slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IP packet statistics for all member devices.

Usage guidelines

IP statistics include information about received and sent packets, fragments, and reassembly.

Examples

# Display IP packet statistics.

<Sysname> display ip statistics

Input: sum 7120 local 112

bad protocol 0 bad format 0

bad checksum 0 bad options 0

Output: forwarding 0 local 27

dropped 0 no route 2

compress fails 0

Fragment:input 0 output 0

dropped 0

fragmented 0 couldn't fragment 0

Reassembling:sum 0 timeouts 0

Table 2 Command output

Field	Description
Input	Statistics about received packets: · sum—Total number of packets received. · local—Total number of packets destined for the device. · bad protocol—Total number of unknown protocol packets. · bad format—Total number of packets with incorrect format. · bad checksum—Total number of packets with incorrect checksum. · bad options—Total number of packets with incorrect option.
Output	Statistics about sent packets: · forwarding—Total number of packets forwarded. · local—Total number of packets locally sent. · dropped—Total number of packets discarded. · no route—Total number of packets for which no route is available. · compress fails—Total number of packets failed to be compressed.
Fragment	Statistics about fragments: · input—Total number of fragments received. · output—Total number of fragments sent. · dropped—Total number of fragments dropped. · fragmented—Total number of packets successfully fragmented. · couldn't fragment—Total number of packets failed to be fragmented.
Reassembling	Statistics about reassembly: · sum—Total number of packets reassembled. · timeouts—Total number of reassembly timeouts.

‌

Related commands

display ip interface

reset ip statistics

statistics l3-packet enable

Field	Description
Local Addr	Local IP address.
Foreign Addr	Peer IP address.
Protocol	Protocol number.
PCB	Protocol control block.

display rawip verbose

Use display rawip verbose to display detailed information about RawIP connections.

Syntax

display rawip verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed RawIP connection information for the specified PCB. The pcb-index argument specifies the index of the PCB. The index value is a hexadecimal string in the range of 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about RawIP connections for all member devices.

Usage guidelines

The detailed information includes socket creator, state, option, type, protocol number, and the source and destination IP addresses of RawIP connections.

Examples

# Display detailed information about RawIP connections.

<Sysname> display rawip verbose

Total RawIP socket number: 1

Connection info: src = 0.0.0.0, dst = 0.0.0.0

Location: slot 1

Creator: ping[320]

State: N/A

Options: N/A

Error: 0

Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 9216 / 1 / 0 / N/A

Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

Type: 3

Protocol: 1

Inpcb flags: N/A

Inpcb extflag: INP_EXTRCVICMPERR INP_EXTFILTER

Inpcb vflag: INP_IPV4

TTL: 255(minimum TTL: 0)

Send VRF: 0xffff

Receive VRF: 0xffff

Table 4 Command output

Field	Description
Total RawIP socket number	Total number of RawIP sockets.
Connection info	Connection information, including source IP address and destination IP address.
Location	Socket location.
Creator	Name of the operation that created the socket. The number in brackets is the process number of the creator.
State	Socket state: · NOFDREF—The user has closed the connection. · ISCONNECTED—The connection has been established. · ISCONNECTING—The connection is being established. · ISDISCONNECTING—The connection is being interrupted. · ASYNC—Asynchronous mode. · ISDISCONNECTED—The connection has been terminated. · ISSMOOTHING—Cross-card data smoothing is in progress. · CANBIND—The socket supports the bind operation. · PROTOREF—Indicates strong protocol reference. · ISPCBSYNCING—Cross-card PCB synchronization is in progress. · N/A—None of above state.
Options	Socket options: · SO_DEBUG—Records socket debugging information. · SO_ACCEPTCONN—Enables the server to listen connection requests. · SO_REUSEADDR—Allows the local address reuse. · SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive. · SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network. · SO_BROADCAST—Supports broadcast packets. · SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer. · SO_OOBINLINE—Stores the out-of-band data in the input queue. · SO_REUSEPORT—Allows the local port reuse. · SO_TIMESTAMP—Records the timestamps of the incoming packets, accurate to milliseconds. This option is applicable to protocols that are not connection orientated. · SO_NOSIGPIPE—Disables the socket from sending data. As a result, a sigpipe cannot be established when a return failure occurs. · SO_FILTER—Supports setting the packet filter criterion. This option takes effect on the incoming packets. · SO_TIMESTAMPNS—Has a similar function with the timestamp, accurate to nanoseconds. · SO_SEQPACKET—Preserves the boundaries of packets sent to the socket buffer. · SO_FILLTWAMPTIME—Sets the timestamp for TWAMP. · SO_LOCAL—Local socket option. · SO_DONTDELIVER—Do not deliver the data to the application. · SO_UCM—Sets the IPoE enabling status. ‌This option is not supported in the current software version. · SO_RAWSLOT—Raw slot. · SO_LEASEDUSERID—Obtains a usable lease. · N/A—No options are set.
Error	Error code.
Receiving buffer (cc/hiwat/lowat/drop/state)	Displays receive buffer information in the following order: · cc—Used space. · hiwat—Maximum space. · lowat—Minimum space. · drop—Number of dropped packets. · state—Buffer state: ¡ CANTSENDMORE—Unable to send data to the peer. ¡ CANTRCVMORE—Unable to receive data from the peer. ¡ CANTREDUCESIZE—Unable to shorten the receiving buffer. ¡ RCVATMARK—Receiving tag. ¡ N/A—None of the above states.
Sending buffer (cc/hiwat/lowat/state)	Displays send buffer information in the following order: · cc—Used space. · hiwat—Maximum space. · lowat—Minimum space. · state—Buffer state: ¡ CANTSENDMORE—Unable to send data to the peer. ¡ CANTRCVMORE—Unable to receive data from the peer. ¡ RCVATMARK—Receiving tag. ¡ N/A—None of the above states.
Type	Socket type: · 1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams. · 2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission. · 3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header. · N/A—None of the above types.
Protocol	Number of the protocol using the socket.
Inpcb flags	Flags in the Internet PCB: · INP_RECVOPTS—Receives IP options. · INP_RECVRETOPTS—Receives replied IP options. · INP_RECVDSTADDR—Receives destination IP address. · INP_HDRINCL—Provides the entire IP header. · INP_REUSEADDR—Reuses the IP address. · INP_REUSEPORT—Reuses the port number. · INP_ANONPORT—Port number not specified. · INP_RECVIF—Records the input interface of the packet. · INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag. · INP_DONTFRAG—Sets the Don't Fragment flag. · INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag. · INP_PROTOCOL_PACKET—Identifies a protocol packet. · INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag. · INP_RCVMACADDR—Receives the MAC address of the frame. · INP_SNDBYLSPV—Sends through MPLS. · INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag. · INP_USEICMPSRC—Uses the specified IP address as the source IP address for outgoing ICMP packets. · INP_SYNCPCB—Waits until Internet PCB is synchronized. · INP_LOCAL—Preferentially matches the INPCB with this flag on the same card. · N/A—None of the above flags.
Inpcb extflag	Extension flags in the Internet PCB: · INP_EXTRCVPVCIDX—Records the PVC index of the received packet. · INP_RCVPWID—Records the PW ID of the received packet. · INP_EXTRCVICMPERR—Receives an ICMP error packet. · INP_EXTFILTER—Filters the contents in the received packet. · INP_EXTDONTDROP—Do not drop the received packet. · INP_EXLISTEN—Adds the INPCB carrying this flag to the listen hash table. · INP_SELECTMATCHSRCBYFIB—Uses the FIB table to select a matching source. · INP_EXTPRIVATESOCKET—Associates the INPCB with the NSR private socket. · INP_EXTNOCACHEPKT—Do not cache packets. · INP_EXTRCVVLANDOT1P—Obtains the Dot1p value of the VLAN tag in the received packet. · INP_EXTSNDDATAIF—Sets the output interface of data. · INP_EXTFREEBIND—The socket is not bound to an address or port. · INP_EXTRCVUPID—Obtains the UP ID from the received packet in the UCM control-/user-plane separated (CUPS) network. · INP_EXTINNERPROXY—Receives packets forwarded by the proxy. · INP_EXLISTENNET—Sets this flag when the connection information is added to the network segment linked list. · N/A—None of the above flags.
Inpcb vflag	IP version flags in the Internet PCB: · INP_IPV4—IPv4 protocol. · INP_TIMEWAIT—In TIMEWAIT state. · INP_ONESBCAST—Sends broadcast packets. · INP_DROPPED—Protocol dropped flag. · INP_SOCKREF—Strong socket reference. · INP_DONTBLOCK—Do not block synchronization of the Internet PCB. · N/A—None of the above flags.
TTL	TTL value in the Internet PCB.
Send VRF	VRF from which packets are sent.
Receive VRF	VRF from which packets are received.

‌

display tcp

Use display tcp to display brief information about TCP connections.

Syntax

display tcp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about TCP connections for all member devices.

Usage guidelines

Brief TCP connection information includes local IP address, local port number, peer IP address, peer port number, and TCP connection state.

Examples

# Display brief information about TCP connections.

<Sysname> display tcp

*: TCP connection with authentication

Local Addr:port Foreign Addr:port State Slot Cpu PCB

*0.0.0.0:21 0.0.0.0:0 LISTEN 1 0 0x000000000000c387

192.168.20.200:23 192.168.20.14:1284 ESTABLISHED 1 0 0x0000000000000009

192.168.20.200:23 192.168.20.14:1283 ESTABLISHED 1 0 0x0000000000000002

Table 5 Command output

Field	Description
*	Indicates that the TCP connection uses authentication.
Local Addr:port	Local IP address and port number.
Foreign Addr:port	Peer IP address and port number.
State	TCP connection state: · CLOSED—The server receives a disconnection request's reply from the client. · LISTEN—The server is waiting for connection requests. · SYN_SENT—The client is waiting for the server to reply to the connection request. · SYN_RCVD—The server receives a connection request. · ESTABLISHED—The server and client have established connections and can transmit data bidirectionally. · CLOSE_WAIT—The server receives a disconnection request from the client. · FIN_WAIT_1—The client is waiting for the server to reply to a disconnection request. · CLOSING—The server and client are waiting for peer's disconnection reply when receiving disconnection requests from each other. · LAST_ACK—The server is waiting for the client to reply to a disconnection request. · FIN_WAIT_2—The client receives a disconnection reply from the server. · TIME_WAIT—The client receives a disconnection request from the server.
PCB	PCB index.

‌

display tcp statistics

Use display tcp statistics to display TCP traffic statistics.

Syntax

display tcp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP traffic statistics for all member devices.

Usage guidelines

TCP traffic statistics include information about received and sent TCP packets and Syncache/syncookie.

Examples

# Display TCP traffic statistics.

<Sysname> display tcp statistics

Received packets:

Total: 4150

packets in sequence: 1366 (134675 bytes)

window probe packets: 0, window update packets: 0

checksum error: 0, offset error: 0, short error: 0

packets dropped for lack of memory: 0

packets dropped due to PAWS: 0

duplicate packets: 12 (36 bytes), partially duplicate packets: 0 (0 bytes)

out-of-order packets: 0 (0 bytes)

packets with data after window: 0 (0 bytes)

packets after close: 0

ACK packets: 3531 (795048 bytes)

duplicate ACK packets: 33, ACK packets for unsent data: 0

Sent packets:

Total: 4058

urgent packets: 0

control packets: 50

window probe packets: 3, window update packets: 11

data packets: 3862 (795012 bytes), data packets retransmitted: 0 (0 bytes)

ACK-only packets: 150 (52 delayed)

unnecessary packet retransmissions: 0

Syncache/syncookie related statistics:

entries added to syncache: 12

syncache entries retransmitted: 0

duplicate SYN packets: 0

reply failures: 0

successfully build new socket: 12

bucket overflows: 0

zone failures: 0

syncache entries removed due to RST: 0

syncache entries removed due to timed out: 0

ACK checked by syncache or syncookie failures: 0

syncache entries aborted: 0

syncache entries removed due to bad ACK: 0

syncache entries removed due to ICMP unreachable: 0

SYN cookies sent: 0

SYN cookies received: 0

SACK related statistics:

SACK recoveries: 1

SACK retransmitted segments: 0 (0 bytes)

SACK blocks (options) received: 0

SACK blocks (options) sent: 0

SACK scoreboard overflows: 0

Other statistics:

retransmitted timeout: 0, connections dropped in retransmitted timeout: 0

persist timeout: 0

keepalive timeout: 21, keepalive probe: 0

keepalive timeout, so connections disconnected: 0

fin_wait_2 timeout, so connections disconnected: 0

initiated connections: 29, accepted connections: 12, established connections:

closed connections: 50051 (dropped: 0, initiated dropped: 0)

bad connection attempt: 0

ignored RSTs in the window: 0

listen queue overflows: 0

RTT updates: 3518(attempt segment: 3537)

correct ACK header predictions: 0

correct data packet header predictions: 568

resends due to MTU discovery: 0

packets dropped due to MD5 authentication failure: 0

packets that passed MD5 authentication: 0

sent Keychain-encrypted packets: 0

packets that passed Keychain authentication: 0

packets dropped due to Keychain authentication failure: 0

Related commands

reset tcp statistics

display tcp verbose

Use display tcp verbose to display detailed information about TCP connections.

Syntax

display tcp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed TCP connection information for the specified PCB. The index value is a hexadecimal string in the range of 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about TCP connections for all member devices.

Usage guidelines

The detailed TCP connection information includes socket creator, state, option, type, protocol number, source IP address and port number, destination IP address and port number, and connection state.

Examples

# Display detailed information about TCP connections.

<Sysname> display tcp verbose

TCP inpcb number: 1(tcpcb number: 1)

Connection info: src = 192.168.20.200:179 , dst = 192.168.20.14:4181

Location: slot 1

NSR standby: N/A

Creator: ping[320]

State: ISCONNECTED

Options: N/A

Error: 0

Receiving buffer(cc/hiwat/lowat/state): 0 / 65700 / 1 / N/A

Sending buffer(cc/hiwat/lowat/state): 0 / 65700 / 512 / N/A

Type: 1

Protocol: 6

Inpcb flags: N/A

Inpcb extflag: N/A

Inpcb vflag: INP_IPV4

TTL: 255(minimum TTL: 0)

Connection state: ESTABLISHED

TCP options: TF_REQ_SCALE TF_REQ_TSTMP TF_SACK_PERMIT TF_NSR

NSR state: READY(M)

Send VRF: 0x0

Receive VRF: 0x0

Error count in abnormal-packet-defend period: 0

Checksum errors: 0

Duplicate packets: 0

Part-Duplicate packets: 0

Out-of-order packets: 0

Duplicate ACK packets: 0

Out-of-order ACK packets: 0

Packets with data out of window: 0

MD5 authentication errors: 0

Keychain authentication errors: 0

Timestamp errors: 0

Maximum Segment Size (MSS): 512

Window Scale (wscale): 0

Retransmission Timeout (rto): 3000000.0ms

Retransmission Count/Total: 0/0

Round-trip Time (rtt/rtvar): 0.0ms/12000000.0ms

Delayed Ack Timeout (ato): 100000.0ms

Congestion Window (cwnd): 1073725440

TCP Throughput: 0.00 Mbps

sendpps/sendkbps/recvpps/recvkbps/: 0/0.000/0/0.000

iss/unack/next/max/wnd: 0/0/0/0/0

irs/undeliver/next/adv/wnd: 0/0/0/0/0

NSR Info:

Total Recv/Send Count(history Recv/history Send): 41/43(41/43)

EnableMsg Recv/Send Count(history Recv/history Send): 1/2(1/2)

DisableMsg Recv/Send Count(history Recv/history Send): 0/1(0/1)

SlotchangeMsg Recv/Send Count(history Recv/history Send): 0/1(0/1)

ReadyMsg Recv/Send Count(history Recv/history Send): 2/1(2/1)

PullMsg Recv/Send Count(history Recv/history Send): 2/1(2/1)

BriefdataMsg Recv/Send Count(history Recv/history Send): 1/2(1/2)

PktMsg Recv/Send Count(history Recv/history Send): 35/35(35/35)

CmdMsg Recv/Send Count(history Recv/history Send): 0/0(0/0)

Recent Recv/Send Seq: 41/43

Recent Recv/Send Time: 11:14:44:469624 May 23 2022/11:14:44:467624 May 23 2022

Option Value:

rcvsb_timeo/sndsb_timeo/pd_type/pd_len: 0/0/0/0

so_linger: 1

ka_idle/ka_intval/ka_count: 0/0/0

so_accept_filter_str: filter1

Md5 Password:123

Tcp Key Chain: key123

Out Interface/NextHop/Local Address: 0/0.0.0.0/0.0.0.0

Filter Offset/Length/Value/Mask: 0/0/00 00 00 00 00 00 00 00 /00 00 0 00 00 00 00 00

Ip Tos/McastTTL/McastLoop/ Mcast Interface Index: 192/0/0/0

Acl Index/MacIndex: 4294967295/4294967295

Mpls Flag/Label: 0/4294967295

Kernel Event ID: 0

Send Mac: 0000-0000-0000

Bier TTL/Entropy/TunnelID: 0/0/0

Ip Option Hdr: 0x01 02 03

Table 6 Command output

Field	Description
TCP inpcb number	Number of TCP IP PCBs.
Connection info	Connection information, including source IP address, source port number, destination IP address, and destination port number.
Location	Socket location.
NSR standby	IRF member ID and slot number where the NSR standby resides. If no NSR standby exists, this field displays N/A.
tcpcb number	Number of TCP PCBs. This field is not displayed if the state of the TCP connection is TIME_WAIT.
Creator	Name of the operation that created the socket. The number in brackets is the process number of the creator.
State	Socket state: · NOFDREF—The user has closed the connection. · ISCONNECTED—The connection has been established. · ISCONNECTING—The connection is being established. · ISDISCONNECTING—The connection is being interrupted. · ASYNC—Asynchronous mode. · ISDISCONNECTED—The connection has been terminated. · ISSMOOTHING—Cross-card data smoothing is in progress. · CANBIND—The socket supports the bind operation. · PROTOREF—Indicates strong protocol reference. · ISPCBSYNCING—Cross-card PCB synchronization is in progress. · N/A—None of above state.
Options	Socket options: · SO_DEBUG—Records socket debugging information. · SO_ACCEPTCONN—Enables the server to listen connection requests. · SO_REUSEADDR—Allows the local address reuse. · SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive. · SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network. · SO_BROADCAST—Supports broadcast packets. · SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer. · SO_OOBINLINE—Stores the out-of-band data in the input queue. · SO_REUSEPORT—Allows the local port reuse. · SO_TIMESTAMP—Records the timestamps of the incoming packets, accurate to milliseconds. This option is applicable to protocols that are not connection orientated. · SO_NOSIGPIPE—Disables the socket from sending data. As a result, a sigpipe cannot be established when a return failure occurs. · SO_TIMESTAMPNS—Has a similar function with the timestamp, accurate to nanoseconds. · SO_KEEPALIVETIME—Sets a keepalive time. · SO_SEQPACKET—Preserves the boundaries of packets sent to the socket buffer. · SO_USCBINDEX—Obtains the user profile index from the received packets. · SO_FILLTWAMPTIME—Sets the timestamp for TWAMP. · SO_LOCAL—Local socket option. · SO_DONTDELIVER—Do not deliver the data to the application. · SO_UCM—Sets the IPoE enabling status. ‌This option is not supported in the current software version. · SO_RAWSLOT—Raw slot. · SO_LEASEDUSERID—Obtains a usable lease. · N/A—No options are set.
Error	Error code.
Receiving buffer (cc/hiwat/lowat/state)	Displays receive buffer information in the following order: · cc—Used space. · hiwat—Maximum space. · lowat—Minimum space. · state—Buffer state: ¡ CANTSENDMORE—Unable to send data to the peer. ¡ CANTRCVMORE—Unable to receive data from the peer. ¡ RCVATMARK—Receiving tag. ¡ N/A—None of the above states.
Sending buffer (cc/hiwat/lowat/state)	Displays send buffer information in the following order: · cc—Used space. · hiwat—Maximum space. · lowat—Minimum space. · state—Buffer state: ¡ CANTSENDMORE—Unable to send data to the peer. ¡ CANTRCVMORE—Unable to receive data from the peer. ¡ RCVATMARK—Receiving tag. ¡ N/A—None of the above states.
Type	Socket type: · 1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams. · 2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission. · 3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header. · N/A—None of the above types.
Protocol	Number of the protocol using the socket.
Inpcb flags	Flags in the Internet PCB: · INP_RECVOPTS—Receives IP options. · INP_RECVRETOPTS—Receives replied IP options. · INP_RECVDSTADDR—Receives destination IP address. · INP_HDRINCL—Provides the entire IP header. · INP_REUSEADDR—Reuses the IP address. · INP_REUSEPORT—Reuses the port number. · INP_ANONPORT—Port number not specified. · INP_RECVIF—Records the input interface of the packet. · INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag. · INP_DONTFRAG—Sets the Don't Fragment flag. · INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag. · INP_PROTOCOL_PACKET—Identifies a protocol packet. · INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag. · INP_RCVMACADDR—Receives the MAC address of the frame. · INP_SNDBYLSPV—Sends through MPLS. · INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag. · INP_SYNCPCB—Waits until Internet PCB is synchronized. · INP_LOCAL—Preferentially matches the INPCB with this flag on the same card. · N/A—None of the above flags.
Inpcb extflag	Extension flags in the Internet PCB: · INP_EXTRCVPVCIDX—Records the PVC index of the received packet. · INP_RCVPWID—Records the PW ID of the received packet. · INP_EXTDONTDROP—Does not drop the received packet. · INP_EXTFILTER—Filters the contents in the received packets. · INP_SELECTMATCHSRCBYFIB—Uses the FIB table to select a matching source. · INP_EXTRCVICMPERR—Receives an ICMP error packet. · INP_EXTPRIVATESOCKET—Associates the INPCB with the NSR private socket. · INP_EXTNOCACHEPKT—Do not cache packets. · INP_EXTRCVVLANDOT1P—Obtains the Dot1p value of the VLAN tag in the received packet. · INP_EXTSNDDATAIF—Sets the output interface of data. · INP_EXTFREEBIND—The socket is not bound to an address or port. · INP_EXTRCVUPID—Obtains the UP ID from the received packet in the UCM control-/user-plane separated (CUPS) network. · INP_EXTINNERPROXY—Receives packets forwarded by the proxy. · INP_EXLISTENNET—Sets this flag when the connection information is added to the network segment linked list. · N/A—None of the above flags.
Inpcb vflag	IP version flags in the Internet PCB: · INP_IPV4—IPv4 protocol. · INP_TIMEWAIT—In TIMEWAIT state. · INP_ONESBCAST—Sends broadcast packets. · INP_DROPPED—Protocol dropped flag. · INP_SOCKREF—Strong socket reference. · INP_DONTBLOCK—Do not block synchronization of the Internet PCB. · N/A—None of the above flags.
TTL	TTL value in the Internet PCB.
Connection state	TCP connection state: · CLOSED—The server receives a disconnection request's reply from the client. · LISTEN—The server is waiting for connection requests. · SYN_SENT—The client is waiting for the server to reply to the connection request. · SYN_RCVD—The server receives a connection request. · ESTABLISHED—The server and client have established connections and can transmit data bidirectionally. · CLOSE_WAIT—The server receives a disconnection request from the client. · FIN_WAIT_1—The client is waiting for the server to reply to a disconnection request. · CLOSING—The server and client are waiting for peer's disconnection reply when receiving disconnection requests from each other. · LAST_ACK—The server is waiting for the client to reply to a disconnection request. · FIN_WAIT_2—The client receives a disconnection reply from the server. · TIME_WAIT—The client receives a disconnection request from the server.
TCP options	TCP options: · TF_DELACK—Delays sending ACK packets. · TF_SENTFIN—A FIN packet has been sent. · TF_RCVD_SCALE—Requests the receive window size scale factor. · TF_RCVD_TSTMP—A timestamp was received in the SYN packet. · TF_NEEDSYN—Sends a SYN packet. · TF_NEEDFIN—Sends a FIN packet. · TF_MORETOCOME—More data is to be added to the socket. · TF_LQ_OVERFLOW—The listening queue overflows. · TF_LASTIDLE—Idle connection. · TF_RXWIN0SENT—A reply with receive window size 0 was sent. · TF_FASTRECOVERY—Enters NewReno fast recovery mode. · TF_WASFRECOVERY—In NewReno fast recovery mode. · TF_SIGNATURE—MD5 signature. · TF_FORCEDATA—Forces to send one byte. · TF_TSO—TSO is enabled. · TF_PMTU—Supports RFC 1191. · TF_PMTUD—Starts Path MTU discovery. · TF_PASSIVE_CONN—Passive connection. · TF_APP_SEND—The application sends data. · TF_NODELAY—Disables the Nagle algorithm that buffers the sent data inside the TCP. · TF_NOOPT—No TCP options. · TF_NOPUSH—Forces TCP to delay sending any TCP data until a full sized segment is buffered in the TCP buffers. · TF_NSR—Enables TCP NSR. · TF_REQ_SCALE—Enables the TCP window scale option. · TF_REQ_TSTMP—Enables the time stamp option. · TF_SACK_PERMIT—Enables the TCP selective acknowledgement option. · TF_ENHANCED_AUTH—Enables the enhanced authentication option.
NSR state	NSR state of the TCP connection: · CLOSED—Closed (initial) state. · CLOSING—The connection is to be closed. · ENABLED—The connection backup is enabled. · OPEN—The connection synchronization has started. · PENDING—The connection backup is not ready. · READY—The connection backup is ready. · SMOOTH—The connection data is being smoothed. Between the parentheses is the role of the connection: · M—Main connection. · S—Standby connection.
Send VRF	VRF from which packets are sent.
Receive VRF	VRF from which packets are received.
Error count in abnormal-packet-defend period	Number of error packets received in one abnormal-packet-defend period if attack prevention is enabled for TCP connections.
Checksum errors	Number of received packets with checksum errors.
Duplicate packets	Number of received duplicate packets.
Part-Duplicate packets	Number of received partially duplicate packets.
Out-of-order packets	Number of received out-of-order packets.
Duplicate ACK packets	Number of received duplicate ACK packets.
Out-of-order ACK packets	Number of received out-of-order ACK packets.
Packets with data out of window	Number of received packets whose serial number is out of the sliding window range.
MD5 authentication errors	Number of packets with failed MD5 authentication.
Keychain authentication errors	Number of packets with failed Keychain authentication.
Timestamp errors	Number of packets with timestamp errors.
Maximum Segment Size (MSS)	Maximum segment size.
Window Scale (wscale)	Window scale.
Retransmission Timeout (rto)	Retransmission timeout in milliseconds.
Retransmission Count/Total	Current number retransmissions/total number of retransmissions.
Round-trip Time (rtt/rtvar)	Average round-trip time in milliseconds.
Delayed Ack Timeout (ato)	Delayed acknowledgement timeout in milliseconds.
Congestion Window (cwnd)	Sequence number of the packet at the congestion window.
TCP Throughput	TCP throughput in Mbps.
sendpps/sendbps/recvpps/recvbps	· sendpps—Number of packets sent per second. · sendbps—Bytes sent per second. · recvpps—Number of packets received per second. · recvbps—Bytes received per second.
Iss/unack/next/max/wnd	· Iss—Local initial sequence number. · unack—Sequence number of sent packet that has not been acknowledged. · next—Sequence number for next sending. · max—Maximum sequence number for sending. · wnd—Sequence number of the packet at the sending window.
Irs/undeliver/next/adv/wnd	· Irs—Peer initial sequence number. · undeliver—Sequence number of the packet that has not been reported. · next—Sequence number for next sending. · adv—Size of the receiving buffer. · wnd—Sequence number of the packet at the notification receiving window.
Total Recv/Send Count	Total number of received/sent packets through the LIPC connection between TCP NSR active and standby connections.
EnableMsg Recv/Send Count	Number of received/sent EnableMsg messages through the LIPC connection between TCP NSR active and standby connections.
DisableMsg Recv/Send Count	Number of received/sent DisableMsg messages through the LIPC connection between TCP NSR active and standby connections.
SlotchangeMsg Recv/Send Count	Number of received/sent SlotchangeMsg messages through the LIPC connection between TCP NSR active and standby connections.
ReadyMsg Recv/Send Count	Number of received/sent ReadyMsg messages through the LIPC connection between TCP NSR active and standby connections.
PullMsg Recv/Send Count	Number of received/sent PullMsg messages through the LIPC connection between TCP NSR active and standby connections.
BriefdataMsg Recv/Send Count	Number of received/sent BriefdataMsg messages through the LIPC connection between TCP NSR active and standby connections.
PktMsg Recv/Send Count	Number of received/sent PktMsg messages through the LIPC connection between TCP NSR active and standby connections.
CmdMsg Recv/Send Count	Number of received/sent CmdMsg messages through the LIPC connection between TCP NSR active and standby connections.
history Recv/history Send	Number of received/sent history messages through the LIPC connection between TCP NSR active and standby connections.
Recent Recv/Send Seq	Sequence number of the message received/sent most recently between TCP NSR active and standby connections.
Recent Recv/Send Time	Absolute time of the most recent message receiving/sending between TCP NSR active and standby connections.
rcvsb_timeo/sndsb_timeo/pd_type/pd_len	· rcvsb_timeo—Socket receiving buffer timeout. · sndsb_timeo—Socket sending buffer timeout in jiffies. · pd_type—Socket private data type. · pd_len—Socket private data length in bytes.
so_linger	Socket linger value.
ka_idle/ka_interval/ka_cout	· ka_idle—Socket keepalive idle timeout. · ka_interval—Socket keepalive interval. · ka_cout—Socket keepalive count.
so_accept_filter_str	Name of the socket packet receiving filter.
Md5 Password	TCP MD5 password.
Tcp Key Chain	TCP keychain name.
Out Interface/NextHop/Local Address	· Out Interface—Outgoing interface. · NextHop. · Local Address.
Filter Offset/Length/Value/Mask	Pcb filter offset, length, value, and mask.
Ip Tos/McastTTL/McastLoop/Mcast Interface Index:	· Ip Tos—IP TOS value. · McastTTL—Multicast TTL. · McastLoop—Multicast loop. · Mcast Interface Index—Multicast interface index.
Acl Index/MacIndex	· Acl Index—ACL filtering parameters. · MacIndex—Layer 2 ACL parameters.
Mpls Flag/Label	‌MPLS flag and MPLS label.
Send Mac	Peer MAC address specified for packet sending of upper-layer applications.
Bier TTL/Entropy/TunnelID	· Bier TTL. · Entropy—BIER grouping flag. · TunnelID—BIER tunnel ID.
Ip Option Hdr	IP options required in a TCP packet.

‌

display udp

Use display udp to display brief information about UDP connections.

Syntax

display udp [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays brief information about UDP connections for all member devices.

Usage guidelines

Brief UDP connection information includes local IP address and port number, and peer IP address and port number.

Examples

# Display brief information about UDP connections.

<Sysname> display udp

Local Addr:port Foreign Addr:port Slot Cpu PCB

0.0.0.0:69 0.0.0.0:0 1 0 0x0000000000000003

192.168.20.200:1024 192.168.20.14:69 5 0 0x0000000000000002

Table 7 Command output

Field	Description
Local Addr:port	Local IP address and port number.
Foreign Addr:port	Peer IP address and port number.
PCB	PCB index.

‌

display udp statistics

Use display udp statistics to display UDP traffic statistics.

Syntax

display udp statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays UDP traffic statistics for all member devices.

Usage guidelines

UDP traffic statistics include information about received and sent UDP packets.

Examples

# Display UDP traffic statistics.

<Sysname> display udp statistics

Received packets:

Total: 240

checksum error: 0, no checksum: 0

shorter than header: 0, data length larger than packet: 0

no socket on port(unicast): 0

no socket on port(broadcast/multicast): 240

not delivered, input socket full: 0

Sent packets:

Total: 0

Related commands

reset udp statistics

display udp verbose

Use display udp verbose to display detailed information about UDP connections.

Syntax

display udp verbose [ slot slot-number [ pcb pcb-index ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

pcb pcb-index: Displays detailed UDP connection information for the specified PCB. The index value is a hexadecimal string in the range of 1 to 16.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays detailed information about UDP connections for all member devices.

Usage guidelines

The detailed information includes socket creator, status, option, type, protocol number, source IP address and port number, and destination IP address and port number for UDP connections.

Examples

# Display detailed UDP connection information.

<Sysname> display udp verbose

Total UDP socket number: 1

Connection info: src = 0.0.0.0:69, dst = 0.0.0.0:0

Location: slot 1

Creator: sock_test_mips[250]

State: N/A

Options: N/A

Error: 0

Receiving buffer(cc/hiwat/lowat/drop/state): 0 / 41600 / 1 / 0 / N/A

Sending buffer(cc/hiwat/lowat/state): 0 / 9216 / 512 / N/A

Type: 2

Protocol: 17

Inpcb flags: N/A

Inpcb extflag: N/A

Inpcb vflag: INP_IPV4

TTL: 255(minimum TTL: 0)

Send VRF: 0xffff

Receive VRF: 0xffff

Table 8 Command output

Field	Description
Total UDP socket number	Total number of UDP sockets.
Connection info	Connection information, including source IP address, source port number, destination IP address, and destination port number.
Location	Socket location.
Creator	Name of the operation that created the socket. The number in brackets is the process number of the creator.
State	Socket state: · NOFDREF—The user has closed the connection. · ISCONNECTED—The connection has been established. · ISCONNECTING—The connection is being established. · ISDISCONNECTING—The connection is being interrupted. · ASYNC—Asynchronous mode. · ISDISCONNECTED—The connection has been terminated. · ISSMOOTHING—Cross-card data smoothing is in progress. · CANBIND—The socket supports the bind operation. · PROTOREF—Indicates strong protocol reference. · ISPCBSYNCING—Cross-card PCB synchronization is in progress. · N/A—None of above state.
Options	Socket options: · SO_DEBUG—Records socket debugging information. · SO_ACCEPTCONN—Enables the server to listen connection requests. · SO_REUSEADDR—Allows the local address reuse. · SO_KEEPALIVE—Requires the protocol to test whether the connection is still alive. · SO_DONTROUTE—Bypasses the routing table query for outgoing packets because the destination is in a directly connected network. · SO_BROADCAST—Supports broadcast packets. · SO_LINGER—Closes the socket. The system can still send remaining data in the socket send buffer. · SO_OOBINLINE—Stores the out-o-band data in the input queue. · SO_REUSEPORT—Allows the local port reuse. · SO_TIMESTAMP—Records the timestamps of the input packets, accurate to milliseconds. This option is applicable to protocols that are not connection orientated. · SO_NOSIGPIPE—Disables the socket from sending data. As a result, a sigpipe cannot be established when a return failure occurs. · SO_TIMESTAMPNS—Has a similar function with the timestamp, accurate to nanoseconds. · SO_SEQPACKET—Preserves the boundaries of packets sent to the socket buffer. · SO_USCBINDEX—Obtains the user profile index from the received packets. · SO_FILLTWAMPTIME—Sets the timestamp for TWAMP. · SO_LOCAL—Local socket option. · SO_DONTDELIVER—Do not deliver the data to the application. · SO_UCM—Sets the IPoE enabling status. ‌This option is not supported in the current software version. · SO_RAWSLOT—Raw slot. · SO_LEASEDUSERID—Obtains a usable lease. · N/A—No options are set.
Error	Error code.
Receiving buffer(cc/hiwat/lowat/drop/state)	Displays receive buffer information in the following order: · cc—Used space. · hiwat—Maximum space. · lowat—Minimum space. · drop—Number of dropped packets. · state—Buffer state: ¡ CANTSENDMORE—Unable to send data to the peer. ¡ CANTRCVMORE—Unable to receive data from the peer. ¡ RCVATMARK—Receiving tag. ¡ N/A—None of the above states.
Sending buffer(cc/hiwat/lowat/state)	Displays send buffer information in the following order: · cc—Used space. · hiwat—Maximum space. · lowat—Minimum space. · state—Buffer state: ¡ CANTSENDMORE—Unable to send data to the peer. ¡ CANTRCVMORE—Unable to receive data from the peer. ¡ RCVATMARK—Receiving tag. ¡ N/A—None of the above states.
Type	Socket type: · 1—SOCK_STREAM. This socket uses TCP to provide reliable transmission of byte streams. · 2—SOCK_DGRAM. This socket uses UDP to provide datagram transmission. · 3—SOCK_RAW. This socket allows an application to change the next upper-layer protocol header. · N/A—None of the above types.
Protocol	Number of the protocol using the socket.
Inpcb flags	Flags in the Internet PCB: · INP_RECVOPTS—Receives IP options. · INP_RECVRETOPTS—Receives replied IP options. · INP_RECVDSTADDR—Receives destination IP address. · INP_HDRINCL—Provides the entire IP header. · INP_REUSEADDR—Reuses the IP address. · INP_REUSEPORT—Reuses the port number. · INP_ANONPORT—Port number not specified. · INP_RECVIF—Records the input interface of the packet. · INP_RECVTTL—Receives TTL of the packet. Only UDP and RawIP support this flag. · INP_DONTFRAG—Sets the Don't Fragment flag. · INP_ROUTER_ALERT—Receives packets with the router alert option. Only RawIP supports this flag. · INP_PROTOCOL_PACKET—Identifies a protocol packet. · INP_RCVVLANID—Receives the VLAN ID of the packet. Only UDP and RawIP support this flag. · INP_RCVMACADDR—Receives the MAC address of the frame. · INP_SNDBYLSPV—Sends through MPLS. · INP_RECVTOS—Receives TOS of the packet. Only UDP and RawIP support this flag. · INP_SYNCPCB—Waits until Internet PCB is synchronized. · INP_LOCAL—Preferentially matches the INPCB with this flag on the same card. · N/A—None of the above flags.
Inpcb extflag	Extension flags in the Internet PCB: · INP_EXTRCVPVCIDX—Records the PVC index of the received packet. · INP_RCVPWID—Records the PW ID of the received packet. · INP_EXTDONTDROP—Do not drop the received packet. · INP_EXLISTEN—Adds the INPCB carrying this flag to the listen hash table. · INP_EXTFILTER—Filters the contents in the received packets. · INP_SELECTMATCHSRCBYFIB—Uses the FIB table to select a matching source. · INP_EXTRCVICMPERR—Receives an ICMP error packet. · INP_EXTPRIVATESOCKET—Associates the INPCB with the NSR private socket. · INP_EXTNOCACHEPKT—Do not cache packets. · INP_EXTRCVVLANDOT1P—Obtains the Dot1p value of the VLAN tag in the received packet. · INP_EXTSNDDATAIF—Sets the output interface of data. · INP_EXTFREEBIND—The socket is not bound to an address or port. · INP_EXTRCVUPID—Obtains the UP ID from the received packet in the UCM control-/user-plane separated (CUPS) network. · INP_EXTINNERPROXY—Receives packets forwarded by the proxy. · INP_EXLISTENNET—Sets this flag when the connection information is added to the network segment linked list. · N/A—None of the above flags.
Inpcb vflag	IP version flags in the Internet PCB: · INP_IPV4—IPv4 protocol. · INP_TIMEWAIT—In TIMEWAIT state. · INP_ONESBCAST—Sends broadcast packets. · INP_DROPPED—Protocol dropped flag. · INP_SOCKREF—Strong socket reference. · INP_DONTBLOCK—Do not block synchronization of the Internet PCB. · N/A—None of the above flags.
TTL	TTL value in the Internet PCB.
Send VRF	VRF from which packets are sent.
Receive VRF	VRF from which packets are received.

‌

ip forward-broadcast

Use ip forward-broadcast to enable an interface to forward directed broadcast packets destined for the directly connected network.

Use undo ip forward-broadcast to disable an interface from forwarding directed broadcast packets destined for the directly connected network.

Syntax

ip forward-broadcast [ acl acl-number ]

undo ip forward-broadcast

Default

An interface cannot forward directed broadcasts destined for the directly connected network.

Views

Interface view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an ACL by its number. The interface forwards only the directed broadcasts permitted by the ACL. The value range for basic ACLs is 2000 to 2999. The value range for advanced ACLs is 3000 to 3999.

Usage guidelines

A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.

If an interface is allowed to forward directed broadcasts destined for the directly connected network, hackers can exploit this vulnerability to attack the target network. In some scenarios, however, an interface must send such directed broadcast packets to support UDP helper and Wake on LAN.

The command enables the interface to forward directed broadcast packets that are destined for the directly connected network and are received from another subnet to support Wake on LAN. Wake on LAN sends the directed broadcasts to wake up the hosts on the target network.

When you specify an ACL, follow these guidelines:

· If the specified ACL does not exist or has no rules, the interface cannot forward any directed broadcast packets that are destined for the directly connected network.

· If a rule in the specified ACL is applied to a VPN instance, the rule takes effect only on VPN packets.

· If a rule in the specified ACL is not applied to any VPN instance, the rule takes effect only on public-network packets.

Examples

# Enable VLAN-interface 2 to forward directed broadcast packets destined for the directly connected network.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] ip forward-broadcast

ip icmp broadcast-echo-reply enable

Use ip icmp broadcast-echo-reply enable to enable the device to respond to broadcast echo requests.

Use undo ip icmp broadcast-echo-reply enable to disable the device from responding to broadcast echo requests.

Syntax

ip icmp broadcast-echo-reply enable

undo ip icmp broadcast-echo-reply enable

Default

The device responds to broadcast echo requests.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When you use the ping command to ping a broadcast address, all devices that have received the ICMP echo request must respond to the request. Attackers might exploit this mechanism to launch an ICMP flood attack. The victims will respond to ICMP echo requests frequently, which degrades their forwarding performance. To resolve this issue, use this command to disable the device from responding to broadcast echo requests.

You can also disable response to broadcast echo requests in the following scenarios:

· The device has received too many broadcast packets.

· The CPU usage of the device is too high.

Examples

# Disable response to broadcast echo requests.

<Sysname> system-view

[Sysname] undo ip icmp broadcast-echo-reply enable

ip icmp error-interval

Use ip icmp error-interval to set the interval for tokens to arrive in the bucket and the bucket size for ICMP error messages.

Use undo ip icmp error-interval to restore the default.

Syntax

ip icmp error-interval interval [ bucketsize ]

undo ip icmp error-interval

Default

A token is placed in the bucket every 100 milliseconds, and the bucket allows a maximum of 10 tokens.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval for tokens to arrive in the bucket. The value range is 0 to 2147483647 milliseconds. To disable the ICMP rate limit, set the value to 0.

bucketsize: Specifies the maximum number of tokens allowed in the bucket. The value range is 1 to 200.

Usage guidelines

This command limits the rate at which ICMP error messages are sent. Use this command to avoid sending excessive ICMP error messages within a short period that might cause network congestion. A token bucket algorithm is used with one token representing one ICMP error message.

A token is placed in the bucket at intervals until the maximum number of tokens that the bucket can hold is reached.

A token is removed from the bucket when an ICMP error message is sent. When the bucket is empty, ICMP error messages are not sent until a new token is placed in the bucket.

Examples

# Set the interval to 200 milliseconds for tokens to arrive in the bucket and the bucket size to 40 tokens for ICMP error messages.

<Sysname> system-view

[Sysname] ip icmp error-interval 200 40

ip icmp fragment discarding

Use ip icmp fragment discarding to disable forwarding of ICMP fragments.

Use undo ip icmp fragment discarding to enable forwarding of ICMP fragments.

Syntax

ip icmp fragment discarding

undo ip icmp fragment discarding

Default

Forwarding of ICMP fragments is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Disabling forwarding of ICMP fragments can prevent ICMP fragment attacks.

Examples

# Disable forwarding of ICMP fragments.

<Sysname> system-view

[Sysname] ip icmp fragment discarding

ip icmp receive enable

Use ip icmp receive enable to enable the device to receive a specific type of ICMP messages.

Use undo ip icmp receive enable to disable the device from receiving a specific type of ICMP messages.

Syntax

ip icmp { name icmp-name | type icmp-type code icmp-code } receive enable

undo ip icmp { name icmp-name | type icmp-type code icmp-code } receive enable

Default

The device can receive all types of ICMP messages.

Views

System view

Predefined user roles

network-admin

Parameters

name icmp-name: Specifies an ICMP message name, a case-insensitive string of 1 to 20 characters.

type icmp-type: Specifies an ICMP message type. The value range for the icmp-type argument is 0 to 255.

code icmp-code: Specifies an ICMP message code. The value range for the icmp-code argument is 0 to 255.

Usage guidelines

CAUTION:

Disabling receiving ICMP messages of a specific type might affect network operation. Please use this feature with caution.

‌

By default, the device receives all types of ICMP messages. Such a setting might affect device performance if a large number of ICMP responses are received within a short time. To solve this issue, you can use this command to disable the device from receiving a specific type of ICMP messages.

Table 9 shows common ICMP messages and their meanings.

Table 9 Common ICMP messages

Name	Type	Code	Description
echo	8	0	Echo request used to ping a target node.
echo-reply	0	0	Echo reply sent by a target node after receiving an echo request.
fragmentneed-dfset	3	4	Packets that need fragmentation but have the DF bit set.
host-redirect	5	1	Host redirection.
host-tos-redirect	5	3	Host ToS redirection.
host-unreachable	3	1	Unreachable host.
information-reply	16	0	Information reply.
information-request	15	0	Information request.
net-redirect	5	0	Network redirection.
net-tos-redirect	5	2	Network ToS redirection.
net-unreachable	3	0	Unreachable network.
parameter-problem	12	0	Invalid parameter.
port-unreachable	3	3	Unreachable port.
protocol-unreachable	3	2	Unreachable protocol.
reassembly-timeout	11	1	Fragment reassembly timeout.
source-quench	4	0	Source quench message.
source-route-failed	3	5	Source route failure.
timestamp-reply	14	0	Timestamp reply.
timestamp-request	13	0	Timestamp request.
ttl-exceeded	11	0	TTL exceeded in transit.

‌

Examples

# Enable the device to receive ICMP echo reply messages.

<Sysname> system-view

[Sysname] ip icmp name echo-reply receive enable

ip icmp send enable

Use ip icmp send enable to enable the device to send a specific type of ICMP messages.

Use undo ip icmp send enable to disable the device from sending a specific type of ICMP messages.

Syntax

ip icmp { name icmp-name | type icmp-type code icmp-code } send enable

undo ip icmp { name icmp-name | type icmp-type code icmp-code } send enable

Default

The device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages.

Views

System view

Predefined user roles

network-admin

Parameters

name icmp-name: Specifies an ICMP message name, a case-insensitive string of 1 to 20 characters.

type icmp-type: Specifies an ICMP message type. The value range for the icmp-type argument is 0 to 255.

code icmp-code: Specifies an ICMP message code. The value range for the icmp-code argument is 0 to 255.

Usage guidelines

CAUTION:

Disabling sending ICMP messages of a specific type might affect network operation. Please use this feature with caution.

By default, t he device sends all types of ICMP messages except Destination Unreachable, Time Exceeded, and Redirect messages. Attackers might obtain information from specific types of ICMP messages, causing security issues.

For security purposes, you can use this command to disable the device from sending ICMP messages of specific types.

To enable sending Destination Unreachable, Time Exceeded, or Redirect messages, you can perform one of the following tasks:

· Execute the ip icmp send enable command.

· Execute one of the following commands as needed:

¡ ip unreachables enable

¡ ip ttl-expires enable

¡ ip redirects enable

Table 9 shows common ICMP messages and their meanings.

Examples

# Enable the device to send ICMP echo reply messages.

<Sysname> system-view

[Sysname] ip icmp name echo-reply send enable

Related commands

ip icmp fragment discarding

ip redirects enable

ip ttl-expires enable

ip unreachables enable

ip icmp source

Use ip icmp source to specify the source address for outgoing ICMP packets.

Use undo ip icmp source to remove the specified source address for outgoing ICMP packets.

Syntax

ip icmp source [ vpn-instance vpn-instance-name ] ip-address

undo ip icmp source [ vpn-instance vpn-instance-name ]

Default

No source address is specified for outgoing ICMP packets. The default source IP addresses for different types of ICMP packets vary as follows:

· For an ICMP error message, the source IP address is the IP address of the receiving interface of the packet that triggers the ICMP error message. ICMP error messages include Time Exceeded, Port Unreachable, and Parameter Problem messages.

· For an ICMP echo request, the source IP address is the IP address of the sending interface.

· For an ICMP echo reply, the source IP address is the destination IP address of the ICMP echo request specific to this reply.

Views

System view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the specified address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. The specified VPN instance must exist. If you do not specify a VPN instance, the ip-address argument specifies an IP address on the public network.

ip-address: Specifies an IP address.

Usage guidelines

It is a good practice to specify the IP address of the loopback interface as the source IP address for outgoing ping echo request and ICMP error messages. This feature helps users to locate the sending device easily.

Examples

# Specify 1.1.1.1 as the source address for outgoing ICMP packets.

<Sysname> system-view

[Sysname] ip icmp source 1.1.1.1

ip mtu

Use ip mtu to set the interface MTU for IPv4 packets. The setting defines the largest size of an IPv4 packet that an interface can transmit without fragmentation.

Use undo ip mtu to restore the default.

Syntax

ip mtu mtu-size

undo ip mtu

Default

The interface MTU is not set.

Views

Interface view

Predefined user roles

network-admin

Parameters

mtu-size: Specifies the MTU in bytes. The value range for the mtu-size argument varies by interface type as follows:

· For VLAN interfaces, VSI interfaces, Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, Layer 3 aggregate interfaces, and Layer 3 aggregate subinterfaces, the value range is 128 to 9198.

· For tunnel interfaces, the value range is 128 to 64000.

· For network management interfaces, the value range is 128 to 1500.

Usage guidelines

When a packet exceeds the MTU of the sending interface, the device processes the packet in one of the following ways:

· If the packet disallows fragmentation, the device discards it.

· If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembling consume system resources, so set an appropriate MTU to avoid fragmentation.

If an interface supports both the mtu and ip mtu commands, the device fragments a packet based on the MTU set by the ip mtu command.

Examples

# Set the interface MTU for IPv4 packets to 1280 bytes on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] ip mtu 1280

ip option enable

Use ip option enable to enable the device to process IP options in IP packets.

Use undo ip option enable to disable the device from processing IP options in IP packets.

Syntax

ip option enable

undo ip option enable

Default

The device processes IP options in IP packets.

Views

System view

Predefined user roles

network-admin

Usage guidelines

IP options are typically used for network path diagnosis or temporary transmission of specific services. When a packet with IP options arrives at an intermediate device, the device sends the packet to CPU to process IP options before forwarding it out. In a network with excessive packet exchanges, processing IP options will prevent the intermediate device from processing packets in a timely manner and cause packet loss. To avoid this situation, execute the undo ip option enable command to disable the device from processing IP options in packets to be forwarded. Then packets will be forwarded through hardware.

Disable this feature only when IP options are not used in the network.

Examples

# Enable the device to process IP options in IP packets.

<Sysname> system-view

[Sysname] ip option enable

ip reassemble local enable

Use ip reassemble local enable to enable IPv4 local fragment reassembly.

Use undo ip reassemble local enable to disable local fragment reassembly.

Syntax

ip reassemble local enable

undo ip reassemble local enable

Default

IPv4 local fragment reassembly is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this feature on a multichassis IRF fabric to improve fragment reassembly efficiency. If this feature is disabled, all IPv4 fragments are delivered to the master for reassembly. With this feature enabled, a subordinate performs fragment reassembly for an IPv4 packet destined for the IRF fabric if it receives fragments of that packet.

This feature fails to reassemble an IPv4 packet if fragments of the packet are received by different subordinates.

Examples

# Enable IPv4 local fragment reassembly.

<Sysname> system-view

[Sysname] ip reassemble local enable

ip redirects enable

Use ip redirects enable to enable sending ICMP redirect messages.

Use undo ip redirects enable to disable sending ICMP redirect messages.

Syntax

ip redirects enable

undo ip redirects enable

Default

Sending ICMP redirect messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing tables.

A host that has only one route destined for the default gateway sends all packets to the default gateway. The default gateway sends an ICMP redirect message to inform the host of a correct next hop when the following conditions are met:

· The receiving and sending interfaces are the same.

· The packet source IP address and the IP address of the packet receiving interface are on the same segment.

· There is no source route option in the received packet.

Examples

# Enable sending ICMP redirect messages.

<Sysname> system-view

[Sysname] ip redirects enable

ip ttl-expires enable

Use ip ttl-expires enable to enable sending ICMP time exceeded messages.

Use undo ip ttl-expires enable to disable sending ICMP time exceeded messages.

Syntax

ip ttl-expires enable

undo ip ttl-expires enable

Default

Sending ICMP time exceeded messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP time exceeded messages by following these rules:

· The device sends an ICMP TTL exceeded in transit message to the source when the following conditions are met:

¡ The received packet is not destined for the device.

¡ The TTL field of the packet is 1.

· When the device receives the first fragment of an IP datagram destined for the device itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends an ICMP fragment reassembly time exceeded message to the source.

A device disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages but can still send ICMP fragment reassembly time exceeded messages.

Examples

# Enable sending ICMP time exceeded messages.

<Sysname> system-view

[Sysname] ip ttl-expires enable

ip unreachables enable

Use ip unreachables enable to enable sending ICMP destination unreachable messages.

Use undo ip unreachables enable to disable sending ICMP destination unreachable messages.

Syntax

ip unreachables enable

undo ip unreachables enable

Default

Sending ICMP destination unreachable messages is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A device sends ICMP destination unreachable messages by following these rules:

· The device sends the source an ICMP network unreachable message when the following conditions are met:

¡ The received packet does not match any route.

¡ No default route exists in the routing table.

· The device sends the source an ICMP protocol unreachable message when the following conditions are met:

¡ The received packet is destined for the device.

¡ The transport layer protocol of the packet is not supported by the device.

· The device sends the source an ICMP port unreachable message when the following conditions are met:

¡ The received UDP packet is destined for the device.

¡ The packet's port number does not match the running process.

· The device sends the source an ICMP source route failed message when the following conditions are met:

¡ The source uses Strict Source Routing to send packets.

¡ The intermediate device finds that the next hop specified by the source is not directly connected.

· The device sends the source an ICMP fragmentation needed and DF set message when the following conditions are met:

¡ The MTU of the sending interface is smaller than the packet.

¡ The packet has Don't Fragment set.

Examples

# Enable sending ICMP destination unreachable messages.

<Sysname> system-view

[Sysname] ip unreachables enable

reset ip statistics

Use reset ip statistics to clear IP traffic statistics.

Syntax

reset ip statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears IP traffic statistics for all member devices.

Usage guidelines

Use this command to clear history IP traffic statistics before you collect IP traffic statistics for a time period.

Examples

# Clear IP traffic statistics.

<Sysname> reset ip statistics

Related commands

display ip interface

display ip statistics

reset tcp statistics

Use reset tcp statistics to clear TCP traffic statistics.

Syntax

reset tcp statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear TCP traffic statistics.

<Sysname> reset tcp statistics

Related commands

display tcp statistics

reset udp statistics

Use reset udp statistics to clear UDP traffic statistics.

Syntax

reset udp statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear UDP traffic statistics.

<Sysname> reset udp statistics

Related commands

display udp statistics

snmp-agent trap enable port-attack

Use snmp-agent trap enable port-attack to enable SNMP notifications for attack events on ports.

Use undo snmp-agent trap enable port-attack to disable SNMP notifications for attack events on ports.

Syntax

snmp-agent trap enable port-attack

undo snmp-agent trap enable port-attack

Default

SNMP notifications are disabled for attack events on ports.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the port attack module to generate SNMP notifications for critical events, such as ICMP packet reception overspeeding on a port. The SNMP notifications are sent to the SNMP module. For the SNMP notifications to be sent correctly, you must also configure SNMP. For more information about SNMP configuration, see SNMP configuration in Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for attack events on ports.

<Sysname> system-view

[Sysname] snmp-agent trap enable port-attack

snmp-agent trap enable tcp

Use snmp-agent trap enable tcp to enable SNMP notifications for TCP events.

Use undo snmp-agent trap enable tcp to disable SNMP notifications for TCP events.

Syntax

snmp-agent trap enable tcp

undo snmp-agent trap enable tcp

Default

SNMP notifications for TCP events are enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the TCP module to generate SNMP notifications for critical TCP events, such as MD5 authentication failure for TCP connection. The SNMP notifications are sent to the SNMP module. For the SNMP notifications to be sent correctly, you must also configure SNMP. For more information about SNMP configuration, see SNMP configuration in Network Management and Monitoring Configuration Guide.

Examples

# Disable SNMP notifications for TCP events.

<Sysname> system-view

[Sysname] undo snmp-agent trap enable tcp

statistics l3-packet enable

Use statistics l3-packet enable to enable Layer 3 packet statistics collection.

Use undo statistics l3-packet enable to disable Layer 3 packet statistics collection.

Syntax

statistics l3-packet enable { inbound | outbound }

undo statistics l3-packet enable { inbound | outbound }

Default

Layer 3 packet statistics collection is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

inbound: Enables statistics collection for incoming Layer 3 packets.

outbound: Enables statistics collection for outgoing Layer 3 packets.

Usage guidelines

With this feature enabled on an interface, the device counts incoming and outgoing IP packets on the interface. To display the collected statistics, execute the display interface command.

When the interface is processing a large number of packets, enabling this feature will cause high CPU usage and degrade forwarding performance. If the statistics are not necessary, disable this feature to ensure device performance.

Examples

# Enable Layer 3 packet statistics collection on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] statistics l3-packet enable

Related commands

display ip interface (Layer 3—IP Services Command Reference)

display interface (Interface Command Reference)

tcp mss

Use tcp mss to set the TCP maximum segment size (MSS).

Use undo tcp mss to restore the default.

Syntax

tcp mss value

undo tcp mss

Default

The TCP MSS is not set.

Views

Interface view

Predefined user roles

network-admin

Parameters

value: Specifies the TCP MSS in bytes. The minimum value is 128 bytes. The maximum value equals the maximum MTU that the interface supports minus 40.

Usage guidelines

The MSS option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment. If the size of a TCP segment is smaller than the MSS of the receiver, TCP sends the TCP segment without fragmentation. If not, TCP fragments the segment according to the receiver's MSS.

If you set the TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.

This configuration takes effect only on TCP connections that are established after the configuration and not on the TCP connections that already exist.

This configuration is effective only on IP packets. If MPLS is enabled on the interface, do not set the TCP MSS on the interface.

Examples

# Set the TCP MSS to 300 bytes on VLAN-interface 100.

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] tcp mss 300

tcp path-mtu-discovery

Use tcp path-mtu-discovery to enable TCP path MTU discovery.

Use undo tcp path-mtu-discovery to disable TCP path MTU discovery.

Syntax

tcp path-mtu-discovery [ aging age-time | no-aging ]

undo tcp path-mtu-discovery

Default

TCP path MTU discovery is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

aging age-time: Specifies the aging time for the path MTU, in the range of 10 to 30 minutes. The default aging time is 10 minutes.

no-aging: Does not age out the path MTU.

Usage guidelines

After you enable TCP path MTU discovery, all new TCP connections detect the path MTU. The device uses the path MTU to calculate the MSS to avoid IP fragmentation.

After you disable TCP path MTU discovery, the system stops all path MTU timers. The TCP connections established later do not detect the path MTU, but the TCP connections previously established still can detect the path MTU.

Examples

# Enable TCP path MTU discovery and set the path MTU aging time to 20 minutes.

<Sysname> system-view

[Sysname] tcp path-mtu-discovery aging 20

tcp syn-cookie enable

Use tcp syn-cookie enable to enable SYN Cookie to protect the device from SYN flood attacks.

Use undo tcp syn-cookie enable to disable SYN Cookie.

Syntax

tcp syn-cookie enable

undo tcp syn-cookie enable

Default

SYN Cookie is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A TCP connection is established through a three-way handshake:

1. The sender sends a SYN packet to the server.

2. The server receives the SYN packet, establishes a TCP semi-connection in SYN_RECEIVED state, and replies with a SYN ACK packet to the sender.

3. The sender receives the SYN ACK packet and replies with an ACK packet. Then, a TCP connection is established.

An attacker can exploit this mechanism to mount SYN flood attacks. The attacker sends a large number of SYN packets, but they do not respond to the SYN ACK packets from the server. As a result, the server establishes a large number of TCP semi-connections and cannot handle normal services.

SYN Cookie can protect the server from SYN flood attacks. When the server receives a SYN packet, it responds to the request with a SYN ACK packet without establishing a TCP semi-connection.

The server establishes a TCP connection and enters ESTABLISHED state only when it receives an ACK packet from the sender.

Examples

# Enable SYN Cookie.

<Sysname> system-view

[Sysname] tcp syn-cookie enable

tcp timer fin-timeout

Use tcp timer fin-timeout to set the TCP FIN wait timer.

Use undo tcp timer fin-timeout to restore the default.

Syntax

tcp timer fin-timeout time-value

undo tcp timer fin-timeout

Default

The TCP FIN wait timer is 675 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP FIN wait timer in the range of 76 to 3600 seconds.

Usage guidelines

TCP starts the FIN wait timer when the state of a TCP connection changes to FIN_WAIT_2. If no FIN packet is received within the timer interval, the TCP connection is terminated.

If a FIN packet is received, TCP changes the connection state to TIME_WAIT. If a non-FIN packet is received, TCP restarts the timer and tears down the connection when the timer expires.

Examples

# Set the TCP FIN wait timer to 800 seconds.

<Sysname> system-view

[Sysname] tcp timer fin-timeout 800

tcp timer syn-timeout

Use tcp timer syn-timeout to set the TCP SYN wait timer.

Use undo tcp timer syn-timeout to restore the default.

Syntax

tcp timer syn-timeout time-value

undo tcp timer syn-timeout

Default

The TCP SYN wait timer is 75 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the TCP SYN wait timer in the range of 2 to 600 seconds.

Usage guidelines

TCP starts the SYN wait timer after sending a SYN packet. Within the SYN wait timer if no response is received or the upper limit on TCP connection tries is reached, TCP fails to establish the connection.

Examples

# Set the TCP SYN wait timer to 80 seconds.

<Sysname> system-view

[Sysname] tcp timer syn-timeout 80

tcp timestamps enable

Use tcp timestamps enable to enable the device to encapsulate the TCP Timestamps option in outgoing TCP packets.

Use undo tcp timestamps enable to disable the device from encapsulating the TCP Timestamps option in outgoing TCP packets.

Syntax

tcp timestamps enable

undo tcp timestamps enable

Default

The TCP Timestamps option is encapsulated in outgoing TCP packets.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Devices at each end of the TCP connection can calculate the RTT value by using the TCP Timestamps option carried in TCP packets. For security purpose in some networks, you can disable the TCP Timestamps option encapsulation at one end of the TCP connection to prevent intermediate devices from obtaining the option information.

This command takes effect only on new connections that are established after you execute the command. Existing TCP connections are not affected.

Examples

# Enable the device to encapsulate the TCP Timestamps option in outgoing TCP packets.

<Sysname> system-view

[Sysname] undo tcp timestamps enable

tcp window

Use tcp window to set the size of the TCP receive/send buffer.

Use undo tcp window to restore the default.

Syntax

tcp window window-size

undo tcp window

Default

The size of the TCP receive/send buffer is 63 KB.

Views

System view

Predefined user roles

network-admin

Parameters

window-size: Specifies the size of the TCP receive/send buffer, in the range of 1 to 64 KB.

Examples

# Set the size of the TCP receive/send buffer to 3 KB.

<Sysname> system-view

[Sysname] tcp window 3

Field	Description
bad formats	Number of received messages with error format.
bad checksum	Number of received messages with checksum errors.
echo	Number of received or sent ICMP echo request messages.
destination unreachable	Number of received or sent destination unreachable messages.
source quench	Number of received or sent source quench messages.
redirects	Number of received or sent redirect messages.
echo replies	Number of received or sent echo reply messages.
parameter problem	Number of received or sent parameter problem messages.
timestamp	Number of received timestamp request messages or number of sent timestamp reply messages.
information requests	Number of received information request messages.
mask requests	Number of received or sent mask request messages.
mask replies	Number of received or sent mask reply messages.
invalid type	Number of received messages with invalid type.
router solicit	Number of received RS messages.
broadcast/multicast echo requests ignored	Number of dropped incoming broadcast or multicast echo request messages.
broadcast/multicast timestamp requests ignored	Number of dropped incoming broadcast or multicast timestamp request messages.
information replies	Number of sent information reply messages.
time exceeded	Number of received or send ICMP time exceeded messages
bad address	Number of sent messages with invalid destination addresses.
packet error	Number of sent error messages.
router advert	Number of received or sent RA messages.

05-Layer 3—IP Services Command Reference

ip icmp fragment discarding

reset ip statistics

tcp mss

tcp timestamps enable

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us