07-Layer 3—IP Services Configuration Guide

HomeSupportConfigure & DeployConfiguration GuidesH3C MSR610[810][830][1000S][2600][3600] Routers Configuration Guides(V7)-R6749-6W10007-Layer 3—IP Services Configuration Guide
12-IP performance optimization configuration
Title Size Download
12-IP performance optimization configuration 193.87 KB

Contents

Optimizing IP performance· 1

IP performance optimization tasks at a glance· 1

Enabling an interface to receive and forward directed broadcasts destined for the directly connected network  2

About forwarding broadcasts destined for the directly connected network· 2

Procedure· 2

Example: Enabling an interface to forward directed broadcasts destined for the directly connected network  2

Setting the interface MTU for IPv4 packets· 3

Enabling Layer 3 packet statistics collection· 4

Enabling IPv4 local fragment reassembly· 4

Enabling IPv4 virtual fragment reassembly· 6

Enabling fragment centralization for IPv4 VFR· 7

Forcibly disabling IPv4 VFR· 7

Enabling fragment centralization for IPv6 VFR· 8

Forcibly disabling IPv6 VFR· 8

Configuring the DF bit for IP packets· 9

Enabling sending ICMP error messages· 9

About sending ICMP error messages· 9

Enabling sending ICMP redirect messages· 9

Enabling sending ICMP time exceeded messages· 10

Enable sending ICMP destination unreachable messages· 10

Configuring rate limit for ICMP error messages· 11

Specifying the source address for ICMP packets· 12

Disabling sending a specific type of ICMP messages· 12

Disabling receiving a specific type of ICMP messages· 13

Setting TCP MSS for an interface· 13

Setting the default TCP MSS· 14

Configuring TCP MSS automatic adjustment 14

Configuring TCP path MTU discovery· 17

Enabling SYN Cookie· 18

Setting the TCP buffer size· 18

Setting TCP timers· 18

Enabling carrying the TCP timestamp option in outgoing TCP packets· 19

Configuring TCP congestion control algorithm for TCP proxy· 19

Configuring TCP connection attack prevention· 20

Display and maintenance commands for IP performance optimization· 20

 


Optimizing IP performance

 

IP performance optimization tasks at a glance

All IP performance optimization tasks are optional.

1.     Configuring features for IP packets

¡     Enabling an interface to receive and forward directed broadcasts destined for the directly connected network

¡     Setting the interface MTU for IPv4 packets

¡     Enabling Layer 3 packet statistics collection

¡     Enabling IPv4 local fragment reassembly

This feature is applicable in IRF networks.

¡     Enabling IPv4 virtual fragment reassembly

¡     Enabling fragment centralization for IPv4 VFR

¡     Forcibly disabling IPv4 VFR

¡     Enabling fragment centralization for IPv6 VFR

¡     Forcibly disabling IPv6 VFR

¡     Configuring the DF bit for IP packets

2.     Configuring features for ICMP messages

¡     Enabling sending ICMP error messages

¡     Configuring rate limit for ICMP error messages

¡     Specifying the source address for ICMP packets

¡     Disabling sending a specific type of ICMP messages

¡     Disabling receiving a specific type of ICMP messages

3.     Configuring features for TCP packets

¡     Setting TCP MSS for an interface

¡     Setting the default TCP MSS

¡     Configuring TCP MSS automatic adjustment

¡     Configuring TCP path MTU discovery

¡     Enabling SYN Cookie

¡     Setting the TCP buffer size

¡     Setting TCP timers

¡     Enabling carrying the TCP timestamp option in outgoing TCP packets

¡     Configuring TCP congestion control algorithm for TCP proxy

¡     Configuring TCP connection attack prevention

Enabling an interface to receive and forward directed broadcasts destined for the directly connected network

About forwarding broadcasts destined for the directly connected network

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

If an interface is allowed to receive and forward directed broadcasts destined for the directly connected network, hackers can exploit this vulnerability to attack the target network. In some scenarios, however, an interface must receive and send such directed broadcast packets to support the following features:

·     UDP helper—Converts the directed broadcasts to unicasts and forwards them to a specific server.

·     Wake on LAN—Sends the directed broadcasts to wake up the hosts on the target network.

You can configure this function to enable the interface to receive and forward directed broadcast packets that are destined for directly connected network.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the interface to receive and forward directed broadcasts destined for the directly connected network.

ip forward-broadcast

By default, an interface cannot forward directed broadcasts destined for the directly connected network. The interface can receive directed broadcasts destined for the directly connected network.

Example: Enabling an interface to forward directed broadcasts destined for the directly connected network

Network configuration

As shown in Figure 1, the default gateway of the host is the IP address 1.1.1.2/24 of GigabitEthernet 1/0/1 of Router A. Configure a static route destined for the host on Router B. Router B can receive directed broadcasts from the host to IP address 2.2.2.255.

Figure 1 Network diagram

 

Procedure

1.     Configure Router A:

# Specify IP addresses for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

<RouterA> system-view

[RouterA] interface gigabitethernet 1/0/1

[RouterA-GigabitEthernet1/0/1] ip address 1.1.1.2 24

[RouterA-GigabitEthernet1/0/1] quit

[RouterA] interface gigabitethernet 1/0/2

[RouterA-GigabitEthernet1/0/2] ip address 2.2.2.2 24

# Enable GigabitEthernet 1/0/2 to forward directed broadcasts destined for the directly connected network.

[RouterA-GigabitEthernet1/0/2] ip forward-broadcast

2.     Configure Router B:

# Configure a static route to the host.

<RouterB> system-view

[RouterB] ip route-static 1.1.1.1 24 2.2.2.2

# Specify an IP address for GigabitEthernet 1/0/2.

[RouterB] interface gigabitethernet 1/0/2

[RouterB-GigabitEthernet1/0/2] ip address 2.2.2.1 24

# Enable GigabitEthernet 1/0/2 to receive directed broadcasts directed for the directly connected network.

[RouterB-GigabitEthernet1/0/2] ip forward-broadcast

Verifying the configuration

After the configurations are completed, if you ping the subnet-directed broadcast address 2.2.2.255 on the host, GigabitEthernet 1/0/2 of Router B can receive the ping packets. If you delete the ip forward-broadcast configuration on any router, GigabitEthernet 1/0/2 of Router B cannot receive the ping packets.

Setting the interface MTU for IPv4 packets

About this task

The interface MTU for IPv4 packets defines the largest size of an IPv4 packet that an interface can transmit without fragmentation. When a packet exceeds the MTU of the sending interface, the device processes the packet in one of the following ways:

·     If the packet disallows fragmentation, the device discards it.

·     If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set the MTU based on the network environment to avoid fragmentation.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the interface MTU for IPv4 packets.

ip mtu mtu-size

By default, the interface MTU is not set.

Enabling Layer 3 packet statistics collection

About this task

With this feature enabled on an interface, the device counts incoming and outgoing IP packets on the interface. To display the collected statistics, execute the display ip statistics command. To display the receiving and sending rates of IP packets on the interface, execute the display interface command.

Restrictions and guidelines

When the interface is processing a large number of packets, Layer 3 packet statistics collection will cause high CPU usage and degrade the forwarding performance. If the statistics are not necessary, disable this feature to ensure the device performance.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable Layer 3 packet statistics collection.

statistics l3-packet enable [ inbound | outbound ]

By default, Layer 3 packet statistics collection is disabled.

Enabling IPv4 local fragment reassembly

About this task

Use this feature on a multichassis IRF fabric to improve fragment reassembly efficiency. This feature enables a subordinate to reassemble the IPv4 fragments of a packet if all the fragments arrive at it. If this feature is disabled, all IPv4 fragments are delivered to the master device for reassembly. The feature applies only to fragments destined for the same subordinate.

Hardware and feature compatibility

The following compatibility matrixes show the support of hardware platforms for this feature:

 

Hardware

Feature compatibility

MSR610

Yes

MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI

Yes

MSR810-LMS, MSR810-LUS

Yes

MSR810-SI, MSR810-LM-SI

Yes

MSR810-LMS-EA, MSR810-LME

Yes

MSR1004S-5G, MSR1004S-5G-CN

Yes

MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN

No

MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T

Yes

MSR2600-10-X1

Yes

MSR 2630

Yes

MSR3600-28, MSR3600-51

Yes

MSR3600-28-SI, MSR3600-51-SI

Yes

MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP

Yes

MSR3600-28-G-DP, MSR3600-51-G-DP

Yes

MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG

Yes

MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1

Yes

MSR3610, MSR3620, MSR3620-DP, MSR3640, MSR3660

Yes

MSR3610-G, MSR3620-G

Yes

MSR3640-G

Yes

MSR3640-X1-HI

Yes

Hardware

Feature compatibility

MSR810-W-WiNet, MSR810-LM-WiNet

Yes

MSR830-4LM-WiNet

Yes

MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet

Yes

MSR830-6BHI-WiNet, MSR830-10BHI-WiNet

Yes

MSR2600-6-WiNet

Yes

MSR2600-10-X1-WiNet

Yes

MSR2630-WiNet

Yes

MSR3600-28-WiNet

Yes

MSR3610-X1-WiNet

Yes

MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet

Yes

Hardware

Feature compatibility

MSR860-6EI-XS

Yes

MSR860-6HI-XS

Yes

MSR2630-XS

Yes

MSR3600-28-XS

Yes

MSR3610-XS

Yes

MSR3620-XS

Yes

MSR3610-I-XS

Yes

MSR3610-IE-XS

Yes

MSR3620-X1-XS

Yes

MSR3640-XS

Yes

MSR3660-XS

Yes

Hardware

Feature compatibility

MSR810-LM-GL

Yes

MSR810-W-LM-GL

Yes

MSR830-6EI-GL

Yes

MSR830-10EI-GL

Yes

MSR830-6HI-GL

Yes

MSR830-10HI-GL

Yes

MSR1004S-5G-GL

Yes

MSR2600-6-X1-GL

Yes

MSR3600-28-SI-GL

Yes

Procedure

1.     Enter system view.

system-view

2.     Enable IPv4 local fragment reassembly.

ip reassemble local enable

By default, IPv4 local fragment reassembly is disabled.

Enabling IPv4 virtual fragment reassembly

About this task

To prevent each service module from processing packet fragments that do not arrive in order, you can enable the virtual fragment reassembly (VFR) feature. This feature virtually reassembles the fragments of a datagram through fragment check, sequencing, and caching, ensuring fragments arrive at each service module in order.

VFR can detect and prevent the following types of attacks:

·     Tiny fragment attack—The first fragment size is too small to hold the Layer 4 (such as TCP and UDP) header field, which is forced into the second fragment. VFR discards all tiny fragments.

·     Overlapping fragment attack—Two consecutive incoming fragments are identical or overlap with each other. If an overlapping fragment is detected, VFR discards all fragments within a fragment chain.

·     Fragment flooding attack—The maximum number of concurrent preassemblies or the number of fragments per datagram exceeds the upper limits. VFR discards subsequent fragments if the upper limit is reached.

Restrictions and guidelines

The enabling status of VFR can be managed at CLI or the enabling status of a service module that can call VFR. VRF is enabled in either of the following conditions:

·     A service module that can call it is enabled.

·     The ip virtual-reassembly enable command is executed.

If fragment reassembly is required, but a service module cannot call it, execute this command at CLI.

The ip virtual-reassembly suppress command can forcibly disable VFR regardless of the method that you used to enable VFR.

Procedure

1.     Enter system view.

system-view

2.     Enable IPv4 virtual fragment reassembly.

ip virtual-reassembly enable

By default, IPv4 virtual fragment reassembly is disabled.

Enabling fragment centralization for IPv4 VFR

About this task

On an HA network, if an HA device enabled with IPv4 VFR does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. To resolve this issue, you can enable this feature. Devices that do not receive the first fragment of a datagram forward the received fragments of this datagram to the device that receives the first fragment for VFR.

Restrictions and guidelines

This feature is applicable to devices enabled with IPv4 VFR on an HA network.

For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable fragment centralization for IPv4 VFR.

ip virtual-reassembly centralize

By default, fragment centralization is disabled for IPv4 VFR.

Forcibly disabling IPv4 VFR

About this task

IPv4 VFR checks, sequences, and caches fragments upon fragment receiving to ensure that these fragments will be assembled in the correct order.

On an HA network, if an HA device does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. For the devices to permit the received fragments to pass, you can forcibly disable IPv4 VFR.

After you enable VFR through service calling or CLI, you can use the ip virtual-reassembly suppress command to forcibly disable VFR.

With IPv4 VFR forcibly disabled, ASPF and connection limit do not take effect on the received IPv4 fragments and the fragments will be forwarded directly.

Restrictions and guidelines

Use this feature according to the demands of VFR.

For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Forcibly disable IPv4 VFR.

ip virtual-reassembly suppress

By default, forcibly disabling IPv4 VFR is disabled.

Enabling fragment centralization for IPv6 VFR

About this task

On an HA network, if an HA device enabled with IPv6 VFR does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard all the received fragments. To resolve this issue, you can enable this feature. Devices that do not receive the first fragment of a datagram forward the received fragments of this datagram to the device that receives the first fragment for VFR.

Restrictions and guidelines

This feature is applicable to devices enabled with IPv6 VFR on an HA network.

For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable fragment centralization for IPv6 VFR.

ipv6 virtual-reassembly centralize

By default, fragment centralization is disabled for IPv6 VFR.

Forcibly disabling IPv6 VFR

About this task

IPv6 VFR checks, sequences, and caches fragments upon fragment receiving to ensure that these fragments will be assembled in the correct order.

On an HA network, if an HA device does not receive all fragments of a datagram, it cannot reassemble the datagram and will discard the received fragments. For the devices to permit the received fragments to pass, you can forcibly disable IPv6 VFR.

With IPv6 VFR forcibly disabled, ASPF and connection limit do not take effect on the received IPv6 fragments and the fragments will be forwarded directly.

Restrictions and guidelines

Use this feature according to the demands of VFR.

For more information about HA networking, see RBM-based hot backup configuration in High Availability Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Forcibly disable IPv6 VFR.

ipv6 virtual-reassembly suppress

By default, forcibly disabling IPv6 VFR is disabled.

Configuring the DF bit for IP packets

About this task

This task configures the Don't Fragment (DF) bit for the IP packets to be forwarded:

·     set—Sets the DF bit in the IP packets to 1 to prevent the devices on the path from fragmenting the IP packets. If the path MTU is less than the size of the IP packets and DF bit is set, communication interruption occurs. The devices on the path will drop the IP packets and reply ICMP error messages to the IP packet sender.

·     clear—Sets the DF bit in the IP packets to 0. The devices can fragment the IP packets before forwarding them.

This feature does not apply to IP packets generated by the local device.

Procedure

1.     Enter system view.

system-view

2.     Configure the DF bit for IP packets.

ip df-bit { clear | set }

By default, the DF bit value of IP packets is retained as it is.

Enabling sending ICMP error messages

About sending ICMP error messages

ICMP messages are used by network layer and transport layer protocols to communicate updates and errors with other devices, facilitating network management.

Sending excessive ICMP messages increases network traffic. The device performance degrades if it receives a lot of malicious ICMP messages that cause it to respond with ICMP error messages. To prevent such problems, the sending of ICMP error messages is disabled by default. You can enable sending ICMP error messages of different types as needed.

ICMP error messages include redirect messages, time exceeded messages, and destination unreachable messages.

Enabling sending ICMP redirect messages

About this task

A host that has only one default route sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop when the following conditions are met:

·     The receiving and sending interfaces are the same.

·     The packet source IP address and the IP address of the packet receiving interface are on the same segment.

·     There is no source route option in the received packet.

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing table.

Procedure

1.     Enter system view.

system-view

2.     Enable sending ICMP redirect messages.

ip redirects enable

By default, the sending of ICMP redirect messages is disabled.

Enabling sending ICMP time exceeded messages

About this task

A device sends ICMP time exceeded messages by following these rules:

·     The device sends the source an ICMP TTL exceeded in transit message when the following conditions are met:

¡     The received packet is not destined for the device.

¡     The TTL field of the packet is 1.

·     When the device receives the first fragment of an IP datagram destined for it, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

Restrictions and guidelines

If the ICMP time exceeded message sending is disabled, the device does not send ICMP TTL exceeded in transit messages. However, it can still send ICMP fragment reassembly time exceeded messages.

Procedure

1.     Enter system view.

system-view

2.     Enable sending ICMP time exceeded messages.

ip ttl-expires enable

By default, the sending of ICMP time exceeded messages is disabled.

Enable sending ICMP destination unreachable messages

About this task

A device sends ICMP destination unreachable messages by following these rules:

·     The device sends the source an ICMP network unreachable message when the following conditions are met:

¡     The packet does not match any route.

¡     No default route exists in the routing table.

·     The device sends the source an ICMP protocol unreachable message when the following conditions are met:

¡     The packet is destined for the device.

¡     The transport layer protocol of the packet is not supported by the device.

·     The device sends the source an ICMP port unreachable message when the following conditions are met:

¡     The UDP packet is destined for the device.

¡     The packet's port number does not match the corresponding process.

·     The device sends the source an ICMP source route failed message when the following conditions are met:

¡     The source uses Strict Source Routing to send packets.

¡     The intermediate device finds that the next hop specified by the source is not directly connected.

·     The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:

¡     The MTU of the sending interface is smaller than the packet.

¡     The packet has DF set.

Restrictions and guidelines

If a DHCP-enabled device receives an ICMP echo reply without sending any ICMP echo requests, the device does not send any ICMP protocol unreachable messages to the source. To enable DHCP, use the dhcp enable command. For more information about this command, see Layer 3—IP Services Command Reference.

Procedure

1.     Enter system view.

system-view

2.     Enable sending ICMP destination unreachable messages.

ip unreachables enable

By default, the sending of ICMP destination unreachable messages is disabled.

Configuring rate limit for ICMP error messages

About this task

To avoid sending excessive ICMP error messages within a short period that might cause network congestion, you can limit the rate at which ICMP error messages are sent. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.

Procedure

1.     Enter system view.

system-view

2.     Set the interval for tokens to arrive in the bucket and the bucket size for ICMP error messages.

ip icmp error-interval interval [ bucketsize ]

By default, a token is placed in the bucket at intervals of 100 milliseconds and the bucket allows a maximum of 10 tokens.

To disable the ICMP rate limit, set the interval to 0 milliseconds.

Specifying the source address for ICMP packets

About this task

Specifying the source IP address for outgoing ping echo requests and ICMP error messages helps users to locate the sending device easily. As a best practice, specify the IP address of the loopback interface as the source IP address.

Restrictions and guidelines

If you specify an IP address in the ping command, ping echo requests use the specified address as the source IP address rather than the IP address specified by the ip icmp source command.

Procedure

1.     Enter system view.

system-view

2.     Specify the source address for outgoing ICMP packets.

ip icmp source [ vpn-instance vpn-instance-name ] ip-address

By default, no source address is specified for outgoing ICMP packets. The default source IP addresses for different types of ICMP packets vary as follows:

¡     For an ICMP error message, the source IP address is the IP address of the receiving interface of the packet that triggers the ICMP error message. ICMP error messages include Time Exceeded, Port Unreachable, and Parameter Problem messages.

¡     For an ICMP echo request, the source IP address is the IP address of the sending interface.

¡     For an ICMP echo reply, the source IP address is the destination IP address of the ICMP echo request specific to this reply.

Disabling sending a specific type of ICMP messages

About this task

By default, the device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages. Attackers might obtain information from specific types of ICMP messages, causing security issues.

For security purposes, you can perform this task disable sending ICMP messages of specific types.

Restrictions and guidelines

Disabling sending ICMP messages of a specific type might affect network operation. Please use this feature with caution.

To enable sending Destination Unreachable, Time Exceeded, or Redirect messages, you can perform one of the following tasks:

·     Execute the ip icmp send enable command.

·     Execute one of the following commands as needed:

¡     ip unreachables enable

¡     ip ttl-expires enable

¡     ip redirects enable

Procedure

1.     Enter system view.

system-view

2.     Disable the device from sending a specific type of ICMP messages.

undo ip icmp { name icmp-name | type icmp-type code icmp-code } send enable

By default, the device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages.

Disabling receiving a specific type of ICMP messages

About this task

By default, the device receives all types of ICMP messages. Such a setting might affect device performance if a large number of ICMP responses are received within a short time. To resolve this issue, you can perform this task to disable the device from receiving a specific type of ICMP messages.

Restrictions and guidelines

Disabling receiving ICMP messages of a specific type might affect network operation. Please use this feature with caution.

Procedure

1.     Enter system view.

system-view

2.     Disable the device from receiving a specific type of ICMP messages.

undo ip icmp { name icmp-name | type icmp-type code icmp-code } receive enable

By default, the device receives all types of ICMP messages.

Setting TCP MSS for an interface

About this task

The maximum segment size (MSS) option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, it fragments the segment according to the receiver's MSS.

Restrictions and guidelines

·     If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

·     This configuration takes effect only for TCP connections established after the configuration rather than the TCP connections that already exist.

·     This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not set the TCP MSS on the interface.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the TCP MSS for the interface.

tcp mss value

By default, the TCP MSS is not set.

Setting the default TCP MSS

About this task

After a TCP connection is established, the device segments TCP packets based on the TCP MSS before sending them out. Generally, the TCP MSS equals the IP MTU value of the packet sending interface minus 40.

You can execute this command to set a high default TCP MSS to avoid the following issues that are caused by a small TCP MSS:

·     The device breaks up a TCP packet into too many segments.

·     The TCP SYN packet replied from the connection responder has a TCP checksum error.

Procedure

1.     Enter system view.

system-view

2.     Set the default TCP MSS.

tcp default-mss mss-value

By default, the TCP MSS value is 512.

Configuring TCP MSS automatic adjustment

About this task

In environments such as GRE, SSL VPN, or IPsec VPN, the device must add new headers to TCP packets for VPN services. If the size of these new TCP packets exceeds the negotiated TCP MSS, multiple intermediate devices might fragment these packets, resulting in low forwarding efficiency. An appropriate TCP MSS is essential for data transmission. However, manual TCP MSS configuration for all VPN services is an effort, because the APPENDLEN value varies by VPN service type.

To resolve this issue, enable automatic TCP MSS adjustment on VPN intermediate devices. With this feature enabled, the device can automatically adjust the TCP MSS according to the VPN service type, ensuring that TCP segments are re-fragmented along the path to the destination.

After you enable automatic TCP MSS adjustment, the minimum value of the following MSSs takes effect during TCP connection establishment:

·     The MSS value carried by the TCP packets.

·     The MSS value calculated based on the VPN service type and the IPv4 MTU. The calculation formula is as follows:

MSS = interface MTU – IP header length – TCP header length – APPENDLEN

APPENDLEN represents the total length of fields added to a TCP packet for VPN services.

To set the IPv4 MTU of an interface, use the ip mtu command.

·     The interface MSS set by the tcp mss command.

·     The global MSS set by the tcp auto-adjust-mss command.

After you disable automatic TCP MSS adjustment, the minimum value of the following MSSs takes effect during TCP connection establishment:

·     The MSS value carried by the TCP packets.

·     The interface MSS set by using the tcp mss command.

Hardware and feature compatibility

The following compatibility matrixes show the support of hardware platforms for this feature:

 

Hardware

Feature compatibility

MSR610

No

MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI

Yes

MSR810-LMS, MSR810-LUS

No

MSR810-SI, MSR810-LM-SI

No

MSR810-LMS-EA, MSR810-LME

No

MSR1004S-5G, MSR1004S-5G-CN

No

MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN

Yes

MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T

Yes

MSR2600-10-X1

Yes

MSR 2630

Yes

MSR3600-28, MSR3600-51

Yes

MSR3600-28-SI, MSR3600-51-SI

No

MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP

Yes

MSR3600-28-G-DP, MSR3600-51-G-DP

Yes

MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG

Yes

MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1

Yes

MSR3610, MSR3620, MSR3620-DP, MSR3640, MSR3660

Yes

MSR3610-G, MSR3620-G

Yes

MSR3640-G

Yes

MSR3640-X1-HI

Yes

Hardware

Feature compatibility

MSR810-W-WiNet, MSR810-LM-WiNet

No

MSR830-4LM-WiNet

No

MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet

No

MSR830-6BHI-WiNet, MSR830-10BHI-WiNet

No

MSR2600-6-WiNet

Yes

MSR2600-10-X1-WiNet

Yes

MSR2630-WiNet

Yes

MSR3600-28-WiNet

Yes

MSR3610-X1-WiNet

Yes

MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet

Yes

Hardware

Feature compatibility

MSR860-6EI-XS

No

MSR860-6HI-XS

No

MSR2630-XS

Yes

MSR3600-28-XS

Yes

MSR3610-XS

Yes

MSR3620-XS

Yes

MSR3610-I-XS

Yes

MSR3610-IE-XS

Yes

MSR3620-X1-XS

Yes

MSR3640-XS

Yes

MSR3660-XS

Yes

Hardware

Feature compatibility

MSR810-LM-GL

Yes

MSR810-W-LM-GL

Yes

MSR830-6EI-GL

No

MSR830-10EI-GL

No

MSR830-6HI-GL

No

MSR830-10HI-GL

No

MSR1004S-5G-GL

No

MSR2600-6-X1-GL

Yes

MSR3600-28-SI-GL

No

Restrictions and guidelines

Enabling automatic TCP MSS adjustment has an impact on session establishment and forwarding performance, because the device needs to make an additional TCP MSS decision during packet forwarding. To ensure high forwarding performance, you can disable this feature.

This feature takes effect only on TCP connections that are established after the configuration and not on the TCP connections that already exist.

Procedure

1.     Enter system view.

system-view

2.     Enable TCP MSS automatic adjustment.

tcp auto-adjust-mss enable

By default, TCP MSS automatic adjustment is disabled.

3.     (Optional.) Set the global TCP MSS.

tcp auto-adjust-mss value

By default, the global TCP MSS is 1460 bytes.

Configuring TCP path MTU discovery

About this task

TCP path MTU discovery (in RFC 1191) discovers the path MTU between the source and destination ends of a TCP connection. The device uses the path MTU to calculate the MSS to avoid IP fragmentation. The path MTU uses an aging mechanism to ensure that the source device can increase the path MTU when the minimum link MTU on the path increases.

TCP path MTU discovery works as follows:

1.     A TCP source device sends a packet with the Don't Fragment (DF) bit set.

2.     A router discards the packet that exceeds the MTU of the outgoing interface and returns an ICMP error message. The error message contains the MTU of the outgoing interface.

3.     Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection.

4.     The TCP source device sends subsequent TCP segments that are smaller than the MSS (MSS = path MTU – IP header length – TCP header length).

If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device will fragment packets.

An ICMP error message received from a router that does not support RFC 1191 has the MTU of the outgoing interface set to 0. Upon receiving the ICMP message, the TCP source device selects the path MTU smaller than the current path MTU from the MTU table as described in RFC 1191. Based on the selected path MTU, the TCP source device calculates the TCP MSS. The MTU table contains MTUs of 68, 296, 508, 1006, 1280, 1492, 2002, 4352, 8166, 17914, 32000, and 65535 bytes. Because the minimum TCP MSS specified by the system is 32 bytes, the actual minimum MTU is 72 bytes.

The aging mechanism of the path MTU is as follows:

·     When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an aging timer for the path MTU.

·     After the aging timer expires, the source device uses a larger MSS in the MTU table, as described in RFC 1191.

·     If no ICMP error message is received within two minutes, the source device increases the MSS again until the MSS negotiated during TCP three-way handshake is reached.

Prerequisites

Make sure all devices on a TCP connection are enabled to send ICMP error messages by using the ip unreachables enable command.

Procedure

1.     Enter system view.

system-view

2.     Enable TCP path MTU discovery.

tcp path-mtu-discovery [ aging age-time | no-aging ]

By default, TCP path MTU discovery is disabled.

Enabling SYN Cookie

About this task

A TCP connection is established through a three-way handshake. An attacker can exploit this mechanism to mount SYN Flood attacks. The attacker sends a large number of SYN packets, but does not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and can no longer handle normal services.

SYN Cookie can protect the server from SYN Flood attacks. When the server receives a SYN packet, it responds with a SYN ACK packet without establishing a TCP semi-connection. The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the client.

Procedure

1.     Enter system view.

system-view

2.     Enable SYN Cookie.

tcp syn-cookie enable

By default, SYN Cookie is disabled.

Setting the TCP buffer size

1.     Enter system view.

system-view

2.     Set the size of TCP receive/send buffer.

tcp window window-size

The default buffer size is 63 KB.

Setting TCP timers

About this task

You can set the following TCP timers:

·     SYN wait timer—TCP starts the SYN wait timer after sending a SYN packet. Within the SYN wait timer if no response is received or the upper limit on TCP connection tries is reached, TCP fails to establish the connection.

·     FIN wait timer—TCP starts the FIN wait timer when TCP changes the connection state to FIN_WAIT_2. If no FIN packet is received within the timer interval, TCP terminates the connection. If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer, and tears down the connection when the timer expires.

Procedure

1.     Enter system view.

system-view

2.     Set the TCP SYN wait timer.

tcp timer syn-timeout time-value

By default, the TCP SYN wait timer is 75 seconds.

3.     Set the TCP FIN wait timer.

tcp timer fin-timeout time-value

By default, the TCP FIN wait timer is 675 seconds.

Enabling carrying the TCP timestamp option in outgoing TCP packets

About this task

The TCP timestamp option in TCP packets is used to calculate the RTT between two communicating devices. In some networks, it is required to prevent the intermediate devices from obtaining the TCP timestamps in packets passing through. Then you can disable carrying the TCP timestamp option in outgoing packets on a device at either end.

Procedure

1.     Enter system view.

system-view

2.     Enable carrying the TCP timestamp option in outgoing TCP packets.

tcp timestamps enable

By default, the device adds the TCP timestamp option in outgoing TCP packets.

Configuring TCP congestion control algorithm for TCP proxy

About this task

When you perform this task, you can configure one of the following TCP congestion control algorithms:

·     Reno—Use this algorithm in scenarios with low latency and low bandwidth. In scenarios with high latency and high bandwidth, the speed of data transmission takes a long time to reach the maximum and thus the bandwidth utilization rate is low.

Reno is an early TCP congestion control algorithm that increases the number of congestion windows on receipt of ACK messages.

·     BICUse this algorithm in scenarios with high bandwidth and low packet loss ratio.

BIC can make good use of remaining bandwidth resources and improve throughput, because this algorithm does not slow down packet sending as long as no packet loss occurs. However, the transmission latency of this algorithm is high. This algorithm will reduce the number of congestion windows when transmission errors cause packet loss.

·     BBR—Use this algorithm in scenarios with high bandwidth, high latency, and packet loss.

BBR does not use packet loss as a congestion signal. In a scenario with high packet loss ratio, this algorithm can ensure high throughput and reduce transmission latency effectively. BBRv2 improves intra-protocol fairness by balancing aggressiveness.

Restrictions and guidelines

This task does not take effect on the modules that support TCP congestion control algorithm configuration. The TCP congestion control algorithm used by such a module depends on its configuration. For example, you can use the waas tfo congestion-method command to specify a TCP congestion control algorithm for the WAN side in the WAAS module.

The modules that do not support TCP congestion control algorithm configuration use the same algorithm as the TCP proxy module.

Procedure

1.     Enter system view.

system-view

2.     Specify a TCP congestion control algorithm for TCP proxy.

tcp-proxy congestion-method { bbrv1 | bbrv2 | bic | reno }

By default, the TCP congestion control algorithm is Reno for TCP proxy.

Configuring TCP connection attack prevention

About this task

This feature enables the device to count the error packets received by each established TCP connection. If the number of error packets received by a TCP connection within a statistics collection period (one second) exceeds the threshold, the device determines that the TCP connection is attacked and disconnects the TCP connection. If you enable logging for TCP connection attack prevention, the device generates a log about the attacked TCP connection.

Procedure

1.     Enter system view.

system-view

2.     Enable attack prevention for TCP connections.

tcp abnormal-packet-defend [ log | threshold threshold-value ]*

By default, attack prevention is disabled for TCP connections.

Display and maintenance commands for IP performance optimization

 

NOTE:

Support for the display tcp-proxy and display tcp-proxy port-info commands varies by device model. For more information, see the command reference.

 

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display ICMP statistics.

In standalone mode:

display icmp statistics

In IRF mode:

display icmp statistics [ slot slot-number ]

Display IP packet statistics.

In standalone mode:

display ip statistics

In IRF mode:

display ip statistics [ slot slot-number ]

Display brief information about RawIP connections.

In standalone mode:

display rawip

In IRF mode:

display rawip [ slot slot-number ]

Display detailed information about RawIP connections.

In standalone mode:

display rawip verbose [ pcb pcb-index ]

In IRF mode:

display rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Display brief information about TCP connections.

In standalone mode:

display tcp

In IRF mode:

display tcp [ slot slot-number ]

Display TCP traffic statistics.

In standalone mode:

display tcp statistics

In IRF mode:

display tcp statistics [ slot slot-number ]

Display detailed information about TCP connections.

In standalone mode:

display tcp verbose [ pcb pcb-index ]

In IRF mode:

display tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Display brief information about TCP proxy.

In standalone mode:

display tcp-proxy

In IRF mode:

display tcp-proxy slot slot-number

Display the usage of non-well known ports for TCP proxy.

In standalone mode:

display tcp-proxy port-info

In IRF mode:

display tcp-proxy port-info slot slot-number

Display brief information about UDP connections.

In standalone mode:

display udp

In IRF mode:

display udp [ slot slot-number ]

 Display UDP traffic statistics.

In standalone mode:

display udp statistics

In IRF mode:

display udp statistics [ slot slot-number ]

Display detailed information about UDP connections.

In standalone mode:

display udp verbose [ pcb pcb-index ]

In IRF mode:

display udp verbose [ slot slot-number [ pcb pcb-index ] ]

Display information about enabled INET services.

In standalone mode:

display inet open-service

In IRF mode:

display inet open-service [ slot slot-number ]

Clear IP packet statistics.

In standalone mode:

reset ip statistics

In IRF mode:

reset ip statistics [ slot slot-number ]

Clear TCP traffic statistics.

reset tcp statistics

Clear UDP traffic statistics.

reset udp statistics

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网