11-Layer 3—IP Services Command Reference


IP performance optimization commands

display icmp statistics

Use display icmp statistics to display ICMP statistics.

Syntax

In standalone mode:

display icmp statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display icmp statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ICMP statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ICMP statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

ICMP statistics include information about received and sent ICMP packets.

Examples

# Display ICMP statistics.

<Sysname> display icmp statistics

  Input: bad formats   0                   bad checksum            0

         echo          175                 destination unreachable 0

         source quench 0                   redirects               0

         echo replies  201                 parameter problem       0

         timestamp     0                   information requests    0

         mask requests 0                   mask replies            0

         time exceeded 0                   invalid type            0

         router advert 0                   router solicit          0

         broadcast/multicast echo requests ignored            0

         broadcast/multicast timestamp requests ignored       0

 Output: echo          0                   destination unreachable 0

         source quench 0                   redirects               0

         echo replies  175                 parameter problem       0

         timestamp     0                   information replies     0

         mask requests 0                   mask replies            0

         time exceeded 0                   bad address             0

         packet error  1442                router advert           3

display ip statistics

Use display ip statistics to display IP packet statistics.

Syntax

In standalone mode:

display ip statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display ip statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IP packet statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IP packet statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

IP statistics include information about received and sent packets, fragments, and reassembly.

Examples

# Display IP packet statistics.

<Sysname> display ip statistics

  Input:           sum            7120          local             112

                   bad protocol   0             bad format        0

                   bad checksum   0             bad options       0

                   dropped        0

  Output:          forwarding     0             local             27

                   dropped        0             no route          2

                   compress fails 0

  Reassembling:    fragments      0             reassembled       0

                   dropped        0             timeouts          0

  Fragment:        fragmented     0             couldn't fragment 0

                   output frags   0

  Forwarded Frags: sum            0

Table 1 Command output

Field

Description

Input

Statistics about received packets:

·     sum—Total number of packets received.

·     local—Total number of packets destined for the device.

·     bad protocol—Total number of unknown protocol packets.

·     bad format—Total number of packets with incorrect format.

·     bad checksum—Total number of packets with incorrect checksum.

·     bad options—Total number of packets with incorrect option.

Reassembling

Statistics about reassembling:

·     fragments—Total number of fragments that need reassembling.

·     reassembled—Total number of packets that are reassembled.

·     dropped—Total number of dropped fragments that fail the reassembling.

·     timeouts—Total number of reassembly timeouts.

Fragment

Statistics about fragments:

·     fragmented—Total number of packets successfully fragmented.

·     couldn't fragment—Total number of packets that failed to be fragmented.

·     output—Total number of fragments sent.

Forwarded Frags

Statistics about forwarded fragments:

sum—Total number of fragments that are directly forwarded.

Related commands

display ip interface

reset ip statistics

display rawip

Use display rawip to display brief information about RawIP connections.

Syntax

In standalone mode:

display rawip [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display rawip [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about RawIP connections for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about RawIP connections for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Brief RawIP connection information includes local and peer addresses, protocol, and PCB.

Examples

# (In standalone mode.) Display brief information about RawIP connections.

<Sysname> display rawip

 Local Addr       Foreign Addr     Protocol  Slot  CPU PCB

 0.0.0.0          0.0.0.0          1         1     0   0x0000000000000009

 0.0.0.0          0.0.0.0          1         1     0   0x0000000000000008

 0.0.0.0          0.0.0.0          1         5     0   0x0000000000000002

Table 2 Command output

Field

Description

Local Addr

Local IP address.

Foreign Addr

Peer IP address.

Protocol

Protocol number.

PCB

Protocol control block.

display rawip verbose

Use display rawip verbose to display detailed information about RawIP connections.

Syntax

In standalone mode:

display rawip verbose [ slot slot-number [ cpu cpu-number ] [ pcb pcb-index ] ]

In IRF mode:

display rawip verbose [ chassis chassis-number slot slot-number [ cpu cpu-number ] [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

pcb pcb-index: Displays detailed RawIP connection information for the specified PCB. The pcb-index argument specifies the index of the PCB. The index value range is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about RawIP connections for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed RawIP connection information for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

The detailed information includes socket creator, state, option, type, protocol number, and the source and destination IP addresses of RawIP connections.

Examples

# (In standalone mode.) Display detailed information about RawIP connections.

<Sysname> display rawip verbose

Total RawIP socket number: 1

 

 Connection info: src = 0.0.0.0, dst = 0.0.0.0

 Location: slot 6 cpu 0

 Creator: ping[320]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 3

 Protocol: 1

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 3 Command output

Field

Description

Total RawIP socket number

Total number of RawIP sockets.

Connection info

Connection information, including source IP address and destination IP address.

Location

Socket location.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state:

·     NOFDREF—The user has closed the connection.

·     ISCONNECTED—The connection has been established.

·     ISCONNECTING—The connection is being established.

·     ISDISCONNECTING—The connection is being interrupted.

·     ISSMOOTHING—Cross-card data smoothing is in progress.

·     CANBIND—The socket supports the bind operation.

·     ASYNC—Asynchronous mode.

·     ISDISCONNECTED—The connection has been terminated.

·     PROTOREF—Indicates strong protocol reference.

·     ISPCBSYNCING—Cross-card PCB synchronization is in progress.

·     N/A—None of the above states.

Options

Socket options:

·     SO_DEBUG—Records socket debugging information.

·     SO_ACCEPTCONN—Enables the server to listen for connection requests.

·     SO_REUSEADDR—Allows local address reuse.

·     SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive.

·     SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network.

·     SO_BROADCAST—Supports broadcast packets.

·     SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer.

·     SO_OOBINLINE—Stores the out-of-band data in the input queue.

·     SO_REUSEPORT—Allows local port reuse.

·     SO_TIMESTAMP—Records the timestamps of the incoming packets, accurate to milliseconds. This option is applicable to protocols that are not connection-oriented.

·     SO_NOSIGPIPE—Disables the socket from sending data. As a result, a sigpipe cannot be established when a return failure occurs.

·     SO_FILTER—Supports setting the packet filter criterion. This option takes effect on the incoming packets.

·     SO_TIMESTAMPNS—Functions like SO_TIMESTAMP, but is accurate to nanoseconds.

·     SO_SEQPACKET—Preserves the boundaries of packets sent to the socket buffer.

·     SO_FILLTWAMPTIME—Sets the timestamp for TWAMP.

·     SO_LOCAL—Local socket option.

·     SO_NBMAADDR—Obtains the remote NBMA address of the ADVPN tunnel.

·     SO_DONTDELIVER—Do not deliver the data to the application.

·     N/A—No options are set.

Error

Error code.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SNDBYLSPV—Sends through MPLS.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     INP_USEICMPSRC—Uses the specified IP address as the source IP address for outgoing ICMP packets.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     INP_LOCAL—Preferentially matches the INPCB with this flag on the same card.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     INP_EXTRCVICMPERR—Receives an ICMP error packet.

·     INP_EXTFILTER—Filters the contents in the received packet.

·     INP_EXTDONTDROP—Do not drop the received packet.

·     INP_EXLISTEN—Adds the INPCB carrying this flag to the listen hash table.

·     INP_SELECTMATCHSRCBYFIB—Uses the FIB table to select a matching source.

·     INP_EXTPRIVATESOCKET—Associates the INPCB with the NSR private socket.

·     INP_EXLISTENNET—Sets this flag when the connection information is added to the network segment linked list.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

TTL

TTL value in the Internet PCB.

Send VRF

VRF from which packets are sent.

Receive VRF

VRF from which packets are received.

display tcp

Use display tcp to display brief information about TCP connections.

Syntax

In standalone mode:

display tcp [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display tcp [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about TCP connections for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about TCP connections for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Brief TCP connection information includes local IP address, local port number, peer IP address, peer port number, and TCP connection state.

Examples

# (In standalone mode.) Display brief information about TCP connections.

<Sysname> display tcp

 *: TCP MD5 Connection

 Local Addr:port       Foreign Addr:port     State       Slot  CPU PCB

*0.0.0.0:21            0.0.0.0:0             LISTEN      1     0   0x000000000000c387

 192.168.20.200:23     192.168.20.14:1284    ESTABLISHED 1     0   0x0000000000000009

 192.168.20.200:23     192.168.20.14:1283    ESTABLISHED 1     0   0x0000000000000002

Table 4 Command output

Field

Description

*

Indicates that the TCP connection uses authentication.

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

State

TCP connection state.

PCB

PCB index.

display tcp statistics

Use display tcp statistics to display TCP traffic statistics.

Syntax

In standalone mode:

display tcp statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display tcp statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays TCP traffic statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays TCP traffic statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

TCP traffic statistics include information about received and sent TCP packets and Syncache/syncookie.

Examples

# Display TCP traffic statistics.

<Sysname> display tcp statistics

Received packets:

    Total: 4150

    packets in sequence: 1366 (134675 bytes)

    window probe packets: 0, window update packets: 0

    checksum error: 0, offset error: 0, short error: 0

    packets dropped for lack of memory: 0

    packets dropped due to PAWS: 0

    duplicate packets: 12 (36 bytes), partially duplicate packets: 0 (0 bytes)

    out-of-order packets: 0 (0 bytes)

    packets with data after window: 0 (0 bytes)

    packets after close: 0

    ACK packets: 3531 (795048 bytes)

    duplicate ACK packets: 33, ACK packets for unsent data: 0

 

Sent packets:

    Total: 4058

    urgent packets: 0

    control packets: 50

    window probe packets: 3, window update packets: 11

    data packets: 3862 (795012 bytes), data packets retransmitted: 0 (0 bytes)

    ACK-only packets: 150 (52 delayed)

    unnecessary packet retransmissions: 0

 

Syncache/syncookie related statistics:

    entries added to syncache: 12

    syncache entries retransmitted: 0

    duplicate SYN packets: 0

    reply failures: 0

    successfully build new socket: 12

    bucket overflows: 0

    zone failures: 0

    syncache entries removed due to RST: 0

    syncache entries removed due to timed out: 0

    ACK checked by syncache or syncookie failures: 0

    syncache entries aborted: 0

    syncache entries removed due to bad ACK: 0

    syncache entries removed due to ICMP unreachable: 0

    SYN cookies sent: 0

    SYN cookies received: 0

 

SACK related statistics:

    SACK recoveries: 1

    SACK retransmitted segments: 0 (0 bytes)

    SACK blocks (options) received: 0

    SACK blocks (options) sent: 0

    SACK scoreboard overflows: 0

 

Other statistics:

    retransmitted timeout: 0, connections dropped in retransmitted timeout: 0

    persist timeout: 0

    keepalive timeout: 21, keepalive probe: 0

    keepalive timeout, so connections disconnected: 0

    fin_wait_2 timeout, so connections disconnected: 0

    initiated connections: 29, accepted connections: 12, established connections: 23

    closed connections: 50051 (dropped: 0, initiated dropped: 0)

    bad connection attempt: 0

    ignored RSTs in the window: 0

    listen queue overflows: 0

    RTT updates: 3518(attempt segment: 3537)

    correct ACK header predictions: 0

    correct data packet header predictions: 568

    resends due to MTU discovery: 0

    packets dropped due to MD5 authentication failure: 0

    packets that passed MD5 authentication: 0

    sent Keychain-encrypted packets: 0

    packets that passed Keychain authentication: 0

    packets dropped due to Keychain authentication failure: 0

    packets dropped with MD5 authentication: 0

    packets permitted with MD5 authentication: 0

Related commands

reset tcp statistics
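
Added example (not part of the H3C reference): the counters above are cumulative until reset tcp statistics is run, so monitoring has to compare two snapshots rather than read absolute values. This Python sketch parses the output format shown in the example and reports watched counters that grew; both snapshots, the watch list and its thresholds are constructed assumptions.

```python
import re

# "name: value" pairs. Names may contain commas ("keepalive timeout, so
# connections disconnected") but never ':' or parentheses.
_COUNTER = re.compile(r"([A-Za-z][^:()]*?):\s*(\d+)")

# Watch list and thresholds are assumptions for this example, not vendor guidance.
WATCH = {
    ("Syncache/syncookie related statistics", "bucket overflows"): 1,
    ("Syncache/syncookie related statistics", "SYN cookies sent"): 1,
    ("Other statistics", "listen queue overflows"): 1,
    ("Other statistics", "packets dropped due to MD5 authentication failure"): 1,
    ("Other statistics", "packets dropped due to Keychain authentication failure"): 1,
    ("Received packets", "checksum error"): 100,
}


def parse_tcp_statistics(text):
    """Return {(section, counter): int} from 'display tcp statistics' output."""
    counters, section = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("<"):
            continue  # blank line or the CLI prompt line
        if not line[0].isspace() and line.endswith(":"):
            section = line[:-1]  # unindented "Received packets:" style header
            continue
        for m in _COUNTER.finditer(line):
            counters[(section, m.group(1).strip())] = int(m.group(2))
    return counters


def delta(prev, curr):
    """Growth per counter; a counter that went down is treated as reset."""
    out = {}
    for key, now in curr.items():
        before = prev.get(key, 0)
        out[key] = now if now < before else now - before
    return out


def findings(prev_text, curr_text, watch=WATCH):
    """Sorted (section, counter, growth) for watched counters over threshold."""
    grew = delta(parse_tcp_statistics(prev_text), parse_tcp_statistics(curr_text))
    return sorted((sec, name, grew[(sec, name)])
                  for (sec, name), limit in watch.items()
                  if grew.get((sec, name), 0) >= limit)


# Constructed snapshots (abridged), in the layout of the example output above.
SNAPSHOT_1 = """\
<Sysname> display tcp statistics
Received packets:
    Total: 4150
    checksum error: 0, offset error: 0, short error: 0
    duplicate packets: 12 (36 bytes), partially duplicate packets: 0 (0 bytes)
Syncache/syncookie related statistics:
    entries added to syncache: 12
    bucket overflows: 0
    SYN cookies sent: 0
Other statistics:
    keepalive timeout: 21, keepalive probe: 0
    keepalive timeout, so connections disconnected: 0
    closed connections: 50051 (dropped: 0, initiated dropped: 0)
    listen queue overflows: 0
    packets dropped due to MD5 authentication failure: 0
"""

SNAPSHOT_2 = """\
<Sysname> display tcp statistics
Received packets:
    Total: 98200
    checksum error: 3, offset error: 0, short error: 0
    duplicate packets: 40 (120 bytes), partially duplicate packets: 0 (0 bytes)
Syncache/syncookie related statistics:
    entries added to syncache: 30512
    bucket overflows: 412
    SYN cookies sent: 9050
Other statistics:
    keepalive timeout: 25, keepalive probe: 0
    keepalive timeout, so connections disconnected: 0
    closed connections: 50190 (dropped: 0, initiated dropped: 0)
    listen queue overflows: 0
    packets dropped due to MD5 authentication failure: 7
"""

if __name__ == "__main__":
    for section, name, grew in findings(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{section} / {name}: +{grew}")
```
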

display tcp verbose

Use display tcp verbose to display detailed information about TCP connections.

Syntax

In standalone mode:

display tcp verbose [ slot slot-number [ cpu cpu-number ] [ pcb pcb-index ] ]

In IRF mode:

display tcp verbose [ chassis chassis-number slot slot-number [ cpu cpu-number ] [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

pcb pcb-index: Displays detailed TCP connection information for the specified PCB. The index value range is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about TCP connections for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed information about TCP connections for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

The detailed TCP connection information includes socket creator, state, option, type, protocol number, source IP address and port number, destination IP address and port number, and connection state.

Examples

# (In standalone mode.) Display detailed information about TCP connections.

<Sysname> display tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

 

 Connection info: src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181

 Location: slot 6 cpu 0

 NSR standby: N/A

 Creator: bgpd[199]

 State: ISCONNECTED

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat /state): 0 / 65700 / 512 / N/A

 Type: 1

 Protocol: 6

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Connection state: ESTABLISHED

 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 NSR state: READY(M)

 Send VRF: 0x0

 Receive VRF: 0x0

Table 5 Command output

Field

Description

TCP inpcb number

Number of TCP IP PCBs.

Connection info

Connection information, including source IP address, source port number, destination IP address, and destination port number.

Location

Socket location.

NSR standby

ID of the IRF member device and number of the slot where the NSR standby card resides. This field displays N/A if no NSR standby card is present.

tcpcb number

Number of TCP PCBs. This field is not displayed if the state of the TCP connection is TIME_WAIT.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state:

·     NOFDREF—The user has closed the connection.

·     ISCONNECTED—The connection has been established.

·     ISSMOOTHING—Cross-card data smoothing is in progress.

·     CANBIND—The socket supports the bind operation.

·     ISCONNECTING—The connection is being established.

·     ISDISCONNECTING—The connection is being interrupted.

·     ASYNC—Asynchronous mode.

·     ISDISCONNECTED—The connection has been terminated.

·     PROTOREF—Indicates strong protocol reference.

·     ISPCBSYNCING—Cross-card PCB synchronization is in progress.

·     N/A—None of the above states.

Options

Socket options:

·     SO_DEBUG—Records socket debugging information.

·     SO_ACCEPTCONN—Enables the server to listen for connection requests.

·     SO_REUSEADDR—Allows local address reuse.

·     SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive.

·     SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network.

·     SO_BROADCAST—Supports broadcast packets.

·     SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer.

·     SO_OOBINLINE—Stores the out-of-band data in the input queue.

·     SO_REUSEPORT—Allows local port reuse.

·     SO_TIMESTAMP—Records the timestamps of the incoming packets, accurate to milliseconds. This option is applicable to protocols that are not connection-oriented.

·     SO_NOSIGPIPE—Disables the socket from sending data. As a result, a sigpipe cannot be established when a return failure occurs.

·     SO_TIMESTAMPNS—Functions like SO_TIMESTAMP, but is accurate to nanoseconds.

·     SO_KEEPALIVETIME—Sets a keepalive time.

·     SO_SEQPACKET—Preserves the boundaries of packets sent to the socket buffer.

·     SO_FILLTWAMPTIME—Sets the timestamp for TWAMP.

·     SO_LOCAL—Local socket option.

·     SO_NBMAADDR—Obtains the remote NBMA address of the ADVPN tunnel.

·     SO_DONTDELIVER—Do not deliver the data to the application.

·     N/A—No options are set.

Error

Error code.

Receiving buffer (cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Sending buffer (cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SNDBYLSPV—Sends through MPLS.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     INP_LOCAL—Preferentially matches the INPCB with this flag on the same card.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     INP_EXTFILTER—Filters the contents in the received packets.

·     INP_SELECTMATCHSRCBYFIB—Uses the FIB table to select a matching source.

·     INP_EXTRCVICMPERR—Receives an ICMP error packet.

·     INP_EXTPRIVATESOCKET—Associates the INPCB with the NSR private socket.

·     INP_EXLISTENNET—Sets this flag when the connection information is added to the network segment linked list.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

TTL

TTL value in the Internet PCB.

TCP options

TCP options:

·     TF_ACKNOW—Immediately replies to the peer with an ACK packet.

·     TF_DELACK—Delays sending ACK packets.

·     TF_SENTFIN—A FIN packet has been sent.

·     TF_RCVD_SCALE—Requests the receive window size scale factor.

·     TF_RCVD_TSTMP—A timestamp was received in the SYN packet.

·     TF_NEEDSYN—Sends a SYN packet.

·     TF_NEEDFIN—Sends a FIN packet.

·     TF_MORETOCOME—More data is to be added to the socket.

·     TF_LQ_OVERFLOW—The listening queue overflows.

·     TF_LASTIDLE—Idle connection.

·     TF_RXWIN0SENT—A reply with receive window size 0 was sent.

·     TF_FASTRECOVERY—Enters NewReno fast recovery mode.

·     TF_WASFRECOVERY—In NewReno fast recovery mode.

·     TF_SIGNATURE—MD5 signature.

·     TF_FORCEDATA—Forces one byte to be sent.

·     TF_TSO—TSO is enabled.

·     TF_PMTU—Supports RFC 1191.

·     TF_PMTUD—Starts Path MTU discovery.

·     TF_PASSIVE_CONN—Passive connection.

·     TF_APP_SEND—The application sends data.

·     TF_NODELAY—Disables the Nagle algorithm that buffers the sent data inside the TCP.

·     TF_NOOPT—No TCP options.

·     TF_NOPUSH—Forces TCP to delay sending any TCP data until a full sized segment is buffered in the TCP buffers.

·     TF_NSR—Enables TCP NSR.

·     TF_REQ_SCALE—Enables the TCP window scale option.

·     TF_REQ_TSTMP—Enables the time stamp option.

·     TF_SACK_PERMIT—Enables the TCP selective acknowledgement option.

·     TF_ENHANCED_AUTH—Enables the enhanced authentication option.

NSR state

State of the TCP connections.

Between the parentheses is the role of the connection:

·     M—Main connection.

·     S—Standby connection.

Send VRF

VRF from which packets are sent.

Receive VRF

VRF from which packets are received.
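
Added example (not from the H3C reference): a Python sketch that splits display tcp verbose output into per-connection records and lists established sessions on chosen ports (BGP, port 179, by default) whose TCP options field shows neither TF_SIGNATURE nor TF_ENHANCED_AUTH. The sample output is constructed, and the sketch assumes that every record starts with a Connection info line and that an authenticated session displays one of those two flags.

```python
import re

# "src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181"
_CONN = re.compile(r"src = (\S+)\s*,\s*dst = (\S+)")

# Flags from Table 5 that this example treats as "session is authenticated".
AUTH_FLAGS = {"TF_SIGNATURE", "TF_ENHANCED_AUTH"}


def parse_tcp_verbose(text):
    """Return one dict per connection; fields keep the names used in the output."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank lines and the CLI prompt line
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Connection info":
            m = _CONN.search(value)
            if m is None:
                continue
            current = {"src": m.group(1), "dst": m.group(2)}
            records.append(current)
        elif current is not None:  # skips the "TCP inpcb number" summary line
            current[key] = value
    return records


def port_of(endpoint):
    """Port from an IPv4 'address:port' endpoint."""
    return int(endpoint.rsplit(":", 1)[1])


def rx_drops(record):
    """Drop counter (4th value) of the 'Receiving buffer(...)' field, or None."""
    for key, value in record.items():
        if key.startswith("Receiving buffer"):
            return int(value.split("/")[3])
    return None


def unauthenticated_sessions(records, ports=(179,)):
    """(src, dst, creator) for ESTABLISHED sessions on `ports` with no auth flag."""
    out = []
    for rec in records:
        if rec.get("Connection state") != "ESTABLISHED":
            continue
        if port_of(rec["src"]) not in ports and port_of(rec["dst"]) not in ports:
            continue
        flags = set(rec.get("TCP options", "").split())
        if not flags & AUTH_FLAGS:
            out.append((rec["src"], rec["dst"], rec.get("Creator", "?")))
    return out


# Constructed sample (abridged fields), in the layout of the example above.
SAMPLE = """\
<Sysname> display tcp verbose
TCP inpcb number: 3(tcpcb number: 3)

 Connection info: src = 192.168.20.200:179 ,  dst = 192.168.20.14:4181
 Creator: bgpd[199]
 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / N/A
 Connection state: ESTABLISHED
 TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

 Connection info: src = 192.168.20.200:4322 ,  dst = 192.168.20.15:179
 Creator: bgpd[199]
 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 0 / N/A
 Connection state: ESTABLISHED
 TCP options: TF_REQ_SCALE TF_SIGNATURE TF_NSR

 Connection info: src = 192.168.20.200:23 ,  dst = 192.168.20.14:1284
 Creator: telnetd[412]
 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 65700 / 1 / 5 / N/A
 Connection state: ESTABLISHED
 TCP options: TF_DELACK
"""

if __name__ == "__main__":
    recs = parse_tcp_verbose(SAMPLE)
    for src, dst, creator in unauthenticated_sessions(recs):
        print(f"no TCP authentication flag: {src} <-> {dst} ({creator})")
    for rec in recs:
        if rx_drops(rec):
            print(f"receive-buffer drops on {rec['src']}: {rx_drops(rec)}")
```
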

display tcp-proxy

Use display tcp-proxy to display brief information about TCP proxy.

Syntax

In standalone mode:

display tcp-proxy slot slot-number [ cpu cpu-number ]

In IRF mode:

display tcp-proxy chassis chassis-number slot slot-number [ cpu cpu-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

TCP proxy splits every TCP connection that passes through it into two TCP connections to relay data packets between clients and servers. The split is transparent to the servers and clients. This feature reduces bandwidth use and improves TCP performance. It is used for services such as load balancing and SSL VPN.

Examples

# (In standalone mode.) Display brief information about TCP proxy for the specified slot.

<Sysname> display tcp-proxy slot 1

Local Addr:port       Foreign Addr:port     State        Service type

192.168.56.25:1111    111.111.111.125:8080  ESTABLISHED  LB

111.111.111.125:8080  192.168.56.25:1111    ESTABLISHED  LB

Table 6 Command output

Field

Description

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

State

TCP connection state.

Service type

Type of services that the TCP proxy is used for:

·     LB—Load balancing services.

·     SSL VPN—SSL VPN services.

·     APPPROXY—Application proxy services.

display tcp-proxy port-info

Use display tcp-proxy port-info to display the usage of non-well known ports for TCP proxy.

Syntax

In standalone mode:

display tcp-proxy port-info slot slot-number [ cpu cpu-number ]

In IRF mode:

display tcp-proxy port-info chassis chassis-number slot slot-number [ cpu cpu-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays non-well known port usage for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays non-well known port usage for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

The TCP ports are divided into well-known ports (port numbers from 0 through 1023) and non-well known ports (port numbers from 1024 through 65535).

·     Well known ports are for certain services, for example, port 23 for Telnet service, ports 20 and 21 for FTP service, and port 80 for HTTP service.

·     Non-well known ports are available for various services. You can use the display tcp-proxy port-info command to display the usage of these ports.

Examples

# (In standalone mode.) Display the usage of non-well known ports for TCP proxy for the specified slot.

<Sysname> display tcp-proxy port-info slot 1

Index  Range            State

16     [1024, 1087]     USABLE

17     [1088, 1151]     USABLE

18     [1152, 1215]     USABLE

19     [1216, 1279]     USABLE

20     [1280, 1343]     USABLE

...

1020   [65280, 65343]   USABLE

1021   [65344, 65407]   USABLE

1022   [65408, 65471]   USABLE

1023   [65472, 65535]   USABLE

Table 7 Command output

Field

Description

Index

Index of the port range.

Range

Start port number and end port number.

State

State of the port range:

·     USABLE—The ports are assignable.

·     ASSIGNED—Some ports are dynamically assigned and some ports are not.

·     ALLASSIGNED—All ports are dynamically assigned. The assigned ports can be reclaimed.

·     TO RECLAIM—Some ports are statically assigned. The assigned ports can be reclaimed.

·     RESERVED—The ports are reserved. The reserved ports cannot be dynamically assigned.

 

display udp

Use display udp to display brief information about UDP connections.

Syntax

In standalone mode:

display udp [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display udp [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays brief information about UDP connections for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays brief information about UDP connections for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Brief UDP connection information includes local IP address and port number, and peer IP address and port number.

Examples

# (In standalone mode.) Display brief information about UDP connections.

<Sysname> display udp

 Local Addr:port        Foreign Addr:port     Slot  CPU PCB

 0.0.0.0:69             0.0.0.0:0             1     0   0x0000000000000003

 192.168.20.200:1024    192.168.20.14:69      5     0   0x0000000000000002

Table 8 Command output

Field

Description

Local Addr:port

Local IP address and port number.

Foreign Addr:port

Peer IP address and port number.

PCB

PCB index.

display udp statistics

Use display udp statistics to display UDP traffic statistics.

Syntax

In standalone mode:

display udp statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display udp statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays UDP traffic statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays UDP traffic statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

UDP traffic statistics include information about received and sent UDP packets.

Examples

# Display UDP traffic statistics.

<Sysname> display udp statistics

Received packets:

     Total: 240

     checksum error: 0, no checksum: 0

     shorter than header: 0, data length larger than packet: 0

     no socket on port(unicast): 0

     no socket on port(broadcast/multicast): 240

     not delivered, input socket full: 0

Sent packets:

     Total: 0

Related commands

reset udp statistics

display udp verbose

Use display udp verbose to display detailed information about UDP connections.

Syntax

In standalone mode:

display udp verbose [ slot slot-number [ cpu cpu-number ] [ pcb pcb-index ] ]

In IRF mode:

display udp verbose [ chassis chassis-number slot slot-number [ cpu cpu-number ] [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

context-admin

context-operator

Parameters

pcb pcb-index: Displays detailed UDP connection information for the specified PCB. The value range for the pcb-index argument is 1 to 16.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays detailed information about UDP connections for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays detailed information about UDP connections for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

The detailed information includes socket creator, status, option, type, protocol number, source IP address and port number, and destination IP address and port number for UDP connections.

Examples

# (In standalone mode.) Display detailed UDP connection information.

<Sysname> display udp verbose

Total UDP socket number: 1

 

 Connection info: src = 0.0.0.0:69, dst = 0.0.0.0:0

 Location: slot 6 cpu 0

 Creator: sock_test_mips[250]

 State: N/A

 Options: N/A

 Error: 0

 Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

 Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

 Type: 2

 Protocol: 17

 Inpcb flags: N/A

 Inpcb extflag: N/A

 Inpcb vflag: INP_IPV4

 TTL: 255(minimum TTL: 0)

 Send VRF: 0xffff

 Receive VRF: 0xffff

Table 9 Command output

Field

Description

Total UDP socket number

Total number of UDP sockets.

Connection info

Connection information, including source IP address, source port number, destination IP address, and destination port number.

Location

Socket location.

Creator

Name of the operation that created the socket. The number in brackets is the process number of the creator.

State

Socket state:

·     NOFDREF—The user has closed the connection.

·     ISCONNECTED—The connection has been established.

·     ISCONNECTING—The connection is being established.

·     ISDISCONNECTING—The connection is being interrupted.

·     ASYNC—Asynchronous mode.

·     ISDISCONNECTED—The connection has been terminated.

·     ISSMOOTHING—Cross-card data smoothing is in progress.

·     CANBIND—The socket supports the bind operation.

·     PROTOREF—Indicates strong protocol reference.

·     ISPCBSYNCING—Cross-card PCB synchronization is in progress.

·     N/A—None of the above states.

Options

Socket options:

·     SO_DEBUG—Records socket debugging information.

·     SO_ACCEPTCONN—Enables the server to listen for connection requests.

·     SO_REUSEADDR—Allows local address reuse.

·     SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive.

·     SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network.

·     SO_BROADCAST—Supports broadcast packets.

·     SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer.

·     SO_OOBINLINE—Stores the out-of-band data in the input queue.

·     SO_REUSEPORT—Allows local port reuse.

·     SO_TIMESTAMP—Records the timestamps of the incoming packets, accurate to milliseconds. This option is applicable to protocols that are not connection-oriented.

·     SO_NOSIGPIPE—Disables the socket from sending data. As a result, a sigpipe cannot be established when a return failure occurs.

·     SO_TIMESTAMPNS—Has a function similar to SO_TIMESTAMP, accurate to nanoseconds.

·     SO_SEQPACKET—Preserves the boundaries of packets sent to the socket buffer.

·     SO_FILLTWAMPTIME—Sets the timestamp for TWAMP.

·     SO_LOCAL—Local socket option.

·     SO_NBMAADDR—Obtains the remote NBMA address of the ADVPN tunnel.

·     SO_DONTDELIVER—Do not deliver the data to the application.

·     N/A—No options are set.

Error

Error code.

Receiving buffer(cc/hiwat/lowat/drop/state)

Displays receive buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     drop—Number of dropped packets.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Sending buffer(cc/hiwat/lowat/state)

Displays send buffer information in the following order:

·     cc—Used space.

·     hiwat—Maximum space.

·     lowat—Minimum space.

·     state—Buffer state:

¡     CANTSENDMORE—Unable to send data to the peer.

¡     CANTRCVMORE—Unable to receive data from the peer.

¡     RCVATMARK—Receiving tag.

¡     N/A—None of the above states.

Type

Socket type:

·     1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams.

·     2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission.

·     3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header.

·     N/A—None of the above types.

Protocol

Number of the protocol using the socket.

Inpcb flags

Flags in the Internet PCB:

·     INP_RECVOPTS—Receives IP options.

·     INP_RECVRETOPTS—Receives replied IP options.

·     INP_RECVDSTADDR—Receives destination IP address.

·     INP_HDRINCL—Provides the entire IP header.

·     INP_REUSEADDR—Reuses the IP address.

·     INP_REUSEPORT—Reuses the port number.

·     INP_ANONPORT—Port number not specified.

·     INP_RECVIF—Records the input interface of the packet.

·     INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag.

·     INP_DONTFRAG—Sets the Don't Fragment flag.

·     INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag.

·     INP_PROTOCOL_PACKET—Identifies a protocol packet.

·     INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag.

·     INP_RCVMACADDR—Receives the MAC address of the frame.

·     INP_SNDBYLSPV—Sends through MPLS.

·     INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag.

·     INP_SYNCPCB—Waits until Internet PCB is synchronized.

·     INP_LOCAL—Preferentially matches the INPCB with this flag on the same card.

·     N/A—None of the above flags.

Inpcb extflag

Extension flags in the Internet PCB:

·     INP_EXTRCVPVCIDX—Records the PVC index of the received packet.

·     INP_RCVPWID—Records the PW ID of the received packet.

·     INP_EXTDONTDROP—Do not drop the received packet.

·     INP_EXLISTEN—Adds the INPCB carrying this flag to the listen hash table.

·     INP_EXTFILTER—Filters the contents in the received packets.

·     INP_SELECTMATCHSRCBYFIB—Uses the FIB table to select a matching source.

·     INP_EXTRCVICMPERR—Receives an ICMP error packet.

·     INP_EXTPRIVATESOCKET—Associates the INPCB with the NSR private socket.

·     INP_EXLISTENNET—Sets this flag when the connection information is added to the network segment linked list.

·     N/A—None of the above flags.

Inpcb vflag

IP version flags in the Internet PCB:

·     INP_IPV4—IPv4 protocol.

·     INP_TIMEWAIT—In TIMEWAIT state.

·     INP_ONESBCAST—Sends broadcast packets.

·     INP_DROPPED—Protocol dropped flag.

·     INP_SOCKREF—Strong socket reference.

·     INP_DONTBLOCK—Do not block synchronization of the Internet PCB.

·     N/A—None of the above flags.

TTL

TTL value in the Internet PCB.

Send VRF

VRF from which packets are sent.

Receive VRF

VRF from which packets are received.

ip forward-broadcast

Use ip forward-broadcast to enable an interface to receive and forward directed broadcast packets destined for the directly connected network.

Use undo ip forward-broadcast to disable an interface from receiving and forwarding directed broadcast packets destined for the directly connected network.

Syntax

ip forward-broadcast

undo ip forward-broadcast

Default

An interface cannot forward directed broadcasts destined for the directly connected network, and can receive directed broadcasts destined for the directly connected network.

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

acl acl-number: Specifies an ACL by its number. The interface forwards only the directed broadcasts permitted by the ACL. The value range for basic ACLs is 2000 to 2999. The value range for advanced ACLs is 3000 to 3999.

Usage guidelines

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

Examples

ip icmp error-interval

Use ip icmp error-interval to set the interval for tokens to arrive in the bucket and the bucket size for ICMP error messages.

Use undo ip icmp error-interval to restore the default.

Syntax

ip icmp error-interval interval [ bucketsize ]

undo ip icmp error-interval

Default

A token is placed in the bucket every 100 milliseconds, and the bucket allows a maximum of 10 tokens.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

interval: Specifies the interval for tokens to arrive in the bucket. The value range is 0 to 2147483647 milliseconds. To disable the ICMP rate limit, set the value to 0.

bucketsize: Specifies the maximum number of tokens allowed in the bucket. The value range is 1 to 200.

Usage guidelines

This command limits the rate at which ICMP error messages are sent. Use this command to avoid sending excessive ICMP error messages within a short period that might cause network congestion. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.

Examples

# Set the interval to 200 milliseconds for tokens to arrive in the bucket and set the bucket size to 40 tokens for ICMP error messages.

<Sysname> system-view

[Sysname] ip icmp error-interval 200 40
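The token bucket described above can be modeled to see how many ICMP error messages a given setting lets through during a burst of error-triggering packets. The following Python sketch is an added example, not H3C code; it assumes the bucket starts full and that tokens arrive on fixed interval boundaries measured from time 0, neither of which this reference states.

```python
"""Token-bucket model of `ip icmp error-interval interval [ bucketsize ]`.

Assumptions (not stated in the command reference): the bucket starts full,
and tokens arrive on fixed boundaries measured from time 0.
"""


class IcmpErrorLimiter:
    def __init__(self, interval_ms=100, bucket_size=10):
        # Value ranges are the ones documented for the two arguments.
        if not 0 <= interval_ms <= 2147483647:
            raise ValueError("interval must be 0 to 2147483647 milliseconds")
        if not 1 <= bucket_size <= 200:
            raise ValueError("bucketsize must be 1 to 200")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size      # assumption: bucket starts full
        self.last_fill_ms = 0

    def _refill(self, now_ms):
        arrived = (now_ms - self.last_fill_ms) // self.interval_ms
        if arrived > 0:
            # Tokens beyond the bucket size are discarded.
            self.tokens = min(self.bucket_size, self.tokens + arrived)
            self.last_fill_ms += arrived * self.interval_ms

    def allow(self, now_ms):
        """Return True if an ICMP error message may be sent at now_ms."""
        if self.interval_ms == 0:      # interval 0 disables the rate limit
            return True
        self._refill(now_ms)
        if self.tokens == 0:
            return False               # bucket empty: the error is not sent
        self.tokens -= 1               # one token per ICMP error message
        return True


def simulate(limiter, trigger_times_ms):
    """Return (sent, suppressed) for packets that each trigger one error."""
    sent = sum(1 for t in trigger_times_ms if limiter.allow(t))
    return sent, len(trigger_times_ms) - sent


def max_errors_in_window(interval_ms, bucket_size, window_ms):
    """Upper bound on errors sent in window_ms: one full bucket plus refills."""
    if interval_ms == 0:
        return None                    # rate limit disabled: no bound
    return bucket_size + window_ms // interval_ms


if __name__ == "__main__":
    # Constructed load: one error-triggering packet per millisecond for 1 s.
    burst = range(1000)
    for interval, size in ((100, 10), (200, 40), (0, 10)):
        sent, suppressed = simulate(IcmpErrorLimiter(interval, size), burst)
        print(f"interval={interval} bucketsize={size}: "
              f"sent={sent} suppressed={suppressed}")
```

Under these assumptions, the bucket size bounds the initial burst and the interval bounds the sustained rate: the 200 40 setting admits a larger first burst than the defaults but refills at half the rate.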

ip icmp source

Use ip icmp source to specify the source address for outgoing ICMP packets.

Use undo ip icmp source to remove the specified source address for outgoing ICMP packets.

Syntax

ip icmp source [ vpn-instance vpn-instance-name ] ip-address

undo ip icmp source [ vpn-instance vpn-instance-name ]

Default

No source address is specified for outgoing ICMP packets. The default source IP addresses for different types of ICMP packets vary as follows:

·     For an ICMP error message, the source IP address is the IP address of the receiving interface of the packet that triggers the ICMP error message. ICMP error messages include Time Exceeded, Port Unreachable, and Parameter Problem messages.

·     For an ICMP echo request, the source IP address is the IP address of the sending interface.

·     For an ICMP echo reply, the source IP address is the destination IP address of the ICMP echo request specific to this reply.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the specified address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must exist. If you do not specify a VPN instance, the ip-address argument specifies an IP address on the public network.

ip-address: Specifies an IP address.

Usage guidelines

It is a good practice to specify the IP address of the loopback interface as the source IP address for outgoing ping echo request and ICMP error messages. This feature helps users to locate the sending device easily.

Examples

# Specify 1.1.1.1 as the source address for outgoing ICMP packets.

<Sysname> system-view

[Sysname] ip icmp source 1.1.1.1

ip mtu

Use ip mtu to set the interface MTU for IPv4 packets. The MTU defines the largest size of an IPv4 packet that an interface can transmit without fragmentation.

Use undo ip mtu to restore the default.

Syntax

ip mtu mtu-size

undo ip mtu

Default

The interface MTU is not set.

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

mtu-size: Specifies the MTU in bytes. The value range for the mtu-size argument is 128 to 9198.

Usage guidelines

When a packet exceeds the MTU of the sending interface, the device processes the packet in one of the following ways:

·     If the packet disallows fragmentation, the device discards it.

·     If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU to avoid fragmentation.

If an interface supports both the mtu and ip mtu commands, the device fragments a packet based on the MTU set by the ip mtu command.

Examples

# Set the interface MTU to 1280 bytes for GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip mtu 1280

ip reassemble local enable

Use ip reassemble local enable to enable IPv4 local fragment reassembly.

Use undo ip reassemble local enable to disable local fragment reassembly.

Syntax

ip reassemble local enable

undo ip reassemble local enable

Default

IPv4 local fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

Use this feature on a device to improve fragment reassembly efficiency. This feature enables the LPU to reassemble the IPv4 fragments of a packet if all the fragments arrive at it. If this feature is disabled, all IPv4 fragments are delivered to the active MPU for reassembly. The feature applies only to fragments received by the same LPU.

Examples

# Enable IPv4 local fragment reassembly.

<Sysname> system-view

[Sysname] ip reassemble local enable

ip redirects enable

Use ip redirects enable to enable sending ICMP redirect messages.

Use undo ip redirects enable to disable sending ICMP redirect messages.

Syntax

ip redirects enable

undo ip redirects enable

Default

Sending ICMP redirect messages is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing tables.

A host that has only one route destined for the default gateway sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop when the following conditions are met:

·     The receiving and sending interfaces are the same.

·     The packet source IP address and the IP address of the packet receiving interface are on the same segment.

·     There is no source route option in the received packet.

Examples

# Enable sending ICMP redirect messages.

<Sysname> system-view

[Sysname] ip redirects enable

ip ttl-expires enable

Use ip ttl-expires enable to enable sending ICMP time exceeded messages.

Use undo ip ttl-expires enable to disable sending ICMP time exceeded messages.

Syntax

ip ttl-expires enable

undo ip ttl-expires enable

Default

Sending ICMP time exceeded messages is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

A device sends ICMP time exceeded messages by following these rules:

·     The device sends an ICMP TTL exceeded in transit message to the source when the following conditions are met:

¡     The received packet is not destined for the device.

¡     The TTL field of the packet is 1.

·     When the device receives the first fragment of an IP datagram destined for the device itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

A device disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages but can still send ICMP fragment reassembly time exceeded messages.

Examples

# Enable sending ICMP time exceeded messages.

<Sysname> system-view

[Sysname] ip ttl-expires enable

ip unreachables enable

Use ip unreachables enable to enable sending ICMP destination unreachable messages.

Use undo ip unreachables enable to disable sending ICMP destination unreachable messages.

Syntax

ip unreachables enable

undo ip unreachables enable

Default

Sending ICMP destination unreachable messages is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

A device sends ICMP destination unreachable messages by following these rules:

·     The device sends the source an ICMP network unreachable message when the following conditions are met:

¡     The received packet does not match any route.

¡     No default route exists in the routing table.

·     The device sends the source an ICMP protocol unreachable message when the following conditions are met:

¡     The received packet is destined for the device.

¡     The transport layer protocol of the packet is not supported by the device.

·     The device sends the source an ICMP port unreachable message when the following conditions are met:

¡     The received UDP packet is destined for the device.

¡     The packet's port number does not match the running process.

·     The device sends the source an ICMP source route failed message when the following conditions are met:

¡     The source uses Strict Source Routing to send packets.

¡     The intermediate device finds that the next hop specified by the source is not directly connected.

·     The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:

¡     The MTU of the sending interface is smaller than the packet.

¡     The packet has Don't Fragment set.

Examples

# Enable sending ICMP destination unreachable messages.

<Sysname> system-view

[Sysname] ip unreachables enable

ip virtual-reassembly centralize

Use ip virtual-reassembly centralize to enable fragment centralization for IPv4 VFR.

Use undo ip virtual-reassembly centralize to disable fragment centralization for IPv4 VFR.

Syntax

ip virtual-reassembly centralize

undo ip virtual-reassembly centralize

Default

Fragment centralization is disabled for IPv4 VFR.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

On an HA network, if an HA device enabled with IPv4 VFR does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. To resolve this issue, you can enable this feature. Devices that do not receive the first fragment of a datagram forward the received fragments of this datagram to the device that receives the first fragment for VFR.

This feature is applicable to devices enabled with IPv4 VFR on an HA network.

For more information about HA networking, see high availability configuration in High Availability Configuration Guide.

Examples

# Enable fragment centralization for IPv4 VFR.

<Sysname> system-view

[Sysname] ip virtual-reassembly centralize

Related commands

undo ip virtual-reassembly suppress

ip virtual-reassembly enable

Use ip virtual-reassembly enable to enable IPv4 virtual fragment reassembly (VFR).

Use undo ip virtual-reassembly enable to disable IPv4 virtual fragment reassembly.

Syntax

ip virtual-reassembly enable

undo ip virtual-reassembly enable

Default

IPv4 virtual fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

To prevent each service module from processing packet fragments that do not arrive in order, you can enable the virtual fragment reassembly feature. This feature virtually reassembles the fragments of a datagram through fragment check, sequencing, and caching, ensuring fragments arrive at each service module in order.

VFR can detect and prevent the following types of attacks:

·     Tiny fragment attack—The first fragment size is too small to hold the Layer 4 (such as TCP and UDP) header field, which is forced into the second fragment. VFR discards all tiny fragments.

·     Overlapping fragment attack—Two consecutive incoming fragments are identical or overlap with each other. If an overlapping fragment is detected, VFR discards all fragments within a fragment chain.

·     Fragment flooding attack—The maximum number of concurrent preassemblies or the number of fragments per datagram exceeds the upper limits. VFR discards subsequent fragments if the upper limit is reached.

VFR can be enabled from the CLI or by enabling a service module that can call VFR. VFR is enabled in either of the following conditions:

·     A service module that can call it is enabled.

·     The ip virtual-reassembly enable command is executed.

If fragment reassembly is required, but a service module cannot call it, execute this command at CLI.

Examples

# Enable IPv4 virtual fragment reassembly.

<Sysname> system-view

[Sysname] ip virtual-reassembly enable
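The three checks listed above (tiny, overlapping, and flooding fragments) can be expressed as a small fragment-chain checker. This Python sketch is an added example, not H3C's VFR implementation; the limits `max_chains` and `max_frags_per_chain`, the verdict strings, and the constructed sample fragments are assumptions, since this reference gives no numeric limits.

```python
"""Model of the VFR checks: tiny, overlapping, and flooding fragments."""
from dataclasses import dataclass

# Minimum Layer 4 header sizes in bytes, keyed by IP protocol number.
L4_MIN_HEADER = {6: 20, 17: 8}   # TCP, UDP


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int
    offset: int    # payload offset in bytes (the wire field counts 8-byte units)
    length: int    # payload bytes carried by this fragment
    more: bool     # MF (More Fragments) flag

    @property
    def key(self):
        return (self.src, self.dst, self.proto, self.ip_id)


class VfrChecker:
    def __init__(self, max_chains=2, max_frags_per_chain=4):
        # Hypothetical limits, kept small so the demo can reach them.
        self.max_chains = max_chains
        self.max_frags = max_frags_per_chain
        self.chains = {}        # datagram key -> cached fragments
        self.poisoned = set()   # chains discarded after an overlap (no timers here)

    def receive(self, frag):
        """Return (verdict, released); released is the ordered chain when complete."""
        key = frag.key
        if key in self.poisoned:
            return "drop-overlap-chain", []
        # Tiny fragment: the first fragment cannot hold the Layer 4 header.
        if frag.offset == 0 and frag.more and frag.length < L4_MIN_HEADER.get(frag.proto, 0):
            return "drop-tiny", []
        chain = self.chains.get(key)
        if chain is None:
            if len(self.chains) >= self.max_chains:
                return "drop-flood-chains", []      # too many concurrent reassemblies
            chain = self.chains[key] = []
        elif len(chain) >= self.max_frags:
            return "drop-flood-frags", []           # too many fragments per datagram
        # Overlap (identical fragments included): discard the whole chain.
        # Modelling choice: compare against every cached fragment of the chain.
        end = frag.offset + frag.length
        if any(frag.offset < f.offset + f.length and f.offset < end for f in chain):
            del self.chains[key]
            self.poisoned.add(key)
            return "drop-overlap-chain", []
        chain.append(frag)
        ordered = sorted(chain, key=lambda f: f.offset)
        if self._complete(ordered):
            del self.chains[key]
            return "release", ordered               # handed on in offset order
        return "cache", []

    @staticmethod
    def _complete(ordered):
        if ordered[-1].more or not all(f.more for f in ordered[:-1]):
            return False
        expected = 0
        for f in ordered:
            if f.offset != expected:
                return False                        # hole in the datagram
            expected += f.length
        return True


def run_demo():
    """Feed constructed fragments (documentation addresses) and collect verdicts."""
    a, b = "192.0.2.10", "198.51.100.20"
    traffic = [
        Fragment(a, b, 17, 1, 1480, 520, False),   # normal datagram, arrives out of order
        Fragment(a, b, 17, 1, 0, 1480, True),
        Fragment(a, b, 6, 2, 0, 8, True),          # tiny first fragment (TCP needs 20)
        Fragment(a, b, 17, 3, 0, 1480, True),      # overlap: next one starts at 1472
        Fragment(a, b, 17, 3, 1472, 520, False),
        Fragment(a, b, 17, 3, 1480, 512, False),   # same chain, already discarded
    ]
    traffic += [Fragment(a, b, 17, 4, off, 8, True) for off in range(0, 40, 8)]  # 5 frags
    traffic += [Fragment(a, b, 17, 5, 0, 8, True), Fragment(a, b, 17, 6, 0, 8, True)]
    checker = VfrChecker()
    return [checker.receive(f) for f in traffic]


if __name__ == "__main__":
    for verdict, released in run_demo():
        print(verdict, [f.offset for f in released])
```

The model has no reassembly timers, so incomplete chains and the record of discarded chains are never aged out as they would be on a real device.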

ip virtual-reassembly suppress

Use ip virtual-reassembly suppress to disable IPv4 VFR.

Use undo ip virtual-reassembly suppress to enable IPv4 VFR.

Syntax

ip virtual-reassembly suppress

undo ip virtual-reassembly suppress

Default

IPv4 VFR is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

IMPORTANT:

Use this feature according to the demands of VFR.

IPv4 VFR checks, sequences, and caches fragments upon fragment receiving to ensure that these fragments will be assembled in the correct order. By default, IPv4 VFR is enabled.

On an HA network, if an HA device does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. For the devices to permit the received fragments to pass, you can disable IPv4 VFR.

With IPv4 VFR disabled, ASPF and connection limit do not take effect on the received IPv4 fragments and the fragments will be forwarded directly.

For more information about HA networking, see high availability configuration in High Availability Configuration Guide.

Examples

# Disable IPv4 VFR.

<Sysname> system-view

[Sysname] ip virtual-reassembly suppress

ipv6 virtual-reassembly centralize

Use ipv6 virtual-reassembly centralize to enable fragment centralization for IPv6 VFR.

Use undo ipv6 virtual-reassembly centralize to disable fragment centralization for IPv6 VFR.

Syntax

ipv6 virtual-reassembly centralize

undo ipv6 virtual-reassembly centralize

Default

Fragment centralization is disabled for IPv6 VFR.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

On an HA network, if an HA device enabled with IPv6 VFR does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard all the received fragments. To resolve this issue, you can enable this feature. Devices that do not receive the first fragment of a datagram forward the received fragments of this datagram to the device that receives the first fragment for VFR.

This feature is applicable to devices enabled with IPv6 VFR on an HA network.

For more information about HA networking, see high availability configuration in High Availability Configuration Guide.

Examples

# Enable fragment centralization for IPv6 VFR.

<Sysname> system-view

[Sysname] ipv6 virtual-reassembly centralize

Related commands

undo ipv6 virtual-reassembly suppress

ipv6 virtual-reassembly suppress

Use ipv6 virtual-reassembly suppress to disable IPv6 VFR.

Use undo ipv6 virtual-reassembly suppress to enable IPv6 VFR.

Syntax

ipv6 virtual-reassembly suppress

undo ipv6 virtual-reassembly suppress

Default

IPv6 VFR is enabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

IMPORTANT:

Use this feature according to the demands of VFR.

IPv6 VFR checks, sequences, and caches fragments as they are received to ensure that these fragments will be assembled in the correct order. By default, IPv6 VFR is enabled.

In an HA network, if an HA device does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. For the devices to permit the received fragments to pass, you can disable IPv6 VFR.

With IPv6 VFR disabled, ASPF and connection limit do not take effect on the received IPv6 fragments and the fragments will be forwarded directly.

For more information about HA networking, see high availability configuration in High Availability Configuration Guide.

Examples

# Disable IPv6 VFR.

<Sysname> system-view

[Sysname] ipv6 virtual-reassembly suppress
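The check, sequence, and cache behavior described for IPv4 and IPv6 VFR above, as an added Python sketch that is not H3C code. The Fragment layout, the specific consistency checks, and the cache bound are assumptions for illustration. It also shows why a device that sees only part of a datagram never releases its fragments.

```python
from collections import namedtuple

# key = (src, dst, protocol, identification); offset in bytes; more = More Fragments flag
Fragment = namedtuple("Fragment", "key offset payload more")


class VirtualReassembler:
    """Caches fragments per datagram; releases them in offset order once the set is complete."""

    def __init__(self, max_datagrams=1024):
        self.max_datagrams = max_datagrams   # assumed bound so the cache cannot grow without limit
        self.cache = {}                      # key -> {"frags": {offset: Fragment}, "total": int or None}

    def receive(self, frag):
        """Return the ordered fragments when complete, [] while waiting, None if dropped."""
        entry = self.cache.get(frag.key)
        if entry is None:
            if len(self.cache) >= self.max_datagrams:
                return None                  # cache full: refuse to track a new datagram
            entry = self.cache[frag.key] = {"frags": {}, "total": None}
        if not self._consistent(entry, frag):
            del self.cache[frag.key]         # one bad fragment discards the whole datagram
            return None
        entry["frags"][frag.offset] = frag
        if not frag.more:
            entry["total"] = frag.offset + len(frag.payload)
        pos = 0
        for off in sorted(entry["frags"]):   # sequence: walk in offset order, looking for holes
            if off != pos:
                return []
            pos = off + len(entry["frags"][off].payload)
        if pos != entry["total"]:
            return []                        # last fragment not seen yet
        del self.cache[frag.key]
        return [entry["frags"][off] for off in sorted(entry["frags"])]

    @staticmethod
    def _consistent(entry, frag):
        """Checks: 8-byte alignment, size limit, a single last fragment, nothing past it, no overlap."""
        start, end = frag.offset, frag.offset + len(frag.payload)
        spans = [(o, o + len(f.payload)) for o, f in entry["frags"].items()]
        if not frag.payload or start % 8 or (frag.more and end % 8) or end > 65535:
            return False
        if entry["total"] is not None and (not frag.more or end > entry["total"]):
            return False
        if not frag.more and any(e > end for _, e in spans):
            return False
        return not any(s < end and start < e for s, e in spans)
```

Only a released, ordered fragment list can be inspected with the first fragment's Layer 4 header as context, which is why features such as ASPF and connection limit stop applying to fragments once VFR is disabled.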

reset ip statistics

Use reset ip statistics to clear IP traffic statistics.

Syntax

In standalone mode:

reset ip statistics [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

reset ip statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

User view

Predefined user roles

network-admin

context-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears IP traffic statistics for all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears IP traffic statistics for all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Use this command to clear historical IP traffic statistics before you collect IP traffic statistics for a time period.

Examples

# Clear IP traffic statistics.

<Sysname> reset ip statistics

Related commands

display ip interface

display ip statistics

reset tcp statistics

Use reset tcp statistics to clear TCP traffic statistics.

Syntax

reset tcp statistics

Views

User view

Predefined user roles

network-admin

context-admin

Examples

# Clear TCP traffic statistics.

<Sysname> reset tcp statistics

Related commands

display tcp statistics

reset udp statistics

Use reset udp statistics to clear UDP traffic statistics.

Syntax

reset udp statistics

Views

User view

Predefined user roles

network-admin

context-admin

Examples

# Clear UDP traffic statistics.

<Sysname> reset udp statistics

Related commands

display udp statistics

statistics l3-packet enable

Use statistics l3-packet enable to enable Layer 3 packet statistics collection.

Use undo statistics l3-packet enable to disable Layer 3 packet statistics collection.

Syntax

statistics l3-packet enable [ inbound | outbound ]

undo statistics l3-packet enable [ inbound | outbound ]

Default

Layer 3 packet statistics collection is disabled.

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

inbound: Enables statistics collection for incoming Layer 3 packets.

outbound: Enables statistics collection for outgoing Layer 3 packets.

Usage guidelines

With this feature enabled on an interface, the device counts incoming and outgoing IP packets on the interface. To display the collected statistics, use the display ip interface command. To display the receiving and sending rates of IP packets on the interface, use the display interface command.

When the interface is processing a large number of packets, enabling this feature will cause high CPU usage and degrade the forwarding performance. If the statistics are not necessary, disable this feature to ensure the device performance.

To enable or disable statistics collection for both incoming and outgoing Layer 3 packets, do not specify the inbound or outbound keyword.

Examples

# Enable Layer 3 packet statistics collection for both incoming and outgoing Layer 3 packets on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] statistics l3-packet enable

Related commands

display interface (Interface Command Reference)

display ip interface

tcp default-mss

Use tcp default-mss to set the default TCP maximum segment size (MSS).

Use undo tcp default-mss to restore the default.

Syntax

tcp default-mss mss-value

undo tcp default-mss

Default

The default TCP MSS is 512 bytes.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

mss-value: Sets the default TCP MSS, in bytes. The value range for this argument is 536 to 1460.

Usage guidelines

After a TCP connection is established, the device segments TCP packets based on the TCP MSS before sending them out. Typically, the TCP MSS equals the MTU value on the outgoing interface for the packet minus 40. If the outgoing interface and the connection initiator reside on different cards or member devices, the initiator cannot obtain the MTU of the outgoing interface. In this situation, the initiator will use the default TCP MSS for segmentation.

Increase the default TCP MSS to a higher value as needed to avoid the following issues:

·     Degraded TCP performance that occurs when the device breaks up a TCP packet into too many segments.

·     The TCP SYN packet replied from the connection responder has a TCP checksum error.

Examples

# Set the default TCP MSS to 998.

<Sysname> system-view

[Sysname] tcp default-mss 998

tcp mss

Use tcp mss to set the TCP MSS on an interface.

Use undo tcp mss to restore the default.

Syntax

tcp mss value

undo tcp mss

Default

The TCP MSS is not set.

Views

Interface view

Predefined user roles

network-admin

context-admin

Parameters

value: Specifies the TCP MSS, in bytes. The minimum value is 128 bytes. The maximum value equals the maximum MTU that the interface supports minus 40.

Usage guidelines

The MSS option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, TCP fragments the segment according to the receiver's MSS.

If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

This configuration takes effect only on TCP connections that are established after the configuration and not on the TCP connections that already exist.

This configuration is effective only on IP packets. If MPLS is enabled on the interface, do not set the TCP MSS on the interface.

Examples

# Set the TCP MSS to 300 bytes on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] tcp mss 300

tcp path-mtu-discovery

Use tcp path-mtu-discovery to enable TCP path MTU discovery.

Use undo tcp path-mtu-discovery to disable TCP path MTU discovery.

Syntax

tcp path-mtu-discovery [ aging age-time | no-aging ]

undo tcp path-mtu-discovery

Default

TCP path MTU discovery is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

aging age-time: Specifies the aging time for the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes.

no-aging: Does not age out the path MTU.

Usage guidelines

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

After you disable TCP path MTU discovery, the system stops all path MTU timers. The TCP connections established later do not detect the path MTU, but the TCP connections previously established still can detect the path MTU.

Examples

# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.

<Sysname> system-view

[Sysname] tcp path-mtu-discovery aging 20

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.

Use undo tcp syn-cookie enable to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

1.     The sender sends a SYN packet to the server.

2.     The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3.     The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.

The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the sender.

Examples

# Enable SYN Cookie.

<Sysname> system-view

[Sysname] tcp syn-cookie enable
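How a server can answer a SYN without keeping a semi-connection and still validate the final ACK, as an added Python sketch that is not H3C's implementation. The cookie bit layout, key, MSS table, and time-slot length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"       # constructed; a real stack uses a random, rotated key
MSS_TABLE = (536, 1220, 1440, 1460)    # assumed table, indexed by 2 bits of the cookie
SLOT_SECONDS = 64                      # assumed length of one time slot
MAX_AGE_SLOTS = 2                      # accept cookies from the current and the previous slot


def _mac24(src, sport, dst, dport, client_isn, slot, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN, slot and MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    msg += struct.pack("!IQB", client_isn, slot, mss_idx)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_isn, client_mss, now):
    """Sequence number for the SYN ACK. The server stores nothing about the SYN."""
    slot = int(now) // SLOT_SECONDS
    # Largest table entry not above the client's MSS (index 0 if the client's is smaller).
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= client_mss], default=0)
    mac = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
    return ((slot & 0x3F) << 26) | (mss_idx << 24) | int.from_bytes(mac, "big")


def check_ack(src, sport, dst, dport, seq, ack, now):
    """Validate the handshake-completing ACK. Return the MSS to use, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF        # the ACK acknowledges cookie + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # the client's SYN consumed one sequence number
    mss_idx = (cookie >> 24) & 0x3
    current = int(now) // SLOT_SECONDS
    for slot in (current - age for age in range(MAX_AGE_SLOTS)):
        if (slot & 0x3F) != cookie >> 26:
            continue                       # cookie was not issued in this slot
        mac = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
        if hmac.compare_digest(mac, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]      # only now would connection state be created
    return None
```

Because the cookie can carry only a few bits, TCP options from the original SYN other than the coarse MSS are lost unless they are encoded elsewhere, which is the usual trade-off of this defense.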

tcp timer fin-timeout

Use tcp timer fin-timeout to set the TCP FIN wait timer.

Use undo tcp timer fin-timeout to restore the default.

Syntax

tcp timer fin-timeout time-value

undo tcp timer fin-timeout

Default

The TCP FIN wait timer is 675 seconds.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

time-value: Specifies the TCP FIN wait timer in the range of 76 to 3600 seconds.

Usage guidelines

TCP starts the FIN wait timer when the state of a TCP connection changes to FIN_WAIT_2. If no FIN packet is received within the timer interval, the TCP connection is terminated.

If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer and tears down the connection when the timer expires.

Examples

# Set the TCP FIN wait timer to 800 seconds.

<Sysname> system-view

[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Use tcp timer syn-timeout to set the TCP SYN wait timer.

Use undo tcp timer syn-timeout to restore the default.

Syntax

tcp timer syn-timeout time-value

undo tcp timer syn-timeout

Default

The TCP SYN wait timer is 75 seconds.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

time-value: Specifies the TCP SYN wait timer in the range of 2 to 600 seconds.

Usage guidelines

TCP starts the SYN wait timer after sending a SYN packet. If no response is received before the SYN wait timer expires, or if the upper limit on TCP connection tries is reached, TCP fails to establish the connection.

Examples

# Set the TCP SYN wait timer to 80 seconds.

<Sysname> system-view

[Sysname] tcp timer syn-timeout 80

tcp timestamps enable

Use tcp timestamps enable to enable carrying the TCP timestamp option in outgoing TCP packets.

Use undo tcp timestamps enable to disable carrying the TCP timestamp option in outgoing TCP packets.

Syntax

tcp timestamps enable

undo tcp timestamps enable

Default

The device adds the TCP timestamp option in outgoing TCP packets.

Views

System view

Predefined user roles

network-admin

context-admin

Usage guidelines

The TCP timestamp option in TCP packets is used to calculate the RTT between two communicating devices. Some networks require that intermediate devices be prevented from obtaining the TCP timestamps in packets passing through. In such networks, you can disable carrying the TCP timestamp option in outgoing packets on a device at either end.

This command takes effect only on TCP connections established after the command is executed.

Examples

# Disable carrying the TCP timestamp option in outgoing TCP packets.

<Sysname> system-view

[Sysname] undo tcp timestamps enable

tcp window

Use tcp window to set the size of the TCP receive/send buffer.

Use undo tcp window to restore the default.

Syntax

tcp window window-size

undo tcp window

Default

The size of the TCP receive/send buffer is 63 KB.

Views

System view

Predefined user roles

network-admin

context-admin

Parameters

window-size: Specifies the size of the TCP receive/send buffer, in the range of 1 to 64 KB.

Examples

# Set the size of the TCP receive/send buffer to 3 KB.

<Sysname> system-view

[Sysname] tcp window 3
