = 0, rb_cc = 0,                         
socket option = SO_UDPCHECKSUM,                                                 
socket state = SS_PRIV SS_NBIO SS_ASYNC                                         
                                                                                
Task = CWP_(51), socketid = 1, Proto = 17,                                      
LA=0.0.0.0:5246, FA=0.0.0.0:0,                                                  
sndbuf = 9216, rcvbuf = 41600(0), sb_cc = 0, rb_cc = 0,                         
socket option = SO_UDPCHECKSUM,                                                 
socket state = SS_PRIV SS_NBIO SS_ASYNC                                         
                                                                                
SOCK_RAWIP:
Table 6-51  Description of the display ip socket vcpu command output

Item

Description

SOCK_STREAM
Socket types. There are the following socket types:

  • SOCK_STREAM

  • SOCK_DGRAM

  • SOCK_RAWLINK

  • SOCK_RAWIP

Task = CWP_(51)

Type and ID of the task that invokes the socket. For example, Task = CWP_(51) indicates that the task named CWP uses the socket, with the task ID being 51.

socketid

Socket ID.

Proto

Protocol number.

LA

Local address/port number.

FA

Remote address/port number.

sndbuf

Maximum socket send buffer size. The value is in bytes.

rcvbuf

Maximum socket receive buffer size. The value is in bytes.

sb_cc

Number of sent packets. The value is in bytes and is valid only when TCP caches data packets.

rb_cc

Number of received packets. The value is in bytes.

socket option
Set socket options. There are the following socket options:

  • SO_DEBUG: indicates that debugging is enabled.

  • SO_ACCEPTCONN: indicates that the socket is the server and is responsible for monitoring.

  • SO_REUSEADDR: indicates that addresses are overlapped. After the option is set, multiple identical addresses can be bound to an interface.

  • SO_KEEPALIVE: indicates that the keepalive timer starts after a TCP connection is set up.

  • SO_DONTROUTE: indicates that a socket must choose the direct route to the destination when setting up a connection.

  • SO_BROADCAST: indicates that an interface can send broadcast packets.

  • SO_REUSEPORT: indicates that interfaces are overlapped. After the option is set, multiple identical interfaces can be bound to the local interface. This option is often set on servers.

  • SO_UDPCHECKSUM: indicates that the socket calculates the checksum of UDP packets.

  • SO_SENDVPNID: indicates an exclusive option for VPNs.

  • SO_SETKEEPALIVE: indicates that the keepalive timer starts after a TCP connection is set up.

  • SO_SETACL: indicates that an ACL can be configured on the interface.

  • SO_USELOOPBACK: indicates that a socket can use a loopback interface to receive or send data.

  • SO_LINGER: indicates the time for closing a TCP connection. If the time is not set to 0, a TCP connection is closed after the timer expires. If the time is set to 0, a TCP connection is closed immediately.

  • SO_OOBINLINE: indicates out-band data. When receiving data, a socket processes the out-band data first.

  • SO_SENDDATAIF: indicates that a socket uses the specified interface to receive or send data.

  • SO_SENDDATAIF_DONTSETTTL: indicates that a socket uses the specified interface to receive or send data but does not set the TTL value.

  • SO_SETSRCADDR: indicates that a socket sets the source address of outgoing packets.

  • SO_SENDBY_IF_NEXTHOP: indicates that a socket sets the outbound interface and next hop address of outgoing packets.

socket state
Socket status. There are the following socket status:

  • SS_NOFDREF: indicates that the socket ID is deleted.

  • SS_ISCONNECTED: indicates that a TCP connection is set up.

  • SS_ISCONNECTING: indicates that a TCP connection is being set up.

  • SS_ISDISCONNECTING: indicates that a TCP connection is being closed.

  • SS_CANTSENDMORE: indicates that a socket cannot send data.

  • SS_CANTRCVMORE: indicates that a socket cannot receive data.

  • SS_RCVMARK: indicates that a socket sets the receiving option in the received packet.

  • SS_NBIO: indicates that the type of a socket is non-blocking.

  • SS_ISCONFIRMING: indicates that the upper-layer application will complete processing a connection.

  • SS_BLOCKING: indicates that congestion occurs during packet receiving and sending.

  • SS_RECALL: indicates that the message notification method is set by an asynchronous socket.

  • SS_PRIV: indicates the option transferred from the Unix. The option is invalid in the current socket.

  • SS_ASYNC: indicates the status identifier of an asynchronous socket.

display ip statistics

Function

The display ip statistics command displays IP traffic statistics.

Format

display ip statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

IP traffic statistics include statistics about received packets (including discarded packets that carry source-route options), sent packets, fragmented packets, and reassembled packets. If a large number of bad protocol and no route fields is displayed in the command output, the device receives a large volume of IP packets of unknown protocol types and IP packets for which no routes can be found. In this situation, the device may be attacked by the connected devices.

Example

# Display IP traffic statistics.

<HUAWEI> display ip statistics
  Input:     sum                263482      local                263473         
             bad protocol            0      bad format                1         
             bad checksum            0      bad options               0         
             discard srr             0      discard rr                0         
             discard ra              0      discard ts                0         
             TTL exceeded            0                                          
  Output:    forwarding              0      local                303399         
             dropped             56479      no route                225         
  Fragment:  input                   0      output                    0         
             dropped                 0                                          
             fragmented              0      couldn't fragment         0         
  Reassembling:sum                   0      timeouts                  0
Table 6-52  Description of the display ip statistics command output

Item

Description

Input

Received packets.

sum

Total number of packets.

local

Number of packets sent to the upper-layer protocol.

bad protocol

Number of received IP packets of unknown protocol types. The protocol field in the IP header cannot be identified by the upper-layer protocol.

bad format

Number of packets in incorrect format.

bad checksum

Number of packets with checksum errors.

bad options

Number of packets with incorrect options.

discard srr

Number of discarded packets with source route options.

discard rr

Indicates the number of packets that are received and then discarded because of record-route options.

discard ra

Indicates the number of packets that are received and then discarded because of alert-route options.

discard ts

Indicates the number of packets that are received and then discarded because of time stamps options.

TTL exceeded

Number of packets discarded because the TTL expires.

Output

Sent packets.

forwarding

Number of forwarded packets.

local

Number of generated packets.

dropped

Number of discarded packets.

no route

Number of packets for which no correct route can be found, including the packets sent and forwarded by the local device.

Fragment

Number of packet fragments.

input

Number of received fragments.

output

Number of sent fragments.

dropped

Number of discarded fragments.

fragmented

Number of successfully fragmented packets.

couldn't fragment

Number of packets that cannot be fragmented.

Reassembling:sum

Number of successfully reassembled fragments.

timeouts

Number of expired fragments.

display load-balance mode

Function

The display load-balance mode command displays the load balancing mode on an LPU.

Format

display load-balance mode [ packet | flow | slot slot-number ]

Parameters

Parameter Description Value
packet Displays information about the LPU adopting the per packet load balancing mode. -
flow Displays information about the LPU adopting the per flow load balancing mode. -
slot slot-number Specifies the ID of a slot. After the slot ID is specified, the load balancing mode on a specified LPU is displayed.

The value is an integer, and the value range depends on the device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Using the display load-balance mode packet or the display load-balance mode flow command displays information about the LPU adopting the specified load balancing mode.

The display load-balance mode slot slot-number command displays the load balancing mode on a specified LPU.

If neither the slot ID nor load balancing mode is specified in the display load-balance mode command, by default, load balancing modes on all the registered interface boards are displayed in the sequence of their slot IDs.by default, load balancing mode on the switch is displayed.

Example

# Display the load balancing modes on all interface boards.

<HUAWEI> display load-balance mode
load-balance packet slot 1
load-balance packet slot 2
load-balance flow slot 3
Table 6-53  Description of the display load-balance mode command output

Item

Description

load-balance

Load balancing mode

  • packet: per packet load balancing

  • flow: per flow load balancing

slot

Slot ID

display network status

Function

Running the display network status command, you can check the network status of a device.

Format

display network status { all | tcp | udp | port port-number }

Parameters

Parameter Description Value
all Displays all the network information. -
tcp Displays TCP. -
udp Displays UDP. -
port port-number Specifies the number of an interface. The value is an integer ranging from 1 to 65535.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display network status command is used to check the network status, such as the running interfaces and services on the network. For example, when you find that an interface is being used by an unknown module during a security scan, run the command to check out the module.

Example

# Display all information about the network status.
<HUAWEI> display network status all
Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State
TCP   VTYD/1      0.0.0.0:23               0.0.0.0:0                Listening
TCP   HTTP/2      0.0.0.0:80               0.0.0.0:0                Listening
TCP   HTTP/1      0.0.0.0:443              0.0.0.0:0                Listening
TCP   VTYD/59     192.168.50.166:23        10.135.19.141:60445      Established
TCP6  VTYD/2      ::->23                   ::->0                    Listening
UDP   AGNT/1      0.0.0.0:161              0.0.0.0:0
UDP   SLAG/1      0.0.0.0:1025             0.0.0.0:0
UDP   RDS /1      0.0.0.0:1812             0.0.0.0:0
UDP6  AGT6/1      ::->161                  ::->0
UDP6  RDS /2      ::->1812                 ::->0
Table 6-54  Description of the display network status command output

Item

Description

Proto

Protocol

Task/SockId

Task and Socket ID

  • VTYD: Process login requests of all users.
  • HTTP: Transfer hypertext from WWW servers to local browsers
  • AGNT: Implement the IPv4 SNMP protocol.
  • SLAG: Implement E-Trunk.
  • RDS: Implement the RADIUS protocol, manage the protocol state machine, and maintain protocol databases.
  • AGT6: Implement the IPv6 SNMP protocol.

Local Addr&Port

Local IP address and Port number

Foreign Addr&Port

Remote IP address and Port number

State

Connection status

display priority

Function

Using the display priority command, you can view the 802.1p priority and DSCP priority that are set in the system.

Format

display priority { 8021p | dscp }

Parameters

Parameter

Description

Value

8021p

Displays the 802.1p priority.

-

dscp

Displays the DSCP priority.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays the 802.1p priority and DSCP priority that are set in the system.

The display priority command displays information only after the set priority command is executed to set the 802.1p priority or DSCP priority.

Example

# Set the DSCP priority to 10, and display the DSCP priority set in the system.

<HUAWEI> system-view
[HUAWEI] set priority dscp 10
[HUAWEI] quit
<HUAWEI> display priority dscp
 The dscp priority is 10
Related Topics

display rawip statistics

Function

The display rawip statistics command displays RawIP traffic statistics.

Format

display rawip statistics [ verbose ]

Parameters

Parameter Description Value
verbose Displays detailed RawIP traffic statistics based on the ICMP, RSVP, OSPF, and Others protocols. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The statistics about RawIP packets include the number of sent RawIP packets and the number of received RawIP packets.

RSVP, OSPF, and ICMP packets are encapsulated into RawIP packets to be sent. During the ping operation, for example, you can run the display rawip statistics command to view the number of RawIP packets sent by the local device to check whether the abnormality on the network is caused by abnormal sending and receiving of RawIP packets.

If you want to diagnose problems and monitor information of specific applications, configure verbose in the display rawip statistics command to display application-specific RawIP packet statistics. The applications can be ICMP, RSVP, OSPF, and others.

Precautions

The number of packets received by a switch includes the number of forwarded packets, packets sent to the upper layer, and discarded packets.

RawIP traffic statistics are collected based on the well-known protocol number. The protocol number is identified by the protocol field in the IP packet header.
  • The protocol number of ICMP statistics is 1.
  • The protocol number of OSPF statistics is 89.
  • The protocol number of RSVP statistics is 46.
  • Statistics about packets with other protocol numbers are collected into the Others field.

Example

# View the statistics about RawIP packets.
<HUAWEI> display rawip statistics
Received packets:
  dropped packets because the socket buffer is full   : 0
  dropped packets because no matching socket is found : 0

Sent packets:
  dropped packets : 0
Table 6-55  Description of the display rawip statistics command output

Item

Description

Received packets

Indicates the number of received packets.

dropped packets because the socket buffer is full

Indicates the number of RawIP packets that are discarded because the socket buffer is full.

dropped packets because no matching socket is found

Indicates the number of RawIP packets that are discarded because the socket of the receiver does not match with that of the sender.

Sent packets

Indicates the number of sent packets.

dropped packets

Indicates the number of discarded packets.
# Display detailed RawIP traffic statistics.
<HUAWEI> display rawip statistics verbose
Received packets:
------------------------------------------------------------------
Application    Overflow         No Matching
------------------------------------------------------------------
ICMP           0                0
OSPF           0                0
RSVP           0                0
Others         0                1
------------------------------------------------------------------

Sent packets:
------------------------------------------------------------------
Application    Dropped Packets
------------------------------------------------------------------
ICMP           0
OSPF           0
RSVP           0
Others         0
------------------------------------------------------------------
Table 6-56  Description of the display rawip statistics verbose command output

Item

Description

Received packets

Statistics on received packets.

Application

Application type.

Overflow

Number of RawIP packets discarded because the Socket buffer is full.

No Matching

Number of RawIP packets discarded because the receiver's Socket is mismatching.

ICMP

ICMP packets.

OSPF

OSPF packets.

RSVP

RSVP packets.

Others

Other types of packets.

Sent packets

Statistics about sent packets.

Dropped Packets

Number of discarded packets.

display snmp-agent trap feature-name ip all

Function

The display snmp-agent trap feature-name ip all command displays all trap messages of the IP module.

Format

display snmp-agent trap feature-name ip all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Simple Network Management Protocol (SNMP) is a standard network management protocol widely used on TCP/IP networks. It uses a central computer (a network management station) that runs network management software to manage network elements. The management agent on the network element automatically reports traps to the network management station. After that, the network administrator immediately takes measures to resolve the problem.

Prerequisites

SNMP has been enabled. See snmp-agent.

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name ip all command to check the status of all traps of IP. You can use the snmp-agent trap enable feature-name ip command to enable the trap function of IP.

Example

# Display all trap messages of the IP module.

<HUAWEI>display snmp-agent trap feature-name ip all
------------------------------------------------------------------------------  
Feature name: IP                                                                
Trap number : 1                                                                 
------------------------------------------------------------------------------  
Trap name                       Default switch status   Current switch status   
hwIfIpAddressChange             off                     off
Table 6-57  Description of the display snmp-agent trap feature-name ip all command output

Item

Description

Feature name

Name of the module to which a trap message belongs.

Trap number

Number of trap messages.

Trap name
Name of a trap message of the IP module:
  • hwIfIpAddressChange: alarm of the IP address changes.

Default switch status
Status of the default trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status
Status of the current trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

display snmp-agent trap feature-name tcp all

Function

The display snmp-agent trap feature-name tcp all command displays all trap messages of the TCP module.

Format

display snmp-agent trap feature-name tcp all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Simple Network Management Protocol (SNMP) is a standard network management protocol widely used on TCP/IP networks. It uses a central computer (a network management station) that runs network management software to manage network elements. The management agent on the network element automatically reports traps to the network management station. After that, the network administrator immediately takes measures to resolve the problem.

Prerequisites

SNMP has been enabled. See snmp-agent.

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name tcp all command to check the status of all traps of TCP. You can use the snmp-agent trap enable feature-name tcp command to enable the trap function of TCP.

Example

# Display all trap messages of the TCP module.

<HUAWEI> display snmp-agent trap feature-name tcp all
------------------------------------------------------------------------------
Feature name: TCP
Trap number : 1
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwTCPMD5AuthenFail              off                     off
Table 6-58  Description of the display snmp-agent trap feature-name tcp all command output

Item

Description

Feature name

Name of the module to which a trap message belongs.

Trap number

Number of trap messages.

Trap name
Name of a trap message of the TCP module:
  • hwTCPMD5AuthenFail: alarm of the TCP MD5 authentication fails. It is an excessive trap.

Default switch status
Status of the default trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status
Status of the current trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

display tcp statistics

Function

The display tcp statistics command displays TCP traffic statistics.

Format

display tcp statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command displays TCP traffic statistics including different types of received and sent packets. For example, duplicate received packets and packets with checksum errors. In addition, connection-related statistics are displayed, for example, times of accepted connections, the number of retransmitted packets, and the number of keepalive packets.

Most of the preceding statistics are expressed in number of packets, and some of them are expressed in number of bytes.

Example

# Display TCP traffic statistics.
<HUAWEI> display tcp statistics
Received packets:
     Total: 0
     Total(64bit high-capacity counter): 0
     packets in sequence: 0 (0 bytes)
     window probe packets: 0, window update packets: 0
     checksum error: 0, offset error: 0, short error: 0

     duplicate packets: 0 (0 bytes), partially duplicate packets: 0 (0 bytes)
     out-of-order packets: 0 (0 bytes)
     packets of data after window: 0 (0 bytes)
     packets received after close: 0

     ACK packets: 0 (0 bytes)
     duplicate ACK packets: 0, too much ACK packets: 0

Sent packets:
    Total: 0
     Total(64bit high-capacity counter): 0
     urgent packets: 0
     control packets: 0 (including 0 RST)
     window probe packets: 0, window update packets: 0

     data packets: 0 (0 bytes),    data packets retransmitted: 0 (0 bytes)
     ACK-only packets: 0 (0 delayed)

Other information:
    Retransmitted timeout: 0, connections dropped in retransmitted timeout: 0
    Keep alive timeout: 0, keep alive probe: 0,     Keep alive timeout, so connections disconnected : 0
    Initiated connections: 0,     accepted connections: 0, established connections: 0
    Closed connections: 0 (    dropped: 0, initiated dropped: 0)
    Packets dropped with MD5 authentication: 0
    Packets permitted with MD5 authentication: 0
    Send Packets permitted with Keychain authentication: 0
    Receive Packets permitted with Keychain authentication: 0
    Receive Packets Dropped with Keychain authentication: 0
Table 6-59  Description of the display tcp statistics command output

Item

Description

Received packets

Statistics about received packets.

Total

Total number of packets.

Total (64bit high-capacity counter)

Total number of packets, using the 64-bit counter.

packets in sequence (bytes)

Number of bytes in the packets that arrive in order.

window probe packets

Number of window probe packets.

window update packets

Number of window update packets.

checksum error

Number of packets with checksum errors.

offset error

Number of packets with offset errors.

short error

Number of packets whose length is too short.

duplicate packets (bytes)

Number of bytes in the duplicate packets.

partially duplicate packets (bytes)

Number of bytes in partially duplicate packets.

out-of-order packets (bytes)

Number of bytes in the out-of-order packets.

packets of data after window (bytes)

Number of bytes in the packets whose size is greater than the window size.

packets received after close

Number of packets that arrive after a connection is closed.

ACK packets (bytes)

Number of acknowledged packets, in bytes.

duplicate ACK packets

Number of re-acknowledged packets.

too much ACK packets

Number of acknowledged packets with no data sent.

Sent packets

Number of sent packets.

urgent packets

Number of urgent packets.

control packets (RST)

Number of control packets (RST packets).

data packets

Number of data packets.

data packets retransmitted (0 bytes)

Number of bytes in the retransmitted packets.

ACK only packets (delayed)

Number of acknowledged packets that are delayed.

Other information

Other information.

Retransmitted timeout

Timeout interval of the retransmission timer.

connections dropped in retransmitted timeout

Number of connections discarded because the number of retransmission times exceeds the threshold.

Keep alive timeout

Timeout interval of the keepalive timer.

keep alive probe

Number of sent keepalive packets.

Keep alive timeout, so connections disconnected

Number of connections discarded because keepalive probe fails.

Initiated connections

Number of initiated connections.

accepted connections

Number of accepted connections.

established connections

Number of established connections.

Closed connections (dropped, initiated dropped)

Number of closed connections (number of discarded packets after a connection is set up or before a connection is set up).

Packets dropped with MD5 authentication

Number of packets that fail to pass MD5 authentication.

Packets permitted with MD5 authentication

Number of packets that pass MD5 authentication.

Send Packets permitted with Keychain authentication

Number of sent packets that carry keychain options.

Receive Packets permitted with Keychain authentication

Number of received packets that pass keychain authentication.

Receive Packets Dropped with Keychain authentication

Number of received packets that fail to pass keychain authentication.
Related Topics

display tcp status

Function

The display tcp status command displays current TCP connection status.

Format

display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ip-address ] [ local-port local-port-number ] [ remote-ip ip-address ] [ remote-port remote-port-number ] ]

Parameters

Parameter Description Value
task-id task-id Displays the TCP connection status of the task with a specified ID. The value must be an existing task ID.
socket-id socket-id Displays the TCP connection status of the socket with a specified ID. The value must be an existing socket ID.
local-ip ip-address Displays the TCP connection status of a specified local IP address. The value is in dotted decimal notation.
local-port local-port-number Displays the TCP connection status of a specified local port ID. The value must be an existing local port ID.
remote-ip ip-address Displays the TCP connection status a specified remote IP address. The value is in dotted decimal notation.
remote-port remote-port-number Displays the TCP connection status of a specified remote port ID. The value must be an existing remote port ID.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The transmission control protocol defined in RFC 793 ensures high reliability of transmission between hosts. TCP provides reliable and connection-oriented services in full duplex mode. Run the display tcp status command to monitor the TCP connection status. The following information is displayed.
  • ID of the TCP task control block.
  • ID of the IPv4 TCP task and socket.
  • Local IPv4 address and port ID.
  • Remote IPv4 address and port ID.
  • ID of the VPN instance to which the TCP connection belongs.
  • IPv4 TCP connection status.

You can set filtering rules based on the Task ID, socket ID, IP address and port number of the local device, and IP address and port number of the remote device so that only the information matching the rules is displayed. This prevents unnecessary information from being displayed and helps you locate faults accurately and efficiently.

Precautions

The command output is null if there is no TCP connection.

Example

# Display the TCP connection status on the local device.

<HUAWEI> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
0a5d560c 30 /1    0.0.0.0:23            0.0.0.0:0             14849 Listening

# Display the status of the TCP connection originated from the local IP address 0.0.0.0 and port 23.

<HUAWEI> display tcp status local-ip 0.0.0.0 local-port 23
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State
0a5d560c 30 /1    0.0.0.0:23            0.0.0.0:0             14849 Listening
Table 6-60  Description of the display tcp status command output

Field

Description

TCPCB

ID of the TCP task control block.

Tid/Soid

Task ID and socket ID.

Local Add: port

IP address and port number of the local device. If the value of Local Add is 0.0.0.0, TCP connections of all IP addresses are monitored. If the value of port is 0, the TCP connection of all ports is monitored.

Foreign Add: port

IP address and port number of the remote device. If the value of Foreign Add is 0.0.0.0, the TCP connection of all IP addresses is monitored. If the value of port is 0, TCP connections of all ports are monitored.

VPNID
ID of the VPN instance to which the TCP connection belongs.
  • -1: indicates all VPNs.
  • 0: indicates the public VPN.
  • Other values: indicates the private VPN. The VPNID is defined by users.

State
TCP connection status:

  • Closed: indicates that the TCP connection is closed.

  • Listening: indicates that the TCP connection is being monitored.

  • Syn_Rcvd: indicates that a packet with the SYN flag is received.

  • Established: indicates that the TCP connection has been set up.

  • Close_Wait: indicates that a user sends a packet with the FIN flag to the server to close the TCP connection in Established state. The server then sends an ACK packet to the user after receiving the packet and enters the Close_Wait state.

  • Fin_Wait1: indicates that a user sends a packet with the FIN flag to the server to close the TCP connection and enter this state.

  • Fin_Wait2: indicates that a user receives an ACK packet that responds to the sent packet with the FIN flag.

  • Time_Wait: indicates that TCP enters this state after the TCP connection is closed. When TCP has been in Time_Wait state two times the lifetime of the longest packets, records about the closed connection are deleted.

  • Closing: indicates that the user and server close the TCP connection simultaneously.

display udp statistics

Function

The display udp statistics command displays UDP traffic statistics.

Format

display udp statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command displays UDP traffic statistics including different types of received and sent packets. For example, packets with checksum errors. In addition, connection-related statistics are displayed, for example, the number of broadcast packets. The preceding statistics are expressed in number of packets.

Example

# Display UDP traffic statistics.
<HUAWEI> display udp statistics
Received packets:
    Total: 0
    Total(64bit high-capacity counter): 0
    checksum error: 0
    shorter than header: 0
    data length larger than packet: 0
    unicast(no socket on port): 0
    broadcast/multicast(no socket on port): 0
    not delivered, input socket full: 0
    input packets missing pcb cache: 0

Sent packets:
    Total: 0
    Total(64bit high-capacity counter): 0
Table 6-61  Description of the display udp statistics command output

Item

Description

Received packet:

Total

Total (64bit high-capacity counter)

Total number of received UDP packets.

Total number of received UDP packets (using the 64-bit counter).

checksum error

Number of packets with checksum errors.

shorter than header

Number of packets whose length is shorter than the packet header.

data length larger than packet

Number of packets whose data length is greater than the packet length.

unicast (no socket on port)

Number of unicast packets.

broadcast/multicast (no socket on port)

Number of broadcast and multicast packets.

not delivered, input socket full

Number of packets that are not sent out because the socket buffer is full.

input packets missing pcb cache

Number of sent packets that are not found in the PCB cache.

Sent packets:

Total

Total (64bit high-capacity counter)

Total number of sent UDP packets.

Total number of sent UDP packets (using the 64-bit counter).
Related Topics

icmp blackhole unreachable send

Function

The icmp blackhole unreachable send command enables the switch to send a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

The undo icmp blackhole unreachable send command disables the switch from sending a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

By default, the switch is disabled from sending a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

Format

icmp blackhole unreachable send

undo icmp blackhole unreachable send

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If static IPv4 blackhole routes are configured on the switch configured with the user access and authentication function, when a user goes offline, only the IPv4 blackhole route corresponding to the user's address segment exists on the switch. When a tracert packet matches the IPv4 blackhole route, the switch discards the packet. As a result, an initiator cannot detect that the user has gone offline.

After you run the icmp blackhole unreachable send command, the switch sends a Destination Unreachable ICMP packet to an initiator, notifying the initiator that the user has gone offline if a user goes offline and a tracert packet matches the IPv4 blackhole route.

Example

# Enable the switch to send a Destination Unreachable ICMP packet to an initiator when a tracert packet matches an IPv4 blackhole route.

<HUAWEI> system-view
[HUAWEI] icmp blackhole unreachable send

icmp broadcast-address echo enable

Function

The icmp broadcast-address echo enable command enables a switch to respond to ICMP Echo Request packets with broadcast destination addresses.

The undo icmp broadcast-address echo enable command disables a switch from responding to ICMP Echo Request packets with broadcast destination addresses.

By default, the function of responding to ICMP Echo Request packets with broadcast destination addresses is enabled.

Format

icmp broadcast-address echo enable

undo icmp broadcast-address echo enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The ping program is used to check network connectivity. If two hosts cannot ping each other, they cannot set up a connection. The ping program uses the ICMP protocol. It encapsulates ICMP Echo Request packets into IP packets, and sends the packets to the destination host. The destination host must return an ICMP Echo Reply packet to the source host. If the source host receives a reply within a certain period, the source host considers that the destination host is reachable.

In normal situations, after an interface receives an ICMP Echo Request, this packet is sent to the protocol stack and handled by the CPU.

When the ping command is run to check network connectivity, if the destination address is a broadcast address, all the devices receiving this ICMP Echo Request in the broadcast domain will handle this packet. If attackers initiate attacks using the ping program, the device has to continuously handle ICMP packets, causing a high CPU usage and degrading forwarding performance.

To disable the device from responding to the ICMP Echo Request packets of which the destination addresses are broadcast addresses, run the undo icmp broadcast-address echo enable command. This command can improve forwarding capacity of the device.

NOTE:
The icmp broadcast-address echo enable command makes sense only for ICMP Echo Request packets.

Example

# Disable a switch from responding to ICMP Echo Request packets with broadcast destination addresses.
<HUAWEI> system-view
[HUAWEI] undo icmp broadcast-address echo enable

icmp host-unreachable send

Function

The icmp host-unreachable send command enables the switch to send ICMP Host Unreachable packets.

The undo icmp host-unreachable send command disables the switch from sending ICMP Host Unreachable packets.

By default, the function of sending ICMP Host Unreachable packets is enabled.

Format

icmp host-unreachable send

undo icmp host-unreachable send

Parameters

None

Views

System view, interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ICMP error packets contain network information, such as network connectivity, host reachability, and route availability. ICMP error packets are ultimately returned to the sender because the sender is the logical receiver of the ICMP error packets. The sender learns about the error types from the ICMP error packets, and then determines how to retransmit the data.

After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.

Port Unreachable, Protocol Unreachable, and Host Unreachable packets are ICMP Destination Unreachable packets.
  • When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
  • When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
  • When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.
The Destination Unreachable packets facilitate network control and management. However, the inherent defects of the ICMP protocol make the routing devices and hosts be prone to attacks. Therefore, sending the ICMP Destination Unreachable packets has the following defects:
  • The ICMP packets increase traffic volume and burden the network devices.
  • If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
  • The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.

After you run the undo icmp host-unreachable send command, the device does not send ICMP Host Unreachable packets externally. This prevents the peer device from processing a large number of ICMP packets.

Precautions

The icmp host-unreachable send command can be run in the system view or interface view.
  • After the function of sending ICMP Host Unreachable packets is disabled in the system view, all interfaces do not send ICMP Host Unreachable packets. Even if the function is enabled on an interface, the interface does not send ICMP Host Unreachable packets.
  • After the function of sending ICMP Host Unreachable packets is enabled in the system view, all interfaces send ICMP Host Unreachable packets because the function is enabled on all interfaces by default. You can run the undo icmp host-unreachable send command in interface view to disable the function on a specified interface.

If the function of sending ICMP Host Unreachable packets is disabled, the switch does not send ICMP Host Unreachable packets in any situations.

This command needs to be configured on the inbound interface of ICMP packets in the interface view.

Example

# Enable the switch to send ICMP Host Unreachable packets.

<HUAWEI> system-view
[HUAWEI] icmp host-unreachable send

# Enable VLANIF100 to send ICMP Host Unreachable packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp host-unreachable send
# Enable GE1/0/1 to send ICMP Host Unreachable packets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] icmp host-unreachable send

icmp port-unreachable send

Function

The icmp port-unreachable send command enables the device to send ICMP Port Unreachable packets.

The undo icmp port-unreachable send command disables the device from sending ICMP Port Unreachable packets.

By default, the device sends ICMP Port Unreachable packets.

Format

icmp port-unreachable send

undo icmp port-unreachable send

Parameters

None

Views

System view, interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ICMP error packets contain network information, such as network connectivity, host reachability, and route availability. ICMP error packets are ultimately returned to the sender because the sender is the logical receiver of the ICMP error packets. The sender learns about the error types from the ICMP error packets, and then determines how to retransmit the data.

After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.

Port Unreachable, Protocol Unreachable, and Host Unreachable packets are ICMP Destination Unreachable packets.
  • When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
  • When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
  • When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.
The Destination Unreachable packets facilitate network control and management. However, the inherent defects of the ICMP protocol make the routing devices and hosts be prone to attacks. Therefore, sending the ICMP Destination Unreachable packets has the following defects:
  • The ICMP packets increase traffic volume and burden the network devices.
  • If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
  • The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.

After you run the icmp port-unreachable send command, the device does not send ICMP Port Unreachable packets externally. This prevents the peer device from processing a large number of ICMP packets.

Precautions

The icmp port-unreachable send command can be run in the system view or interface view.
  • After the function of sending ICMP Port Unreachable packets is disabled in the system view, all interfaces do not send ICMP Port Unreachable packets. Even if the function is enabled on an interface, the interface does not send ICMP Port Unreachable packets.
  • After the function of sending ICMP Port Unreachable packets is enabled in the system view, all interfaces send ICMP Port Unreachable packets because the function is enabled on all interfaces by default. You can run the undo icmp port-unreachable send command in interface view to disable the function on a specified interface.

If the function of sending ICMP Port Unreachable packets is disabled, the switch does not send ICMP Port Unreachable packets in any situations.

Example

# Enable the device to send ICMP Port Unreachable packets.

<HUAWEI> system-view
[HUAWEI] icmp port-unreachable send
# Enable the device to send ICMP Port Unreachable packets on VLANIF100.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp port-unreachable send
# Enable the device to send ICMP Port Unreachable packets on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] icmp port-unreachable send

icmp protocol-unreachable send

Function

The icmp protocol-unreachable send command enables the function of sending ICMP Protocol Unreachable packets.

The undo icmp protocol-unreachable send command disables the function of sending ICMP Protocol Unreachable packets.

By default, the function of sending ICMP Protocol Unreachable packets is enabled.

Format

icmp protocol-unreachable send

undo icmp protocol-unreachable send

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

ICMP error packets contain network information, such as network connectivity, host reachability, and route availability. ICMP error packets are ultimately returned to the sender because the sender is the logical receiver of the ICMP error packets. The sender learns about the error types from the ICMP error packets, and then determines how to retransmit the data.

After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.

Port Unreachable, Protocol Unreachable, and Host Unreachable packets are ICMP Destination Unreachable packets.
  • When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
  • When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
  • When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.
The Destination Unreachable packets facilitate network control and management. However, the inherent defects of the ICMP protocol make the routing devices and hosts be prone to attacks. Therefore, sending the ICMP Destination Unreachable packets has the following defects:
  • The ICMP packets increase traffic volume and burden the network devices.
  • If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
  • The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.

After you run the icmp protocol-unreachable send command, the device does not send ICMP Protocol Unreachable packets externally. This prevents the peer device from processing a large number of ICMP packets.

Example

# Enable the function of sending ICMP Protocol Unreachable packets.

<HUAWEI> system-view
[HUAWEI] icmp protocol-unreachable send

icmp receive

Function

The icmp receive command enables the device to receive ICMP packets.

The undo icmp receive command disables the device from receiving ICMP packets.

By default, the device receives ICMP packets.

Format

icmp { type icmp-type code icmp-code | name icmp-name | all } receive

undo icmp { type icmp-type code icmp-code | name icmp-name | all } receive

Parameters

Parameter Description Value
type icmp-type Specifies the type number of an ICMP packet. The value is an integer ranging from 0 to 255.
code icmp-code Specifies the code of an ICMP packet. The value is an integer ranging from 0 to 255.
name icmp-name Specifies the name of an ICMP packet. The value is a string of case-insensitive characters, with spaces not supported. The value can be any of the following:

  • echo

  • echo-reply

  • fragmentneed-dfset

  • host-redirect

  • host-tos-redirect

  • host-unreachable

  • information-reply

  • information-request

  • net-redirect

  • net-tos-redirect

  • net-unreachable

  • parameter-problem

  • port-unreachable

  • protocol-unreachable

  • reassembly-timeout

  • source-quench

  • source-route-failed

  • timestamp-reply

  • timestamp-request

  • ttl-exceeded
all Specifies all ICMP packets. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  • On secure networks, the device can normally receive ICMP packets. In the case of heavy traffic on the network, if hosts or ports are frequently unreachable, the device will receive a large number of ICMP packets, which causes heavier traffic burdens over the network and degrades the performance of the device.

  • On insecure networks, network attackers often make use of ICMP error packets to probe on the internal structure of the network.

The undo icmp receive command can be used to disable the device from receiving ICMP packets for the purpose of improving network performance or enhancing network security.

If the network status is normal and the device is required to receive ICMP packets, you can run the icmp receive command.

Precautions

After the undo icmp receive command is run, the device no longer process ICMP packets of a certain type, causing the host to fail to ping the device.

Example

# Disable the device from receiving ICMP packets with the type number being 3 and the code number being 1.

<HUAWEI> system-view
[HUAWEI] undo icmp type 3 code 1 receive

icmp redirect send

Function

The icmp redirect send command enables the switch to send ICMP redirect packets.

The undo icmp redirect send command disables the switch from sending ICMP redirect packets.

The function of sending ICMP Redirect packets is enabled.

Format

icmp redirect send

undo icmp redirect send

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ICMP error packets contain network information, such as network connectivity, host reachability, and route availability. ICMP error packets are ultimately returned to the sender because the sender is the logical receiver of the ICMP error packets. The sender learns about the error types from the ICMP error packets, and then determines how to retransmit the data.

ICMP Redirect packets are a type of ICMP error packets.

When a host starts, there may be only one default route to the gateway in its routing table. In the following situations, the device functions as a gateway to send an ICMP Redirect packet to the source host, requesting the host to select another next hop address for subsequent packet forwarding:

  • The interface that receives the data packet is the same as the interface used to forward the packet.
  • The device needs to forward a received packet. After looking up the routing table, the device finds that the next hop IP address is on the same network segment with the destination address of the packet.

After the device sends ICMP Redirect packets to the host that has only a few routes, the host can enrich the routing table and find out the optimal route.

The ICMP error packets facilitate network control and management. However, the inherent defects of the ICMP protocol make the routing devices and hosts be prone to attacks. Therefore, sending the ICMP error packets has the following defects:

  • The ICMP packets increase traffic volume and burden the network devices.
  • If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
  • The ICMP Redirect function increases the number of routes in the host's routing table. When many routes are added, the host performance will be degraded.

You need to decide whether to enable ICMP Redirect packet sending according to network situation.

Precautions

The command is used on the interface that receives ICMP packets.

Example

# Enable VLANIF100 to send ICMP Redirect packets.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp redirect send
# Enable GE1/0/1 to send ICMP Redirect packets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] icmp redirect send

icmp time-exceed

Function

The icmp time-exceed command specifies the format of ICMP Time Exceeded packets.

The undo icmp time-exceed command restores the default format of ICMP Time Exceeded packets.

By default, ICMP Time Exceeded packets carry extension headers in compliant mode and original datagrams are of variable length.

Format

icmp time-exceed { extension { compliant | non-compliant } | classic }

undo icmp time-exceed

Parameters

Parameter Description Value
extension Indicates that ICMP Time Exceeded packets carry extension headers. -
compliant Indicates that ICMP Time Exceeded packets carry extension headers in compliant mode and original datagrams are of variable length. -
non-compliant Indicates that ICMP Time Exceeded packets carry extension headers in non-compliant mode and original datagrams are of fixed length. -
classic Indicates that ICMP Time Exceeded packets do not carry extension headers. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When using the tracert command to check the network connectivity, you can run the icmp time-exceed command to specify the format of ICMP Time Exceeded packets.
  • When the icmp time-exceed command carry the parameter extension compliant, ICMP Time Exceeded packets carry extension headers in compliant mode and original datagrams are of variable length. ICMP Time Exceeded packets carry as many original datagrams as possible. Lengths of original datagrams carried in ICMP Time Exceeded packets are recorded in ICMP headers.
  • When the icmp time-exceed command carry the parameter extension non-compliant, ICMP Time Exceeded packets carry extension headers in non-compliant mode and original datagrams are of fixed length. If the length of original datagrams is less than 128 bytes, the system automatically fills the length to 128 bytes.
  • When the icmp time-exceed command carry the parameter classic, ICMP Time Exceeded packets do not carry extension headers.

Example

# Configure ICMP Time Exceeded packets to carry extension headers in compliant mode.

<HUAWEI> system-view
[HUAWEI] icmp time-exceed extension compliant
Related Topics

icmp ttl-exceeded drop

Function

The icmp ttl-exceeded drop command enables an LPU to discard the ICMP packets whose TTL values are 1.

The undo icmp ttl-exceeded drop command disables an LPU from discarding the ICMP packets whose TTL values are 1.

By default, the function of discarding ICMP packets with TTL values of 1 is disabled on an LPU.

Format

icmp ttl-exceeded drop { slot slot-id | all }

undo icmp ttl-exceeded drop { slot slot-id | all }

Parameters

Parameter

Description

Value

slot slot-id

Indicates the slot ID of an LPU.

The value is determined based on the device configuration.
all

Indicates all the LPUs. This parameter is used when you need to enable all the LPUs to discard or disable all the LPUs from discarding the ICMP packets whose TTL values are 1.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

TTL is a field in an IP packet that limits the lifespan of the IP packet on the network. The TTL value is set by the sender, and is reduced by 1 every time the packet passes a device. If a forwarding device receives an IP packet of which the TTL is 0 and the destination address is not the local address, the device discards this packet and returns an ICMP packet to the sender.

ICMP packets are encapsulated into IP packets. When receiving an ICMP packet of which the destination address is not the local address and the TTL value is 1, the device discards the packet and returns an ICMP Time Exceeded.

When receiving a packet of which the TTL value is 1, the switch sends the packet to the CPU. The tracert function implements hop-by-hop detection using the packets with TTL value 1. If an attacker sends a large number of IP packets with TTL value 1 to a target device, the CPU of the target device is busy handling these IP packets and returns ICMP Destination Unreachable packets. Therefore, the CPU usage becomes high.

If a switch is configured to discard the ICMP packets with TTL value 1, the pressure on the switch can be reduced and network attacks can be prevented.

Precautions

After the function is enabled on the device, the tracert command does not take effect.

Example

# Enable the LPU in slot 1 to discard the ICMP packets whose TTL values are 1.

<HUAWEI> system-view
[HUAWEI] icmp ttl-exceeded drop slot 1

icmp ttl-exceeded send

Function

The icmp ttl-exceeded send command enables an interface to send ICMP Time Exceeded packets.

The undo icmp ttl-exceeded send command disables an interface from sending ICMP Time Exceeded packets.

By default, an interface is enabled to send ICMP Time Exceeded packets.

Format

icmp ttl-exceeded send

undo icmp ttl-exceeded send

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

If the destination address of a received IP packet is not the local address and the TTL value is 1, a timeout error occurs. In this situation, the device discards the packet and returns an ICMP Time Exceeded packet to the source.

When replying with an ICMP Time Exceeded packet, an interface adds its IP address as the source IP address in the ICMP Time Exceeded packet, exposing the interface itself to attackers. In addition, after being attacked, the interface replies with numerous ICMP Time Exceeded packets, consuming CPU resources and degrading system performance. To resolve these problems, run the undo icmp ttl-exceeded send command to disable the interface from replying with ICMP Time Exceeded packets.

Example

# Enable VLANIF100 to send ICMP Time Exceeded packets.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] icmp ttl-exceeded send
# Enable GE1/0/1 to send ICMP Time Exceeded packets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] icmp ttl-exceeded send

icmp unreachable drop

Function

The icmp unreachable drop command enables the function of discarding ICMP Destination Unreachable packets.

The undo icmp unreachable drop command disables the function of discarding the ICMP Destination Unreachable packets.

By default, the function of discarding ICMP Destination Unreachable packets is disabled.

Format

icmp unreachable drop

undo icmp unreachable drop

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

ICMP error packets contain network information, such as network connectivity, host reachability, and route availability. ICMP error packets are ultimately returned to the sender because the sender is the logical receiver of the ICMP error packets. The sender learns about the error types from the ICMP error packets, and then determines how to retransmit the data.

After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.

Port Unreachable, Protocol Unreachable, and Host Unreachable packets are ICMP Destination Unreachable packets.
  • When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
  • When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
  • When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.
The Destination Unreachable packets facilitate network control and management. However, the inherent defects of the ICMP protocol make the routing devices and hosts be prone to attacks. Therefore, sending the ICMP Destination Unreachable packets has the following defects:
  • The ICMP packets increase traffic volume and burden the network devices.
  • If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
  • The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.

The switch sends ICMP Destination Unreachable packets to the CPU for processing. When a large number of such packets are received, the CPU may be overloaded. To reduce the number of ICMP packets on the network, you can enable the switch to discard ICMP Destination Unreachable packets. After the configuration, the workload on the switch is reduced and malicious attacks can be prevented.

Example

# Enable the function of discarding ICMP Destination Unreachable packets.

<HUAWEI> system-view
[HUAWEI] icmp unreachable drop

icmp with-options drop

Function

The icmp with-options drop command enables an LPU to discard ICMP packets that carry options.

The undo icmp with-options drop command disables an LPU from discarding ICMP packets that carry options.

By default, the function of discarding ICMP packets with TTL values of 1 is disabled on an LPU.

Format

icmp with-options drop { slot slot-id | all }

undo icmp with-options drop { slot slot-id | all }

Parameters

Parameter

Description

Value

slot slot-id

The value is an integer. It must be the slot ID of an LPU that is inserted into the chassis.

The value is determined based on the device configuration.
all

Indicates all the LPUs. You can use this parameter to enable all the LPUs to discard or disable all the LPUs from discarding the ICMP packets that carry options.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the ping -r command is run to detect network connectivity, the IP packet is forwarded by Layer 3 routing devices. Every Layer 3 device fills its own IP address into the option field of the IP packet. When the IP packet reaches the destination, the ICMP Echo Reply packet should contain the IP addresses of all passing devices, including the devices on the forward and return paths. When the ping program receives the reply packet, it can display the IP addresses of all passing Layer 3 devices.

If the length of IP packet encapsulating the ICMP packet exceeds the interface MTU, this IP packet is fragmented. Only the IP header of the first fragment includes the option field. The fragment carrying the option field is sent to the protocol stack and processed by the CPU.

When malicious attacks are initiated using ICMP packets, the device needs to process a large number of fragments carrying the option field, so the forwarding performance of the device degrades. To reduce impact on the forwarding performance and prevent ICMP packet attacks, you can enable the LPU to discard the ICMP fragments carrying option fields.

Example

# Enable the LPU in slot 1 to discard the ICMP packets that carry options.

<HUAWEI> system-view
[HUAWEI] icmp with-options drop slot 1

icmp-reply fast

Function

The icmp-reply fast command enables the fast ICMP reply function.

The undo icmp-reply fast command disables the fast ICMP reply function.

By default, the fast ICMP reply function is enabled.

Format

icmp-reply fast

undo icmp-reply fast

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The ping program is used to check network connectivity. If two hosts cannot ping each other, they cannot set up a connection. The ping program uses the ICMP protocol. It encapsulates ICMP Echo Request packets into IP packets, and sends the packets to the destination host. The destination host returns an ICMP Echo Reply packet to the source host. If the source host receives a reply within a certain period, the source host considers that the destination host is reachable.

In normal situations, after an interface receives an ICMP Echo Request packet, this packet is sent to the protocol stack and handled by the CPU.

After ICMP fast reply is enabled, if an interface receives an ICMP Echo Request packet of which the destination address is the local address, the packet is not sent to the protocol stack for handing by the CPU, but handled by the interface. This improves forwarding performance of the device.

Precautions

The fast ICMP reply function takes effect on sub-interfaces on switches since V200R010C00.

The fast ICMP reply function does not take effect on VBDIF interfaces.

Example

# Enable the fast ICMP reply function.

<HUAWEI> system-view
[HUAWEI] icmp-reply fast

ip forward-broadcast

Function

Using the ip forward-broadcast command, you can enable an interface to forward directed broadcast packets.

Using the undo ip forward-broadcast command, you can disable an interface from forwarding directed broadcast packets.

By default, disable the interface from forwarding directed broadcast packets.

Format

ip forward-broadcast [ acl acl-number ]

undo ip forward-broadcast

Parameters

Parameter

Description

Value
acl acl-number Specifies the number of an ACL.

The value is an integer that ranges from 2000 to 3999.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.

Views

VE sub-interface view, VBDIF interface view, VLANIF interface view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, 100GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Directed broadcast packets are sent to a specified network. In the destination IP address of a directed broadcast packet, the network number is that of the specified network and the host number is all 1s.

Hackers use directed broadcast packets to attack networks, which threatens the network security. Therefore, directed broadcast packets are isolated by Layer 3 switches in normal cases. However, in some scenarios, the device needs to receive or forward these directed broadcast packets. For example, when Wake on LAN (WOL) is configured on a PC, the command can be run to enable the interface to forward directed broadcast packets. (WOL enables a PC in dormancy or shutdown state to wake up from dormancy state to running state or turn from shutdown state to power-on state through the instruction from the peer of the network.)

The device can also be enabled to receive and forward a certain type of directed broadcast packets based on ACLs. For example, if the basic ACL is used, run the acl (system view) and rule (basic ACL view) commands to define the directed broadcast packets to be received and forwarded as permit, and then run the ip forward-broadcast command to bind this ACL.

Only broadcast packets that match the permit action defined in the ACL are forwarded. Broadcast packets that match the deny action defined in the ACL or do not match any ACL rules are not forwarded.

Precautions

By default, the device identifies directed broadcast packets as malformed packets, and intercepts and discards them because the attack defense function of malformed packets is enabled on the device. In this case, the interface on the device cannot forward the directed broadcast packets.

To solve this problem, use either of the following methods:

  • Run the anti-attack abnormal disable command to disable the attack defense function of malformed packets. However, after this command is configured, other malformed packets will not be intercepted and discarded, which brings certain security risks. Use this command with caution.

  • Run the anti-attack disable command to disable all attack defense functions. However, after this command is configured, not only malformed packets but also fragmented, tcp-syn, udp-flood, and icmp-flood attack packets will not be intercepted and discarded, which brings certain security risks. Use this command with caution.

This command does not apply to VPN scenarios, address unnumbering scenarios, and scenarios of conflicts between host routes and subnet broadcast routes due to network segment overlapping.

Example

# Enable VLANIF100 to forward directed broadcast packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip forward-broadcast
# Enable GE1/0/1 to forward directed broadcast packets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] ip forward-broadcast
Related Topics

ip forwarding converge normal

Function

The ip forwarding converge normal command disables the device to perform Layer 2 forwarding for IP traffic during ring network switchover.

The undo ip forwarding converge command enables the device from performing Layer 2 forwarding for IP traffic during ring network switchover.

By default, the device is enabled from performing Layer 2 forwarding for IP traffic during ring network switchover.

NOTE:

This command only takes effect on X series cards.

Format

ip forwarding converge normal

undo ip forwarding converge

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device deployed with the ring network protocols (STP, RSTP, MSTP, SEP, ERPS, RRPP, VBST, and Smart Link) performs link switchover due to a link fault, the ARP entries need to be learned again. This deteriorates the Layer 3 convergence performance of IP traffic. If the device is enabled to perform Layer 2 forwarding for IP traffic during the switchover, the convergence performance can be improved. By default, the device is enabled from performing Layer 2 forwarding for IP traffic during ring network switchover.

Precautions

After the device is enabled to perform Layer 2 forwarding for IP traffic, it will forward the IP traffic in broadcast mode during ring network switchover. Therefore, the IP traffic increases within a short time.

Example

# Disable the device from performing Layer 2 forwarding for IP traffic during ring network switchover.

<HUAWEI> system-view
[HUAWEI] ip forwarding converge normal

ip forwarding disable

Function

The ip forwarding disable command disables IPv4 Layer 3 unicast forwarding on a switch.

The undo ip forwarding disable command enables IPv4 Layer 3 unicast forwarding on a switch.

By default, IPv4 Layer 3 unicast forwarding is enabled on a switch.

Format

ip forwarding disable

undo ip forwarding disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can run this command to disable IPv4 Layer 3 unicast forwarding on a switch.

After IPv4 Layer 3 unicast forwarding is disabled on a switch, the IPv4 routing function becomes ineffective on the switch, and the switch cannot forward Layer 3 packets based on the IPv4 routing table and FIB table.

Example

# Disable IPv4 Layer 3 unicast forwarding on the switch.

<HUAWEI> system-view
[HUAWEI] ip forwarding disable
Warning: This operation will close IPv4 forwarding function and affect IPv4 traffic forwarding. Continue? [Y/N]:y

ip verify source-address

Function

The ip verify source-address command enables an interface to check validity of source IP addresses of received packets.

The undo ip verify source-address command disables an interface from checking validity of source IP addresses of received packets.

By default, an interface does not check validity of source IP addresses of received packets.

Format

ip verify source-address

undo ip verify source-address

Parameters

None

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Configuring source IP address verification enables an interface to check validity of source IP addresses of received packets. Packets with invalid addresses are discarded, which improves the network security.

The following IP addresses are illegal source addresses:

  • Addresses with all 0s or 1s
  • Multicast addresses (class D addresses)
  • Class E addresses
  • Loopback addresses that are not generated on local hosts (in 127.x.x.x format)
  • Broadcast addresses of classes A, B, and C
  • Subnet broadcast addresses that are on the same network segment as the address of the inbound interface

The interface only check validity of source IP addresses of the packets that need to be forwarded to the CPU, and does not check validity of source IP addresses of the packets that will be directly forwarded according to the FIB table.

If the mask in the IP address of the received packet is of 31 bits, the receiver considers it as a valid source address without checking the broadcast address of the subnet.

Run the display this command in the interface view to check configuration of checking validity of source IP addresses.

Example

# Enable VLANIF100 to check validity of source IP addresses of received packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip verify source-address
# Enable GE1/0/1 to check validity of source IP addresses of received packets.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo portswitch
[HUAWEI-GigabitEthernet1/0/1] ip verify source-address
Related Topics

ipv4 destination-unreachable drop

Function

The ipv4 destination-unreachable drop command enables the function of discarding IP packets that match no routing entry.

The undo ipv4 destination-unreachable drop command disables the function of discarding IP packets that match no routing entry.

By default, the function of discarding IP packets that match no routing entry is enabled.

Format

ipv4 destination-unreachable drop

undo ipv4 destination-unreachable drop

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the switch receives an IP packet that matches no routing entry in the local routing table, it sends the packet to the CPU. If a lot of IP packets match no routing entry because of an attack or incorrect network configuration, the CPU is busy. To prevent this problem, run the ipv4 destination-unreachable drop command to configure the switch to discard these packets.

Precautions

If you run the ipv4 destination-unreachable drop command, the switch does not respond to ICMP error packets when a route fails to match the routing policies. To enable the switch to respond to these ICMP packets, you need to run the undo ipv4 destination-unreachable drop command.

For the cards excluding X series cards, when both the ipv4 destination-unreachable drop command and the traffic policy command are run, both the drop action and the redirection action take effect. The ICMP redirection packets are discarded because the drop action has a higher priority than the redirection action. This leads to a redirection failure for ICMP packets. To make the redirection action for ICMP packets effective, run the undo ipv4 destination-unreachable drop command to disable the drop action. However, disabling the drop action will degrade the attack defense performance of the system. You must configure the two actions properly according to the network requirements.

For the EH1D2X48SEC0 card on the S9700, if the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command, the ipv4 destination-unreachable drop command does not take effect.

Example

# Enable the function of discarding IP packets that match no routing entry.

<HUAWEI> system-view
[HUAWEI] ipv4 destination-unreachable drop

ipv4 fragment enable

Function

The ipv4 fragment enable command enables fragmentation for outgoing forwarding-plain IP packets.

The undo ipv4 fragment enable command disables fragmentation for outgoing forwarding-plain IP packets.

By default, fragmentation for outgoing forwarding-plain IP packets is disabled.

NOTE:

This command takes effect only on the X series cards.

Format

ipv4 fragment enable

undo ipv4 fragment enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, only packets on the control plane can be fragmented according to the MTU on an interface. Packets on the forwarding plane can be forwarded normally without limited by the MTU. When the remote device or intermediate forwarding device receives IP packets, if it checks the packet length and discards packets whose length is longer than the MTU on the interface, network communication is interrupted. For the X series cards, you can run the ipv4 fragment enable command to enable fragmentation for outgoing forwarding-plane IP packets so that packets on the forwarding plane are fragmented based on the MTU on the interface.

Precautions

Before configuring the ipv4 fragment enable command, set a proper MTU. If the MTU is small, there may be many fragments of IP packets, causing the Layer 3 forwarding performance of IP packets to deteriorate.

Example

# Enable fragmentation for outgoing IP packets.

<HUAWEI> system-view
[HUAWEI] ipv4 fragment enable

ipv6 destination-unreachable drop

Function

The ipv6 destination-unreachable drop command enables the switch to discard the packets that do not match IPv6 routing entries.

The undo ipv6 destination-unreachable drop command disables the switch from discarding the packets that do not match IPv6 routing entries.

By default, the device discards the packets that do not match IPv6 routing entries.

Format

ipv6 destination-unreachable drop

undo ipv6 destination-unreachable drop

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Generally, the device sends the IPv6 packets that do not match routing entries to the CPU for processing. If many IPv6 packets do not match routing entries because of an attack or improper network configurations, the CPU is busy. To prevent this situation, run the ipv6 destination-unreachable drop command to configure the switch to discard these packets.

Precautions

If the ipv6 destination-unreachable drop command is used and a traffic policy with the redirect action is configured, both the drop action and the redirect action take effect. Because the drop action has a higher priority than the redirect action, ICMPv6 Redirect packets are discarded. This leads to a redirection failure. To make the redirect action take effect, run the undo ipv6 destination-unreachable drop command to disable the drop action. However, disabling the drop action will degrade the attack defense performance of the system. You must configure the two actions properly according to network requirements.

After the ipv6 destination-unreachable drop command is used, the switch does not respond to the ICMPv6 Error packets caused when IPv6 packets do not match routing entries until the drop action is disabled.

For the EH1D2X48SEC0 and ET1D2X48SEC0 cards on the S9700, if the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command, the ipv6 destination-unreachable drop command does not take effect.

Example

# Configure the switch to discard the packets that do not match IPv6 routing entries.

<HUAWEI> system-view
[HUAWEI] undo ipv6 destination-unreachable drop

load-balance (system view)

Function

The load-balance command enables the per-packet load balancing mode for IP packet forwarding.

The undo load-balance command restores the load balancing mode for IP packet forwarding to the default configuration.

By default, flow-based load balancing is used.

Format

load-balance { flow | packet } [ all | slot slot-id ]

undo load-balance packet [ all | slot slot-id ]

Parameters

Parameter Description Value
flow Indicates flow-based load balancing. -
packet Indicates packet-based load balancing. -
all

Indicates that the configuration is applied to all LPUs.

 -
slot slot-id

Indicates that the configuration is applied to the LPU in a specified slot.

The value is an integer, and the value range depends on the device configuration.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If flow-based load balancing is used, the hash algorithm is used to calculate a value for selecting a link to forward packets. The value is calculated based on the protocol type, source IP address, destination IP address, source port number, and destination port number.

If packet-based load balancing is used, packets are forwarded through different links. Packet-based load balancing can be implemented only for packets forwarded by the CPU such as protocol packets.

Precautions

The load-balance command takes effect for packets both delivered by the local device and processed by the CPU.

The load-balance command can also be used for MPLS packets.

If an LPU is not in position, the undo load-balance packet [ all | slot slot-id ] command cannot be used to delete the configurations of this LPU.

Example

# Configure packet-based load balancing for IP packet forwarding.

<HUAWEI> system-view
[HUAWEI] load-balance packet

reset ip socket monitor

Function

The reset ip socket monitor command clears information in a socket monitor.

Format

reset ip socket monitor [ task-id task-id socket-id socket-id ]

Parameters

Parameter Description Value
task-id task-id Clears information about the task with a specified ID in the socket monitor. The value must be an existing task ID.
socket-id socket-id Clears information about the socket with a specified ID in the socket monitor. The value must be an existing socket ID.

Views

User view

Default Level

3: Management level

Usage Guidelines

A socket monitor monitors and records each connection. A RawLink monitor also monitors interfaces. The socket monitor records specific protocol events that occur during operations and logs information in the disk space.

You can specify the task ID and socket ID for deleting information about the socket monitor that meets the filtering condition.

Example

# Clear information in a socket monitor.

<HUAWEI> reset ip socket monitor
Related Topics

reset ip socket pktsort

Function

The reset ip socket pktsort command resets statistics on the dual receive buffer of the socket.

Format

reset ip socket pktsort task-id task-id socket-id socket-id

Parameters

Parameter Description Value
task-id task-id Specifies the ID of a task. The value must be an existing task ID.
socket-id socket-id Specifies the ID of a socket. The value must be an existing socket ID.

Views

User view

Default Level

3: Management level

Usage Guidelines

This command clears statistics on the dual receive buffer of the socket and restarts the count. Therefore, confirm your action before running the command.

Example

# Reset statistics on the dual receive buffer of the socket with the task ID of 2 and the socket ID of 6.

<HUAWEI> reset ip socket pktsort task-id 2 socket-id 6

reset ip statistics

Function

The reset ip statistics command clears IP traffic statistics on an interface.

Format

reset ip statistics [ interface interface-type interface-number ]

Parameters

Parameter Description Value
interface interface-type interface-number Specifies the type and ID of an interface. If no optional parameter is specified, all the IP statistics will be deleted. -

Views

User view

Default Level

3: Management level

Usage Guidelines

To collect IP traffic statistics on an interface in a period of time, you must clear the existing traffic statistics and collect IP statistics after a period of time. Run the display ip statistics command to display information.

If no parameter is specified, the command clears IP traffic statistics on all boards.

Example

# Clear IP statistics on all interfaces.

<HUAWEI> reset ip statistics
# Clear IP statistics on VLANIF10.
<HUAWEI> reset ip statistics interface vlanif 10

reset rawip statistics

Function

The reset rawip statistics command clears RawIP packet statistics.

Format

reset rawip statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

You need to clear the existing statistics about RawIP packets before using the display rawip statistics command to view the statistics about RawIP packets in a specified period.

The reset rawip statistics command clears RawIP packet statistics. Confirm your action before running this command.

Example

# Clear RawIP packet statistics.

<HUAWEI> reset rawip statistics

reset tcp statistics

Function

The reset tcp statistics command deletes TCP traffic statistics.

Format

reset tcp statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To delete TCP packet statistics, run the reset tcp statistics command. To view TCP packet statistics, run the display tcp statistics [ verbose ] command. The command output contains the number of sent packets, the number of received packets, or the number of TCP packets for each protocol (verbose). You can run the reset tcp statistics command to delete existing statistics and then run the display tcp statistics command to collect statistics. The statistics help you check whether TCP packet counts are correct or help you diagnose faults.

Precautions

The reset tcp statistics command deletes TCP traffic statistics. Confirm your action before running this command.

Example

# Delete TCP traffic statistics.

<HUAWEI> reset tcp statistics

reset udp statistics

Function

The reset udp statistics command deletes UDP traffic statistics.

Format

reset udp statistics

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To delete UDP packet statistics, run the reset udp statistics command. To view UDP packet statistics, run the display udp statistics [ verbose ] command. The command output contains the number of sent packets, the number of received packets, or the number of UDP packets for each protocol (verbose). You can run the reset udp statistics command to delete existing statistics and then run the display udp statistics command to collect statistics. The statistics help you check whether UDP packet counts are correct or help you diagnose faults.

Precautions

The reset udp statistics command deletes UDP traffic statistics. Confirm your action before running this command.

Example

# Delete UDP traffic statistics.

<HUAWEI> reset udp statistics

set priority

Function

The set priority command sets the 802.1p priority or DSCP priority of packets.

The undo set priority command cancels the settings of the 802.1p priority or DSCP priority of packets.

By default, the 802.1p priority or DSCP priority of packets is not set.

Format

set priority 8021p 8021p-number

undo set priority 8021p

set priority dscp dscp-number [ if-match acl acl-number ]

undo set priority dscp [ if-match acl acl-number ]

Parameters

Parameter

Description

Value

8021p 8021p-number

Specifies the 802.1p priority of packets.

The value is an integer that ranges from 0 to 7. A larger value indicates a higher priority.

dscp dscp-number

Specifies the DSCP priority of packets. This parameter takes effect only for IPv4 packets.

The value is an integer that ranges from 0 to 63.

if-match acl acl-number

Specifies the number of an ACL.

The value is an integer that ranges from 3000 to 3999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run the set priority command to set the 802.1p priority or DSCP priority of packets sent by the switch.

To change the DSCP priority of protocol packets that meet specified characteristics and are sent by the switch, you can use an ACL to match these packets.

Precautions

If the packet priority has been specified in the protocol, the set priority 8021p command does not take effect.

If you use ACLs to match packets whose DSCP priority is to be changed, you can specify up to eight ACLs, each of which supports a maximum of 32 rules. The following fields can be matched:

  • ICMP packets: source IP address, destination IP address, protocol number, icmp-type, icmp-code, fragment, precedence, tos, dscp, ttl-expired, vpn-instance, and time-range

  • TCP packets: source IP address, destination IP address, protocol number, source port, destination port, tcp-flag, fragment, precedence, tos, dscp, ttl-expired, vpn-instance, and time-range

  • UDP packets: source IP address, destination IP address, protocol number, source port, destination port, fragment, precedence, tos, dscp, ttl-expired, vpn-instance, and time-range

  • Other protocol packets: source IP address, destination IP address, protocol number, fragment, precedence, tos, dscp, ttl-expired, vpn-instance, and time-range

The switch cannot use ACL-based matching to change the DSCP priority of the following protocol packets:

  • Protocol packets that are not sent from the protocol stack, such as fast ICMP reply packets and NetStream packets

  • Protocol packets whose priority can be configured using a command (for example, you can run the tos command to set the priority of NQA packets)

Example

# Set the DSCP priority to 10.

<HUAWEI> system-view
[HUAWEI] set priority dscp 10
Related Topics

snmp-agent trap enable feature-name ip

Function

The snmp-agent trap enable feature-name ip command enables the trap function for the IP module.

The undo snmp-agent trap enable feature-name ip command disables the trap function for the IP module.

By default, the trap function is disabled for the IP module.

Format

snmp-agent trap enable feature-name ip [ trap-name hwifipaddresschange ]

undo snmp-agent trap enable feature-name ip [ trap-name hwifipaddresschange ]

Parameters

Parameter Description Value
trap-name Enables the traps of IP events of specified types. -
hwifipaddresschange Indicates that IP address of the interface changes. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events.If you do not specify trap-name, all traps of the IP module will be enabled.

Example

# Enables IP address of the interface changes trap of IP module.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name ip trap-name hwifipaddresschange

snmp-agent trap enable feature-name tcp

Function

The snmp-agent trap enable feature-name tcp command enables the trap function for the TCP module.

The undo snmp-agent trap enable feature-name tcp command disables the trap function for the TCP module.

By default, the trap function is disabled for the TCP module.

Format

snmp-agent trap enable feature-name tcp [ trap-name hwtcpmd5authenfail ]

undo snmp-agent trap enable feature-name tcp [ trap-name hwtcpmd5authenfail ]

Parameters

Parameter Description Value
trap-name Enables the traps of TCP events of specified types. -
hwtcpmd5authenfail Indicates that the TCP MD5 authentication fails. It is an excessive trap. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events.If you do not specify trap-name, all traps of the TCP module will be enabled.

Example

# Enables the TCP MD5 authentication fails trap of TCP module.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name tcp trap-name hwtcpmd5authenfail

tcp min-mss

Function

The tcp min-mss command sets the minimum value of maximum segment size (MSS) for a TCP connection.

The undo tcp min-mss command restores the default minimum value of the MSS for a TCP connection.

The default minimum MSS value for a TCP connection is 216 bytes.

Format

tcp min-mss mss-value

undo tcp min-mss

Parameters

Parameter Description Value
mss-value Specifies the minimum MSS value for a TCP connection. The value ranges from 32 byte to 1500 bytes. By default, the value is 216 bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To establish a TCP connection, the MSS value is negotiated, which indicates the maximum length of packets that the local device can receive. The TCP client on a network may send a request packet for establishing a TCP connection carrying a small MSS value. For example, the MSS value is 1. After the TCP server receives the request packet carrying the MSS value, the TCP connection is established. The TCP client then may send large numbers of requests to the server by an application, causing the TCP server to generate large numbers of reply packets. This may burden the TCP server or network, causing denial of service (DoS) attacks. To resolve this problem, run the tcp min-mss command to set the minimum MSS value for a TCP connection. This configuration prevents a server from receiving packets carrying a small MSS value.

Precautions

The minimum MSS value configured using this command is not the negotiation parameter value carried in the MSS option. The negotiation parameter value carried in the MSS option of packets sent by the local device is calculated based on the MTU value.

The minimum MSS value configured using the tcp min-mss command must be less than the maximum MSS value configured using the tcp max-mss command.

If the tcp min-mss command is run more than once in the same view, the latest configuration overrides the previous one.

Configure the parameters under the guidance of the technical personnel.

Example

# Set the minimum MSS value for a TCP connection to 512 bytes.

<HUAWEI> system-view
[HUAWEI] tcp min-mss 512
Related Topics

tcp max-mss

Function

The tcp max-mss command configures the maximum Maximum Segment Size (MSS) value for a TCP connection.

The undo tcp max-mss command deletes the maximum MSS value of a TCP connection.

By default, the maximum MSS value is not configured for TCP connections.

Format

tcp max-mss mss-value

undo tcp max-mss

Parameters

Parameter Description Value
mss-value Specifies the maximum MSS value for a TCP connection. The value is an integer ranging from 32 to 9600, in bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To establish a TCP connection, the MSS value is negotiated, which indicates the maximum length of packets that the local device can receive. This length is the TCP payload length, excluding that of the TCP header. If the path MTU is unavailable on one end of a TCP connection, this end cannot adjust the TCP packet size based on the MTU. As a result, this end may send TCP packets that are longer than the MTUs on intermediate devices, which will discard these packets. To prevent this problem, run the tcp max-mss command on either end of a TCP connection to set the maximum MSS value of TCP packets. Then the MSS value negotiated by both ends will not exceed this maximum MSS value, and accordingly TCP packets sent from both ends will not be longer than this maximum MSS value and can travel through the intermediate network.

Precautions

The maximum MSS value configured using the tcp max-mss command must be greater than the minimum MSS value configured using the tcp min-mss command.

Example

# Set the maximum MSS value for a TCP connection to 1024 bytes.

<HUAWEI> system-view
[HUAWEI] tcp max-mss 1024
Related Topics

tcp timer fin-timeout

Function

The tcp timer fin-timeout command configures the value of the TCP FIN-Wait timer.

The undo tcp timer fin-timeout command restores the default value of the TCP FIN-Wait timer.

By default, the value of the TCP FIN-Wait timer is 675s.

Format

tcp timer fin-timeout interval

undo tcp timer fin-timeout

Parameters

Parameter Description Value
interval Specifies the value of the TCP FIN-Wait timer. The value is an integer that ranges from 76 to 3600, in seconds. The default value is 675s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a TCP connection changes from FIN_WAIT_1 to FIN_WAIT_2, the TCP FIN-Wait timer is started. If no response packet is received after the TCP FIN-Wait timer expires, the TCP connection is closed.

If you run this command in the same view for multiple times, only the last configuration takes effect.

You are advised to configure this parameter under the supervision of technical support personnel.

Example

# Set the value of the TCP FIN-Wait timer to 400s.

<HUAWEI> system-view
[HUAWEI] tcp timer fin-timeout 400

tcp timer syn-timeout

Function

The tcp timer syn-timeout command configures the value of the TCP SYN-Wait timer.

The undo tcp timer syn-timeout command restores the default value of the TCP SYN-Wait timer.

By default, the value of the TCP SYN-Wait timer is 75s.

Format

tcp timer syn-timeout interval

undo tcp timer syn-timeout

Parameters

Parameter Description Value
interval Specifies the value of the TCP SYN-Wait timer. The value is an integer ranging from 2 to 600, in seconds. The default value is 75s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When an SYN packet is sent, the TCP SYN-Wait timer is started. If no response packet is received after the TCP SYN-Wait timer expires, the TCP connection is closed.

If you run this command in the same view for multiple times, only the last configuration takes effect.

You are advised to configure this parameter under the supervision of technical support personnel.

Example

# Set the value of the TCP SYN-Wait timer to 100s.

<HUAWEI> system-view
[HUAWEI] tcp timer syn-timeout 100

tcp window

Function

The tcp window command configures the size of the receive or send buffer of a connection-oriented socket.

The undo tcp window command restores the default size of the receive or send buffer of a connection-oriented socket.

By default, the size of the receive or send buffer of a connection-oriented socket is 8k bytes.

Format

tcp window window-size

undo tcp window

Parameters

Parameter Description Value
window-size Specifies the size of the receive or send buffer of a connection-oriented socket. The value is an integer that ranges from 1 to 32, in k bytes. The default value is 8k bytes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If you run this command in the same view for multiple times, only the last configuration takes effect.

You are advised to configure this parameter under the supervision of technical support personnel.

Example

# Set the size of the receive or send buffer of a connection-oriented socket to 3K bytes.

<HUAWEI> system-view
[HUAWEI] tcp window 3
Translation
简体中文
Download
Updated: 2019-10-18

Document ID: EDOC1000178288

Views: 29222

Downloads: 109

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next
Enterprise APP

Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.