Layer 3—IP Services Configuration Guide
12-IP performance optimization configuration
Contents
IP performance optimization tasks at a glance
About forwarding broadcasts destined for the directly connected network
Setting the interface MTU for IPv4 packets
Enabling Layer 3 packet statistics collection
Enabling IPv4 local fragment reassembly
Enabling IPv4 virtual fragment reassembly
Enabling fragment centralization for IPv4 VFR
Enabling fragment centralization for IPv6 VFR
Configuring the DF bit for IP packets
Enabling sending ICMP error messages
About sending ICMP error messages
Enabling sending ICMP redirect messages
Enabling sending ICMP time exceeded messages
Enabling sending ICMP destination unreachable messages
Configuring rate limit for ICMP error messages
Specifying the source address for ICMP packets
Disabling sending a specific type of ICMP messages
Disabling receiving a specific type of ICMP messages
Setting TCP MSS for an interface
Configuring TCP MSS automatic adjustment
Configuring TCP path MTU discovery
Enabling carrying the TCP timestamp option in outgoing TCP packets
Configuring TCP congestion control algorithm for TCP proxy
Configuring TCP connection attack prevention
Display and maintenance commands for IP performance optimization
Optimizing IP performance
IP performance optimization tasks at a glance
All IP performance optimization tasks are optional.
1. Configuring features for IP packets
◦ Setting the interface MTU for IPv4 packets
◦ Enabling Layer 3 packet statistics collection
◦ Enabling IPv4 local fragment reassembly
This feature is applicable in IRF networks.
◦ Enabling IPv4 virtual fragment reassembly
◦ Enabling fragment centralization for IPv4 VFR
◦ Enabling fragment centralization for IPv6 VFR
◦ Configuring the DF bit for IP packets
2. Configuring features for ICMP messages
◦ Enabling sending ICMP error messages
◦ Configuring rate limit for ICMP error messages
◦ Specifying the source address for ICMP packets
◦ Disabling sending a specific type of ICMP messages
◦ Disabling receiving a specific type of ICMP messages
3. Configuring features for TCP packets
◦ Setting TCP MSS for an interface
◦ Configuring TCP MSS automatic adjustment
◦ Configuring TCP path MTU discovery
◦ Enabling carrying the TCP timestamp option in outgoing TCP packets
◦ Configuring TCP congestion control algorithm for TCP proxy
◦ Configuring TCP connection attack prevention
Enabling an interface to receive and forward directed broadcasts destined for the directly connected network
About forwarding broadcasts destined for the directly connected network
A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
If an interface is allowed to receive and forward directed broadcasts destined for the directly connected network, attackers can exploit this behavior to attack the hosts on the target network. In some scenarios, however, an interface must receive and send such directed broadcast packets to support the following features:
· UDP helper—Converts the directed broadcasts to unicasts and forwards them to a specific server.
· Wake on LAN—Sends the directed broadcasts to wake up the hosts on the target network.
You can configure this function to enable the interface to receive and forward directed broadcast packets that are destined for the directly connected network.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the interface to receive and forward directed broadcasts destined for the directly connected network.
ip forward-broadcast
By default, an interface cannot forward directed broadcasts destined for the directly connected network. The interface can receive directed broadcasts destined for the directly connected network.
Example: Enabling an interface to forward directed broadcasts destined for the directly connected network
Network configuration
As shown in Figure 1, the default gateway of the host is the IP address 1.1.1.2/24 of GigabitEthernet 1/0/1 of Router A. Configure a static route destined for the host on Router B. Router B can receive directed broadcasts from the host to IP address 2.2.2.255.
Procedure
1. Configure Router A:
# Specify IP addresses for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 1.1.1.2 24
[RouterA-GigabitEthernet1/0/1] quit
[RouterA] interface gigabitethernet 1/0/2
[RouterA-GigabitEthernet1/0/2] ip address 2.2.2.2 24
# Enable GigabitEthernet 1/0/2 to forward directed broadcasts destined for the directly connected network.
[RouterA-GigabitEthernet1/0/2] ip forward-broadcast
2. Configure Router B:
# Configure a static route to the host.
<RouterB> system-view
[RouterB] ip route-static 1.1.1.1 24 2.2.2.2
# Specify an IP address for GigabitEthernet 1/0/2.
[RouterB] interface gigabitethernet 1/0/2
[RouterB-GigabitEthernet1/0/2] ip address 2.2.2.1 24
# Enable GigabitEthernet 1/0/2 to receive directed broadcasts destined for the directly connected network.
[RouterB-GigabitEthernet1/0/2] ip forward-broadcast
Verifying the configuration
After the configurations are completed, if you ping the subnet-directed broadcast address 2.2.2.255 on the host, GigabitEthernet 1/0/2 of Router B can receive the ping packets. If you delete the ip forward-broadcast configuration on any router, GigabitEthernet 1/0/2 of Router B cannot receive the ping packets.
Setting the interface MTU for IPv4 packets
About this task
The interface MTU for IPv4 packets defines the largest size of an IPv4 packet that an interface can transmit without fragmentation. When a packet exceeds the MTU of the sending interface, the device processes the packet in one of the following ways:
· If the packet disallows fragmentation, the device discards it.
· If the packet allows fragmentation, the device fragments it and forwards the fragments.
Fragmentation and reassembly consume system resources, so set the MTU based on the network environment to avoid fragmentation.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the interface MTU for IPv4 packets.
ip mtu mtu-size
By default, the interface MTU is not set.
Enabling Layer 3 packet statistics collection
About this task
With this feature enabled on an interface, the device counts incoming and outgoing IP packets on the interface. To display the collected statistics, execute the display ip statistics command. To display the receiving and sending rates of IP packets on the interface, execute the display interface command.
Restrictions and guidelines
When the interface is processing a large number of packets, Layer 3 packet statistics collection will cause high CPU usage and degrade the forwarding performance. If the statistics are not necessary, disable this feature to ensure the device performance.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable Layer 3 packet statistics collection.
statistics l3-packet enable [ inbound | outbound ]
By default, Layer 3 packet statistics collection is disabled.
Enabling IPv4 local fragment reassembly
About this task
Use this feature on a multichassis IRF fabric to improve fragment reassembly efficiency. This feature enables a subordinate to reassemble the IPv4 fragments of a packet if all the fragments arrive at it. If this feature is disabled, all IPv4 fragments are delivered to the master device for reassembly. The feature applies only to fragments destined for the same subordinate.
Hardware and feature compatibility
The following compatibility matrixes show the support of hardware platforms for this feature:
Hardware | Feature compatibility
---|---
MSR610 | Yes
MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI | Yes
MSR810-LMS, MSR810-LUS | Yes
MSR810-SI, MSR810-LM-SI | Yes
MSR810-LMS-EA, MSR810-LME | Yes
MSR1004S-5G, MSR1004S-5G-CN | Yes
MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN | No
MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T | Yes
MSR2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28, MSR3600-51 | Yes
MSR3600-28-SI, MSR3600-51-SI | Yes
MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP | Yes
MSR3600-28-G-DP, MSR3600-51-G-DP | Yes
MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG | Yes
MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1 | Yes
MSR3610, MSR3620, MSR3620-DP, MSR3640, MSR3660 | Yes
MSR3610-G, MSR3620-G | Yes
MSR3640-G | Yes
MSR3640-X1-HI | Yes

Hardware | Feature compatibility
---|---
MSR810-W-WiNet, MSR810-LM-WiNet | Yes
MSR830-4LM-WiNet | Yes
MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet | Yes
MSR830-6BHI-WiNet, MSR830-10BHI-WiNet | Yes
MSR2600-6-WiNet | Yes
MSR2600-10-X1-WiNet | Yes
MSR2630-WiNet | Yes
MSR3600-28-WiNet | Yes
MSR3610-X1-WiNet | Yes
MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet | Yes

Hardware | Feature compatibility
---|---
MSR860-6EI-XS | Yes
MSR860-6HI-XS | Yes
MSR2630-XS | Yes
MSR3600-28-XS | Yes
MSR3610-XS | Yes
MSR3620-XS | Yes
MSR3610-I-XS | Yes
MSR3610-IE-XS | Yes
MSR3620-X1-XS | Yes
MSR3640-XS | Yes
MSR3660-XS | Yes

Hardware | Feature compatibility
---|---
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR1004S-5G-GL | Yes
MSR2600-6-X1-GL |
MSR3600-28-SI-GL | Yes
Procedure
1. Enter system view.
system-view
2. Enable IPv4 local fragment reassembly.
ip reassemble local enable
By default, IPv4 local fragment reassembly is disabled.
Enabling IPv4 virtual fragment reassembly
About this task
To prevent each service module from processing packet fragments that do not arrive in order, you can enable the virtual fragment reassembly (VFR) feature. This feature virtually reassembles the fragments of a datagram through fragment check, sequencing, and caching, ensuring fragments arrive at each service module in order.
VFR can detect and prevent the following types of attacks:
· Tiny fragment attack—The first fragment size is too small to hold the Layer 4 (such as TCP and UDP) header field, which is forced into the second fragment. VFR discards all tiny fragments.
· Overlapping fragment attack—Two consecutive incoming fragments are identical or overlap with each other. If an overlapping fragment is detected, VFR discards all fragments within a fragment chain.
· Fragment flooding attack—The maximum number of concurrent reassemblies or the number of fragments per datagram exceeds the upper limits. VFR discards subsequent fragments if the upper limit is reached.
Restrictions and guidelines
VFR can be enabled either from the CLI or by a service module that calls VFR. VFR is enabled when either of the following conditions is met:
· A service module that can call it is enabled.
· The ip virtual-reassembly enable command is executed.
If fragment reassembly is required but no service module can call it, execute this command at the CLI.
The ip virtual-reassembly suppress command can forcibly disable VFR regardless of the method that you used to enable VFR.
Procedure
1. Enter system view.
system-view
2. Enable IPv4 virtual fragment reassembly.
ip virtual-reassembly enable
By default, IPv4 virtual fragment reassembly is disabled.
Enabling fragment centralization for IPv4 VFR
About this task
On an HA network, if an HA device enabled with IPv4 VFR does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. To resolve this issue, you can enable this feature. Devices that do not receive the first fragment of a datagram forward the received fragments of this datagram to the device that receives the first fragment for VFR.
Restrictions and guidelines
This feature is applicable to devices enabled with IPv4 VFR on an HA network.
For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable fragment centralization for IPv4 VFR.
ip virtual-reassembly centralize
By default, fragment centralization is disabled for IPv4 VFR.
Forcibly disabling IPv4 VFR
About this task
IPv4 VFR checks, sequences, and caches fragments as they are received to ensure that these fragments are reassembled in the correct order.
On an HA network, if an HA device does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. For the devices to permit the received fragments to pass, you can forcibly disable IPv4 VFR.
After you enable VFR through service calling or CLI, you can use the ip virtual-reassembly suppress command to forcibly disable VFR.
With IPv4 VFR forcibly disabled, ASPF and connection limit do not take effect on the received IPv4 fragments and the fragments will be forwarded directly.
Restrictions and guidelines
Use this feature only when VFR processing of fragments is not required in your network.
For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Forcibly disable IPv4 VFR.
ip virtual-reassembly suppress
By default, IPv4 VFR is not forcibly disabled.
Enabling fragment centralization for IPv6 VFR
About this task
On an HA network, if an HA device enabled with IPv6 VFR does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard all the received fragments. To resolve this issue, you can enable this feature. Devices that do not receive the first fragment of a datagram forward the received fragments of this datagram to the device that receives the first fragment for VFR.
Restrictions and guidelines
This feature is applicable to devices enabled with IPv6 VFR on an HA network.
For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable fragment centralization for IPv6 VFR.
ipv6 virtual-reassembly centralize
By default, fragment centralization is disabled for IPv6 VFR.
Forcibly disabling IPv6 VFR
About this task
IPv6 VFR checks, sequences, and caches fragments as they are received to ensure that these fragments are reassembled in the correct order.
On an HA network, if an HA device does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. For the devices to permit the received fragments to pass, you can forcibly disable IPv6 VFR.
With IPv6 VFR forcibly disabled, ASPF and connection limit do not take effect on the received IPv6 fragments and the fragments will be forwarded directly.
Restrictions and guidelines
Use this feature only when VFR processing of fragments is not required in your network.
For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Forcibly disable IPv6 VFR.
ipv6 virtual-reassembly suppress
By default, IPv6 VFR is not forcibly disabled.
Configuring the DF bit for IP packets
About this task
This task configures the Don't Fragment (DF) bit for the IP packets to be forwarded:
· set—Sets the DF bit in the IP packets to 1 to prevent the devices on the path from fragmenting the IP packets. If the path MTU is less than the size of the IP packets and the DF bit is set, communication is interrupted: the devices on the path drop the IP packets and reply with ICMP error messages to the IP packet sender.
· clear—Sets the DF bit in the IP packets to 0. The devices can fragment the IP packets before forwarding them.
This feature does not apply to IP packets generated by the local device.
Procedure
1. Enter system view.
system-view
2. Configure the DF bit for IP packets.
ip df-bit { clear | set }
By default, the DF bit value of IP packets is retained as it is.
Enabling sending ICMP error messages
About sending ICMP error messages
ICMP messages are used by network layer and transport layer protocols to communicate updates and errors with other devices, facilitating network management.
Sending excessive ICMP messages increases network traffic. The device performance degrades if it receives a lot of malicious ICMP messages that cause it to respond with ICMP error messages. To prevent such problems, the sending of ICMP error messages is disabled by default. You can enable sending ICMP error messages of different types as needed.
ICMP error messages include redirect messages, time exceeded messages, and destination unreachable messages.
Enabling sending ICMP redirect messages
About this task
A host that has only one default route sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop when the following conditions are met:
· The receiving and sending interfaces are the same.
· The packet source IP address and the IP address of the packet receiving interface are on the same segment.
· There is no source route option in the received packet.
ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing table.
Procedure
1. Enter system view.
system-view
2. Enable sending ICMP redirect messages.
ip redirects enable
By default, the sending of ICMP redirect messages is disabled.
Enabling sending ICMP time exceeded messages
About this task
A device sends ICMP time exceeded messages by following these rules:
· The device sends the source an ICMP TTL exceeded in transit message when the following conditions are met:
◦ The received packet is not destined for the device.
◦ The TTL field of the packet is 1.
· When the device receives the first fragment of an IP datagram destined for it, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.
Restrictions and guidelines
If the ICMP time exceeded message sending is disabled, the device does not send ICMP TTL exceeded in transit messages. However, it can still send ICMP fragment reassembly time exceeded messages.
Procedure
1. Enter system view.
system-view
2. Enable sending ICMP time exceeded messages.
ip ttl-expires enable
By default, the sending of ICMP time exceeded messages is disabled.
Enabling sending ICMP destination unreachable messages
About this task
A device sends ICMP destination unreachable messages by following these rules:
· The device sends the source an ICMP network unreachable message when the following conditions are met:
◦ The packet does not match any route.
◦ No default route exists in the routing table.
· The device sends the source an ICMP protocol unreachable message when the following conditions are met:
◦ The packet is destined for the device.
◦ The transport layer protocol of the packet is not supported by the device.
· The device sends the source an ICMP port unreachable message when the following conditions are met:
◦ The UDP packet is destined for the device.
◦ The packet's port number does not match the corresponding process.
· The device sends the source an ICMP source route failed message when the following conditions are met:
◦ The source uses Strict Source Routing to send packets.
◦ The intermediate device finds that the next hop specified by the source is not directly connected.
· The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:
◦ The MTU of the sending interface is smaller than the packet.
◦ The packet has DF set.
Restrictions and guidelines
If a DHCP-enabled device receives an ICMP echo reply without sending any ICMP echo requests, the device does not send any ICMP protocol unreachable messages to the source. To enable DHCP, use the dhcp enable command. For more information about this command, see Layer 3—IP Services Command Reference.
Procedure
1. Enter system view.
system-view
2. Enable sending ICMP destination unreachable messages.
ip unreachables enable
By default, the sending of ICMP destination unreachable messages is disabled.
Configuring rate limit for ICMP error messages
About this task
To avoid sending excessive ICMP error messages within a short period that might cause network congestion, you can limit the rate at which ICMP error messages are sent. A token bucket algorithm is used with one token representing one ICMP error message.
A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.
A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.
Procedure
1. Enter system view.
system-view
2. Set the interval for tokens to arrive in the bucket and the bucket size for ICMP error messages.
ip icmp error-interval interval [ bucketsize ]
By default, a token is placed in the bucket at intervals of 100 milliseconds and the bucket allows a maximum of 10 tokens.
To disable the ICMP rate limit, set the interval to 0 milliseconds.
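The token-bucket behaviour described above, as an added example that is not code from the configuration guide: it models ip icmp error-interval in pure Python so the effect of the defaults (one token per 100 milliseconds, 10 tokens) and of interval 0 can be checked offline. The trigger timestamps are constructed sample data.

```python
"""Token-bucket model of the ICMP error-message rate limit.

Added example, not code from the configuration guide. One token represents
one ICMP error message; interval 0 disables the limit, as the guide states.
"""
from dataclasses import dataclass, field


@dataclass
class IcmpErrorRateLimiter:
    """interval_ms: milliseconds between token arrivals (0 = no limit).
    bucket_size: maximum number of tokens the bucket can hold."""
    interval_ms: int = 100
    bucket_size: int = 10
    tokens: int = field(init=False, default=0)
    last_refill_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # The bucket starts full, so an initial burst is answered in full.
        self.tokens = self.bucket_size

    def _refill(self, now_ms: int) -> None:
        # One token arrives per interval until the bucket is full.
        arrived = (now_ms - self.last_refill_ms) // self.interval_ms
        if arrived > 0:
            self.tokens = min(self.bucket_size, self.tokens + arrived)
            # Advance by whole intervals only, keeping the partial remainder.
            self.last_refill_ms += arrived * self.interval_ms

    def try_send(self, now_ms: int) -> bool:
        """Return True if an ICMP error message may be sent at now_ms."""
        if self.interval_ms == 0:
            return True  # interval 0 disables the rate limit
        self._refill(now_ms)
        if self.tokens == 0:
            return False  # bucket empty: the message is suppressed
        self.tokens -= 1
        return True


def simulate(trigger_times_ms, interval_ms=100, bucket_size=10):
    """Run the limiter over the times at which an ICMP error would be
    generated and return (sent_count, suppressed_count)."""
    limiter = IcmpErrorRateLimiter(interval_ms, bucket_size)
    sent = suppressed = 0
    for t in sorted(trigger_times_ms):
        if limiter.try_send(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed workload: 30 triggers at t=0 (e.g. many unreachable
# destinations at once), then one trigger every 50 ms for one second.
BURST = [0] * 30
TRICKLE = list(range(50, 1050, 50))  # 20 triggers, 50 ms apart

if __name__ == "__main__":
    print("defaults, burst only:", simulate(BURST))
    print("defaults, burst + trickle:", simulate(BURST + TRICKLE))
    print("limit disabled (interval 0):", simulate(BURST + TRICKLE, interval_ms=0))
```

With the defaults the burst drains the bucket after 10 messages, and the trickle is then served at one message per 100 ms, so half of it is suppressed.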
Specifying the source address for ICMP packets
About this task
Specifying the source IP address for outgoing ping echo requests and ICMP error messages helps users to locate the sending device easily. As a best practice, specify the IP address of the loopback interface as the source IP address.
Restrictions and guidelines
If you specify an IP address in the ping command, ping echo requests use the specified address as the source IP address rather than the IP address specified by the ip icmp source command.
Procedure
1. Enter system view.
system-view
2. Specify the source address for outgoing ICMP packets.
ip icmp source [ vpn-instance vpn-instance-name ] ip-address
By default, no source address is specified for outgoing ICMP packets. The default source IP addresses for different types of ICMP packets vary as follows:
◦ For an ICMP error message, the source IP address is the IP address of the receiving interface of the packet that triggers the ICMP error message. ICMP error messages include Time Exceeded, Port Unreachable, and Parameter Problem messages.
◦ For an ICMP echo request, the source IP address is the IP address of the sending interface.
◦ For an ICMP echo reply, the source IP address is the destination IP address of the ICMP echo request specific to this reply.
Disabling sending a specific type of ICMP messages
About this task
By default, the device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages. Attackers might obtain information from specific types of ICMP messages, causing security issues.
For security purposes, you can perform this task to disable sending ICMP messages of specific types.
Restrictions and guidelines
Disabling sending ICMP messages of a specific type might affect network operation. Please use this feature with caution.
To enable sending Destination Unreachable, Time Exceeded, or Redirect messages, you can perform one of the following tasks:
· Execute the ip icmp send enable command.
· Execute one of the following commands as needed:
◦ ip unreachables enable
◦ ip ttl-expires enable
◦ ip redirects enable
Procedure
1. Enter system view.
system-view
2. Disable the device from sending a specific type of ICMP messages.
undo ip icmp { name icmp-name | type icmp-type code icmp-code } send enable
By default, the device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages.
Disabling receiving a specific type of ICMP messages
About this task
By default, the device receives all types of ICMP messages. Such a setting might affect device performance if a large number of ICMP responses are received within a short time. To resolve this issue, you can perform this task to disable the device from receiving a specific type of ICMP messages.
Restrictions and guidelines
Disabling receiving ICMP messages of a specific type might affect network operation. Please use this feature with caution.
Procedure
1. Enter system view.
system-view
2. Disable the device from receiving a specific type of ICMP messages.
undo ip icmp { name icmp-name | type icmp-type code icmp-code } receive enable
By default, the device receives all types of ICMP messages.
Setting TCP MSS for an interface
About this task
The maximum segment size (MSS) option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, it fragments the segment according to the receiver's MSS.
Restrictions and guidelines
· If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.
· This configuration takes effect only for TCP connections established after the configuration rather than the TCP connections that already exist.
· This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not set the TCP MSS on the interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the TCP MSS for the interface.
tcp mss value
By default, the TCP MSS is not set.
Setting the default TCP MSS
About this task
After a TCP connection is established, the device segments TCP packets based on the TCP MSS before sending them out. Generally, the TCP MSS equals the IP MTU value of the packet sending interface minus 40.
You can execute this command to set a high default TCP MSS to avoid the following issues that are caused by a small TCP MSS:
· The device breaks up a TCP packet into too many segments.
· The TCP SYN packet replied from the connection responder has a TCP checksum error.
Procedure
1. Enter system view.
system-view
2. Set the default TCP MSS.
tcp default-mss mss-value
By default, the TCP MSS value is 512.
Configuring TCP MSS automatic adjustment
About this task
In environments such as GRE, SSL VPN, or IPsec VPN, the device must add new headers to TCP packets for VPN services. If the size of these new TCP packets exceeds the negotiated TCP MSS, multiple intermediate devices might fragment these packets, resulting in low forwarding efficiency. An appropriate TCP MSS is essential for data transmission. However, manually configuring the TCP MSS for all VPN services is laborious, because the APPENDLEN value varies by VPN service type.
To resolve this issue, enable automatic TCP MSS adjustment on VPN intermediate devices. With this feature enabled, the device automatically adjusts the TCP MSS according to the VPN service type, so that TCP segments are not fragmented again along the path to the destination.
After you enable automatic TCP MSS adjustment, the minimum value of the following MSSs takes effect during TCP connection establishment:
· The MSS value carried by the TCP packets.
· The MSS value calculated based on the VPN service type and the IPv4 MTU. The calculation formula is as follows:
MSS = interface MTU – IP header length – TCP header length – APPENDLEN
APPENDLEN represents the total length of fields added to a TCP packet for VPN services.
To set the IPv4 MTU of an interface, use the ip mtu command.
· The interface MSS set by the tcp mss command.
· The global MSS set by the tcp auto-adjust-mss command.
After you disable automatic TCP MSS adjustment, the minimum value of the following MSSs takes effect during TCP connection establishment:
· The MSS value carried by the TCP packets.
· The interface MSS set by using the tcp mss command.
Hardware and feature compatibility
The following compatibility matrixes show the support of hardware platforms for this feature:
Hardware | Feature compatibility
---|---
MSR610 | No
MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI | Yes
MSR810-LMS, MSR810-LUS | No
MSR810-SI, MSR810-LM-SI | No
MSR810-LMS-EA, MSR810-LME | No
MSR1004S-5G, MSR1004S-5G-CN | No
MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN | Yes
MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T | Yes
MSR2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28, MSR3600-51 | Yes
MSR3600-28-SI, MSR3600-51-SI | No
MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP | Yes
MSR3600-28-G-DP, MSR3600-51-G-DP | Yes
MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG | Yes
MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1 | Yes
MSR3610, MSR3620, MSR3620-DP, MSR3640, MSR3660 | Yes
MSR3610-G, MSR3620-G | Yes
MSR3640-G | Yes
MSR3640-X1-HI | Yes

Hardware | Feature compatibility
---|---
MSR810-W-WiNet, MSR810-LM-WiNet | No
MSR830-4LM-WiNet | No
MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet | No
MSR830-6BHI-WiNet, MSR830-10BHI-WiNet | No
MSR2600-6-WiNet | Yes
MSR2600-10-X1-WiNet | Yes
MSR2630-WiNet | Yes
MSR3600-28-WiNet | Yes
MSR3610-X1-WiNet | Yes
MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet | Yes

Hardware | Feature compatibility
---|---
MSR860-6EI-XS | No
MSR860-6HI-XS | No
MSR2630-XS | Yes
MSR3600-28-XS | Yes
MSR3610-XS | Yes
MSR3620-XS | Yes
MSR3610-I-XS | Yes
MSR3610-IE-XS | Yes
MSR3620-X1-XS | Yes
MSR3640-XS | Yes
MSR3660-XS | Yes

Hardware | Feature compatibility
---|---
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | No
MSR830-10EI-GL | No
MSR830-6HI-GL | No
MSR830-10HI-GL | No
MSR1004S-5G-GL | No
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL |
Restrictions and guidelines
Enabling automatic TCP MSS adjustment has an impact on session establishment and forwarding performance, because the device needs to make an additional TCP MSS decision during packet forwarding. To ensure high forwarding performance, you can disable this feature.
This feature takes effect only on TCP connections that are established after the configuration and not on the TCP connections that already exist.
Procedure
1. Enter system view.
system-view
2. Enable TCP MSS automatic adjustment.
tcp auto-adjust-mss enable
By default, TCP MSS automatic adjustment is disabled.
3. (Optional.) Set the global TCP MSS.
tcp auto-adjust-mss value
By default, the global TCP MSS is 1460 bytes.
Configuring TCP path MTU discovery
About this task
TCP path MTU discovery (defined in RFC 1191) discovers the path MTU between the source and destination ends of a TCP connection. The device uses the path MTU to calculate the MSS to avoid IP fragmentation. The path MTU uses an aging mechanism to ensure that the source device can increase the path MTU when the minimum link MTU on the path increases.
TCP path MTU discovery works as follows:
1. A TCP source device sends a packet with the Don't Fragment (DF) bit set.
2. A router discards the packet that exceeds the MTU of the outgoing interface and returns an ICMP error message. The error message contains the MTU of the outgoing interface.
3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.
4. The TCP source device sends subsequent TCP segments no larger than the MSS (MSS = path MTU – IP header length – TCP header length).
If the TCP source device still receives ICMP error messages when the MSS would fall below 32 bytes, the TCP source device stops reducing the MSS and fragments packets instead.
An ICMP error message received from a router that does not support RFC 1191 has the MTU of the outgoing interface set to 0. Upon receiving the ICMP message, the TCP source device selects the path MTU smaller than the current path MTU from the MTU table as described in RFC 1191. Based on the selected path MTU, the TCP source device calculates the TCP MSS. The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, and 65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU is 72 bytes.
The aging mechanism of the path MTU is as follows:
· When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an aging timer for the path MTU.
· After the aging timer expires, the source device tries a larger MSS, corresponding to the next larger MTU in the MTU table, as described in RFC 1191.
· If no ICMP error message is received within two minutes, the source device keeps increasing the MSS until the MSS negotiated during the TCP three-way handshake is reached.
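The two decisions described above (shrinking the path MTU on an ICMP error, and probing upward again after the aging timer) as an added, simplified model that is not the device's implementation. The plateau table, the 32-byte minimum MSS and the 72-byte minimum MTU are the guide's values; 20-byte IPv4 and TCP headers without options are an assumption.

```python
# Added example, not from the H3C guide: a simplified model of the RFC 1191
# path MTU decisions. Header sizes (20-byte IPv4, 20-byte TCP) are assumed.
IP_HDR = 20
TCP_HDR = 20
MIN_MSS = 32                           # minimum TCP MSS specified by the system
MIN_MTU = MIN_MSS + IP_HDR + TCP_HDR   # 72 bytes, the actual minimum MTU
PLATEAUS = [68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, 65535]


def mss_for(pmtu):
    """MSS = path MTU - IP header length - TCP header length."""
    return pmtu - IP_HDR - TCP_HDR


def on_icmp_frag_needed(current_pmtu, next_hop_mtu):
    """Handle an ICMP 'fragmentation needed' message from a router on the path.

    Returns (new_path_mtu, fragment). fragment is True when the MSS would drop
    below 32 bytes: the source then keeps the 72-byte floor and fragments
    packets instead of shrinking the MSS any further.
    """
    if next_hop_mtu > 0:
        # RFC 1191-aware router: adopt the MTU it reported; never grow the path MTU here.
        candidate = min(current_pmtu, next_hop_mtu)
    else:
        # Pre-RFC 1191 router reports MTU 0: step down to the next lower plateau.
        lower = [p for p in PLATEAUS if p < current_pmtu]
        candidate = lower[-1] if lower else MIN_MTU
    if mss_for(candidate) < MIN_MSS:
        return MIN_MTU, True
    return candidate, False


def on_aging_expired(current_pmtu, negotiated_mss):
    """Aging timer expired with no ICMP error: probe the next larger plateau,
    never exceeding the MSS negotiated in the three-way handshake."""
    cap_mtu = negotiated_mss + IP_HDR + TCP_HDR
    higher = [p for p in PLATEAUS if p > current_pmtu]
    probe = higher[0] if higher else current_pmtu
    return min(probe, cap_mtu)
```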
Prerequisites
Make sure all devices on a TCP connection are enabled to send ICMP error messages by using the ip unreachables enable command.
Procedure
1. Enter system view.
system-view
2. Enable TCP path MTU discovery.
tcp path-mtu-discovery [ aging age-time | no-aging ]
By default, TCP path MTU discovery is disabled.
Enabling SYN Cookie
About this task
A TCP connection is established through a three-way handshake. An attacker can exploit this mechanism to mount SYN Flood attacks: the attacker sends a large number of SYN packets but never responds to the SYN ACK packets from the server. As a result, the server holds a large number of half-open TCP connections (semi-connections) and can no longer handle normal services.
SYN Cookie protects the server against SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without creating a TCP semi-connection. The server creates the TCP connection and enters the ESTABLISHED state only when it receives the ACK packet from the client.
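A minimal stateless SYN cookie in the style the section describes, added here as an illustration rather than the device's implementation. The key, the cookie layout (8-bit time counter in the top byte, 24-bit keyed MAC of the 4-tuple below it, added to the client's ISN) and the 2-tick validity window are assumptions.

```python
import hashlib
import hmac

# Constructed demo key; a real implementation uses a random key that is rotated.
SECRET = b"constructed-demo-secret"
COUNTER_WINDOW = 2   # cookies older than this many counter ticks are rejected
MASK32 = 0xFFFFFFFF


def _mac24(src, sport, dst, dport, counter):
    """24-bit keyed MAC over the connection 4-tuple and the 8-bit time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter & 0xFF}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, sport, dst, dport, client_isn, counter):
    """Server ISN for the SYN ACK. No semi-connection is stored: the state lives in the ISN."""
    cookie = ((counter & 0xFF) << 24) | _mac24(src, sport, dst, dport, counter)
    return (client_isn + cookie) & MASK32


def check_syn_cookie(src, sport, dst, dport, client_seq, ack, now_counter):
    """Validate the client's final ACK (seq = client ISN + 1, ack = server ISN + 1).

    Only a valid, fresh cookie moves the connection to ESTABLISHED, so a SYN
    flood that never sends the ACK never occupies a half-open connection.
    """
    client_isn = (client_seq - 1) & MASK32
    cookie = (ack - 1 - client_isn) & MASK32
    counter = cookie >> 24
    if ((now_counter - counter) & 0xFF) > COUNTER_WINDOW:
        return False   # stale cookie (or a replayed/forged ACK with an old counter)
    expected = _mac24(src, sport, dst, dport, counter).to_bytes(3, "big")
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected)
```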
Procedure
1. Enter system view.
system-view
2. Enable SYN Cookie.
tcp syn-cookie enable
By default, SYN Cookie is disabled.
Setting the TCP buffer size
1. Enter system view.
system-view
2. Set the size of TCP receive/send buffer.
tcp window window-size
The default buffer size is 63 KB.
Setting TCP timers
About this task
You can set the following TCP timers:
· SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. If no response is received before the timer expires, or if the upper limit on TCP connection attempts is reached, TCP fails to establish the connection.
· FIN wait timer—TCP starts the FIN wait timer when TCP changes the connection state to FIN_WAIT_2. If no FIN packet is received within the timer interval, TCP terminates the connection. If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer, and tears down the connection when the timer expires.
Procedure
1. Enter system view.
system-view
2. Set the TCP SYN wait timer.
tcp timer syn-timeout time-value
By default, the TCP SYN wait timer is 75 seconds.
3. Set the TCP FIN wait timer.
tcp timer fin-timeout time-value
By default, the TCP FIN wait timer is 675 seconds.
Enabling carrying the TCP timestamp option in outgoing TCP packets
About this task
The TCP timestamp option in TCP packets is used to calculate the RTT between two communicating devices. Some networks require that intermediate devices cannot obtain the TCP timestamps of packets passing through them. In that case, disable carrying the TCP timestamp option in outgoing packets on the device at either end.
Procedure
1. Enter system view.
system-view
2. Enable carrying the TCP timestamp option in outgoing TCP packets.
tcp timestamps enable
By default, the device adds the TCP timestamp option in outgoing TCP packets.
Configuring TCP congestion control algorithm for TCP proxy
About this task
When you perform this task, you can configure one of the following TCP congestion control algorithms:
· Reno—Use this algorithm in scenarios with low latency and low bandwidth. In scenarios with high latency and high bandwidth, the data transmission rate takes a long time to reach its maximum, so bandwidth utilization is low.
Reno is an early TCP congestion control algorithm that grows the congestion window as ACK messages are received.
· BIC—Use this algorithm in scenarios with high bandwidth and a low packet loss ratio.
BIC makes good use of remaining bandwidth and improves throughput, because it does not slow down packet sending as long as no packet loss occurs. However, its transmission latency is high, and it reduces the congestion window when transmission errors cause packet loss.
· BBR—Use this algorithm in scenarios with high bandwidth, high latency, and packet loss.
BBR does not use packet loss as a congestion signal. In a scenario with high packet loss ratio, this algorithm can ensure high throughput and reduce transmission latency effectively. BBRv2 improves intra-protocol fairness by balancing aggressiveness.
Restrictions and guidelines
This task does not take effect on modules that support their own TCP congestion control algorithm configuration. Such a module uses the algorithm specified in its own configuration. For example, you can use the waas tfo congestion-method command to specify a TCP congestion control algorithm for the WAN side in the WAAS module.
Modules that do not support TCP congestion control algorithm configuration use the same algorithm as the TCP proxy module.
Procedure
1. Enter system view.
system-view
2. Specify a TCP congestion control algorithm for TCP proxy.
tcp-proxy congestion-method { bbrv1 | bbrv2 | bic | reno }
By default, the TCP congestion control algorithm is Reno for TCP proxy.
Configuring TCP connection attack prevention
About this task
This feature enables the device to count the error packets received on each established TCP connection. If the number of error packets received on a TCP connection within one statistics collection period (one second) exceeds the threshold, the device considers the connection under attack and tears it down. If logging is enabled for TCP connection attack prevention, the device also generates a log for the attacked TCP connection.
Procedure
1. Enter system view.
system-view
2. Enable attack prevention for TCP connections.
tcp abnormal-packet-defend [ log | threshold threshold-value ]*
By default, attack prevention is disabled for TCP connections.
Display and maintenance commands for IP performance optimization
NOTE: Support for the display tcp-proxy and display tcp-proxy port-info commands varies by device model. For more information, see the command reference.
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display ICMP statistics. | In standalone mode: display icmp statistics; in IRF mode: display icmp statistics [ slot slot-number ] |
Display IP packet statistics. | In standalone mode: display ip statistics; in IRF mode: display ip statistics [ slot slot-number ] |
Display brief information about RawIP connections. | In standalone mode: display rawip; in IRF mode: display rawip [ slot slot-number ] |
Display detailed information about RawIP connections. | In standalone mode: display rawip verbose [ pcb pcb-index ]; in IRF mode: display rawip verbose [ slot slot-number [ pcb pcb-index ] ] |
Display brief information about TCP connections. | In standalone mode: display tcp; in IRF mode: display tcp [ slot slot-number ] |
Display TCP traffic statistics. | In standalone mode: display tcp statistics; in IRF mode: display tcp statistics [ slot slot-number ] |
Display detailed information about TCP connections. | In standalone mode: display tcp verbose [ pcb pcb-index ]; in IRF mode: display tcp verbose [ slot slot-number [ pcb pcb-index ] ] |
Display brief information about TCP proxy. | In standalone mode: display tcp-proxy; in IRF mode: display tcp-proxy slot slot-number |
Display the usage of non-well-known ports for TCP proxy. | In standalone mode: display tcp-proxy port-info; in IRF mode: display tcp-proxy port-info slot slot-number |
Display brief information about UDP connections. | In standalone mode: display udp; in IRF mode: display udp [ slot slot-number ] |
Display UDP traffic statistics. | In standalone mode: display udp statistics; in IRF mode: display udp statistics [ slot slot-number ] |
Display detailed information about UDP connections. | In standalone mode: display udp verbose [ pcb pcb-index ]; in IRF mode: display udp verbose [ slot slot-number [ pcb pcb-index ] ] |
Display information about enabled INET services. | In standalone mode: display inet open-service; in IRF mode: display inet open-service [ slot slot-number ] |
Clear IP packet statistics. | In standalone mode: reset ip statistics; in IRF mode: reset ip statistics [ slot slot-number ] |
Clear TCP traffic statistics. | reset tcp statistics |
Clear UDP traffic statistics. | reset udp statistics |