H3C S9500 Series Operating instructions

Type
Operating instructions

H3C S9500 Series offers a robust networking solution with its advanced IP performance features. You can optimize TCP connections by configuring attributes like SYNWAIT and FINWAIT timers, and socket buffer sizes. To safeguard against certain types of attacks, the switch can be configured to send "time exceeded" ICMP error packets instead of destination unreachable packets when receiving packets with a TTL of 1. Troubleshoot network issues efficiently using debugging commands for IP, TCP, and UDP protocols.


Operation Manual – IP Performance
H3C S9500 Series Routing Switches

Table of Contents
Chapter 1 IP Performance Configuration
1.1 Configuring IP Performance
1.1.1 Configuring TCP Attributes
1.1.2 Configuring the Switch Whether to Send a Time Exceeded ICMP Packet
1.2 Displaying and Maintaining IP Performance
1.3 Troubleshooting IP Performance

Chapter 1 IP Performance Configuration
When configuring IP performance, go to these sections for information you are interested in:
• Configuring IP Performance
• Displaying and Maintaining IP Performance
• Troubleshooting IP Performance

1.1 Configuring IP Performance
IP performance configuration includes:
• Configuring TCP Attributes
• Configuring the Switch Whether to Send a Time Exceeded ICMP Packet

1.1.1 Configuring TCP Attributes
TCP attributes include:
• synwait timer: TCP starts the synwait timer when it sends a SYN packet. If no response packet is received before the synwait timer expires, the TCP connection is terminated. The synwait timeout ranges from 2 to 600 seconds and is 75 seconds by default.
• finwait timer: The finwait timer starts when the TCP connection state changes from FIN_WAIT_1 to FIN_WAIT_2. If no FIN packet is received before the finwait timer expires, the TCP connection is terminated. The finwait timeout ranges from 76 to 3600 seconds and is 675 seconds by default.
• Socket buffer size: The receiving/sending buffer size of a connection-oriented socket ranges from 1 to 32 KB and is 8 KB by default.
Perform the following configuration in system view to configure TCP attributes:

| To do… | Use the command… |
| --- | --- |
| Configure timeout time for the synwait timer in TCP | tcp timer syn-timeout time-value |
| Restore the default timeout time of the synwait timer | undo tcp timer syn-timeout |
| Configure timeout time for the FIN_WAIT_2 timer in TCP | tcp timer fin-timeout time-value |
| Restore the default timeout time of the FIN_WAIT_2 timer | undo tcp timer fin-timeout |
| Configure the socket receiving/sending buffer size of TCP | tcp window window-size |
| Restore the socket receiving/sending buffer size of TCP to default value | undo tcp window |

1.1.2 Configuring the Switch Whether to Send a Time Exceeded ICMP Packet
The switch returns a destination unreachable packet to the sender when it receives a packet whose TTL is "1". If an attacker continuously sends IP packets whose TTL is "1", the switch keeps replying to the attacker with destination unreachable packets. As a result, the CPU of the switch comes under attack.
If the switch instead sends a "time exceeded" ICMP error packet to the network management system, rather than a destination unreachable packet, when it receives IP packets whose TTL is "1", such an attack can be avoided.
Follow these steps to configure whether the switch sends a destination unreachable packet:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Configure the switch to send a "time exceeded" ICMP error packet to the IP packet sender when the switch receives a packet whose TTL is "1" | ip icmp-time-exceed enable | By default, the switch sends a "time exceeded" ICMP error packet to the network management system. |
| Configure the switch to return a destination unreachable packet to the sender when the switch receives a packet whose TTL is "1" | undo ip icmp-time-exceed enable | |
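
The settings from sections 1.1.1 and 1.1.2 can be checked offline against a saved configuration. The following Python script is an added example, not part of the H3C manual: it assumes that non-default settings appear in the configuration text as the literal command lines shown above, and the names audit, LIMITS and SAMPLE and the sample excerpt are constructed for illustration.

```python
import re

# Ranges and defaults stated in section 1.1.1: (min, max, default).
LIMITS = {
    "tcp timer syn-timeout": (2, 600, 75),     # seconds
    "tcp timer fin-timeout": (76, 3600, 675),  # seconds
    "tcp window": (1, 32, 8),                  # KB
}
ICMP = "ip icmp-time-exceed enable"            # on by default per section 1.1.2

def audit(config_text):
    """Return (effective settings, findings) for the commands in this chapter.

    Assumption: non-default settings appear in the configuration text as the
    literal command lines from the manual; an absent command means the default.
    """
    settings = {cmd: default for cmd, (_, _, default) in LIMITS.items()}
    settings[ICMP] = True
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())           # normalise indentation/spacing
        if line in (ICMP, "undo " + ICMP):
            settings[ICMP] = not line.startswith("undo ")
            continue
        for cmd, (low, high, _) in LIMITS.items():
            m = re.fullmatch(re.escape(cmd) + r" (\d+)", line)
            if m and low <= int(m.group(1)) <= high:
                settings[cmd] = int(m.group(1))
            elif m:
                findings.append(f"{cmd} {m.group(1)}: outside {low}-{high}")
    if not settings[ICMP]:
        findings.append("TTL=1 packets are answered with destination "
                        "unreachable, the case section 1.1.2 warns about")
    return settings, findings

# Constructed configuration excerpt, not taken from a real device.
SAMPLE = """\
#
 tcp timer syn-timeout 30
 tcp timer fin-timeout 60
 tcp window 16
 undo ip icmp-time-exceed enable
#
"""

if __name__ == "__main__":
    effective, issues = audit(SAMPLE)
    for name, value in effective.items():
        print(f"{name} = {value}")
    for issue in issues:
        print("FINDING:", issue)
```

On the sample excerpt the script reports two findings: the fin-timeout value of 60 falls below the documented minimum of 76 seconds, and the undo command restores destination unreachable replies for TTL "1" packets.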

1.2 Displaying and Maintaining IP Performance
Displaying IP performance:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display the states of all the TCP connections | display tcp status | Available in any view |
| Display TCP connection statistics data | display tcp statistics | Available in any view |
| Display UDP statistics information | display udp statistics | Available in any view |
| Display IP statistics information | display ip statistics | Available in any view |
| Display ICMP statistics information | display icmp statistics | Available in any view |
| Display the current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ] | Available in any view |
| Display the summary of the Forwarding Information Base (FIB) | display fib [ all ] | Available in any view |
| Display the FIB entries matching the specified destination IP address | display fib [ all ] [ ip-address [ mask \| mask-length ] [ longer ] ] | Available in any view |
| Display the FIB entries matching the specified destination IP address range | display fib [ all ] ip-address1 { mask1 \| mask-length1 } ip-address2 { mask2 \| mask-length2 } | Available in any view |
| Display the FIB entries permitted by a specific ACL | display fib [ all ] acl { number \| name } | Available in any view |
| Display the FIB entries in the buffer which begin with, include or exclude the specified character string | display fib [ all ] \| { { begin \| include \| exclude } text } | Available in any view |
| Display the FIB entries permitted by a specific prefix list | display fib [ all ] ip-prefix listname | Available in any view |
| Display the total number of the FIB entries | display fib [ all ] statistics | Available in any view |

Debugging IP performance:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Reset IP statistics information | reset ip statistics | Available in user view |
| Reset TCP statistics information | reset tcp statistics | Available in user view |
| Reset UDP statistics information | reset udp statistics | Available in user view |
| Enable the debugging of IP packets | debugging ip packet [ acl acl-number ] | Available in user view |
| Disable the debugging of IP packets | undo debugging ip packet | Available in user view |
| Enable the debugging of ICMP packets | debugging ip icmp | Available in user view |
| Disable the debugging of ICMP packets | undo debugging ip icmp | Available in user view |
| Enable the debugging of UDP connections | debugging udp packet [ task-id socket-id ] | Available in user view |
| Disable the debugging of UDP connections | undo debugging udp packet [ task-id socket-id ] | Available in user view |
| Enable the debugging of TCP connections | debugging tcp packet [ task-id socket-id ] | Available in user view |
| Disable the debugging of TCP connections | undo debugging tcp packet [ task-id socket-id ] | Available in user view |
| Enable the debugging of TCP events | debugging tcp event [ task-id socket-id ] | Available in user view |
| Disable the debugging of TCP events | undo debugging tcp event [ task-id socket-id ] | Available in user view |
| Enable the debugging of the MD5 authentication | debugging tcp md5 | Available in user view |
| Disable the debugging of the MD5 authentication | undo debugging md5 | Available in user view |

1.3 Troubleshooting IP Performance
Fault: The IP layer protocol works normally, but TCP and UDP do not.
Troubleshooting: In the event of such a fault, enable the corresponding debugging output to view the debugging information.
• Use the display command to view the running information of IP performance and make sure that the PCs used by the user are running normally.
• Use the terminal debugging command to output the debugging information to the console.
• Use the debugging udp packet command to enable UDP debugging and trace the UDP packets.
The following are the UDP packet formats:
UDP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296
task = ROUT(15)
socketid = 6,
src = 192.168.1.1:520,
dst = 255.255.255.255:520,
datalen = 24
• Use the debugging tcp packet command to enable TCP debugging and trace the TCP packets.
Operations include:
<H3C> terminal debugging
<H3C> debugging tcp packet
Then the TCP packets received or sent can be checked in real time. Specific packet
formats include:
TCP output packet:
Source IP address:202.38.160.1
Source port:1024
Destination IP Address 202.38.160.1
Destination port: 4296
Sequence number :4195089
Ack number: 0
Flag :SYN
Packet length :60
Data offset: 10
task = ROUT(15)
socketid = 5
state = Established
src = 172.16.1.2
Source port:1025
dst = 172.16.1.1
Destination port: 4296
seq = 1921836502
ack = 4192768493
flag = ACK
window = 16079