S600-E Education Network Series Switches

Configuration Guide - IP Service 5 IP Performance Optimization Configuration

5 IP Performance Optimization
Configuration

About This Chapter

You can optimize IP performance by adjusting parameters on the network.

5.1 Overview of IP Performance Optimization
5.2 Licensing Requirements and Limitations for IP Performance Optimization
5.3 Default Settings for IP Performance Optimization
5.4 Optimizing IP Performance
5.5 Maintaining IP Performance
5.6 Example for Optimizing System Performance by Discarding Certain ICMP
Packets

5.1 Overview of IP Performance Optimization

A large number of packets need to be forwarded on the network, which may
cause network congestion and degrade network performance. IP performance
optimization can solve the problem. You can adjust parameters or forwarding
modes for IP packets to achieve optimal network performance.
IP performance can be optimized using any of the following functions:
● Configuring source IP addresses verification
● Configuring the switch to fragment outgoing IP packets
● Configuring a load balancing mode for IP packet forwarding
● Configuring the switch to discard IP packets with options
● Configuring an interface to forward directed broadcast packets
● Disabling the IP packet checking function
● Enabling the switch to perform layer 2 forwarding for IP traffic during a ring
network switchover

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 181

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

● Configuring ICMP properties

● Configuring TCP properties

5.2 Licensing Requirements and Limitations for IP

Performance Optimization
Involved Network Elements
Other network elements are not required.

Licensing Requirements
IP performance optimization is a basic feature of a switch and is not under license
control.

Version Requirements

Table 5-1 Product and version requirements of IP performance optimization

Product Software Version

S600-E V200R010C00, V200R011C00, V200R011C10

NOTE
To know details about software mappings, see Hardware Query Tool.

Feature Limitations
A device can only forward ICMPv4 packets with the Option field at Layer 3. Other
IPv4 packets with the Option field will be discarded.

5.3 Default Settings for IP Performance Optimization

Table 5-2 describes the default settings for IP performance optimization.

Table 5-2 Default settings for IP performance optimization

Parameter Default Setting

Source IP address verification Disabled.

Outgoing forwarding-plain IP Disabled.

packet fragmentation on an
interface

Load balancing mode for IP Flow-based load balancing mode.

packet forwarding

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 182

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

Parameter Default Setting

Processing for directed broadcast Not forwarding.

packets on an interface

IP error packet checking Enabled.

Performing layer 2 forwarding for Enabled.

IP traffic during a ring network
switchover

IPv4 Layer 3 unicast forwarding Enabled.

Fast ICMP reply function Enabled.

Receiving ICMP packets Enabled.

Sending ICMP Host Unreachable Enabled.

packets

Sending ICMP Port Unreachable Enabled.

packets

Sending ICMP Protocol Enabled.

Unreachable packets

Sending an ICMP Destination Disabled.

Unreachable packet to an initiator
when a tracert packet matches an
IPv4 blackhole route

Sending ICMP Redirect packets Enabled.

Sending ICMP Time Exceeded Enabled.

packets on an interface

TCP SYN-Wait timer 75s.

TCP FIN-Wait timer 675s.

Socket receive/send buffer size 8k bytes.

Minimum MSS value for a TCP 216 bytes.

connection

5.4 Optimizing IP Performance

Pre-configuration Tasks
Before optimizing IP performance, configure IP addresses for interfaces. For
details, see Configuring IP Addresses for Interfaces.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 183

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

5.4.1 Configuring Source IP Addresses Verification

Context
Configuring source IP address verification enables an interface to check validity of
source IP addresses of received packets. Packets with invalid addresses are
discarded, which improves the network security.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run ip verify source-address
Source IP address verification is configured.
By default, an interface does not check validity of source IP addresses of received
packets.
The interface only checks validity of source IP addresses of the packets that need
to be forwarded to the CPU, and does not check validity of source IP addresses of
the packets that will be directly forwarded according to the FIB table.
If the mask in the IP address of the received packet is of 31 bits, the receiver
considers it as a valid source address without checking the broadcast address of
the subnet.

----End

5.4.2 Configuring the Switch to Fragment Outgoing IP Packets

Context
During actual packet forwarding, the length of an IP packet may exceed the MTU
value. Packets whose length exceeds the MTU value are discarded. Therefore, IP
packet fragmentation can be enabled so that the system sets the DF field of IP
packets to 0 and fragments the packets. In this way, all IP packets can be
forwarded.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run clear ip df

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 184

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

The fragmentation is enabled for outgoing IP packets on an interface.

By default, fragmentation for outgoing IP packets on an interface is disabled.

NOTE

This command takes effect only for the packets that are forwarded by the CPU but not for
the packets that are forwarded by the chip.

----End

5.4.3 Configuring a Load Balancing Mode for IP Packet

Forwarding

Context
If flow-based load balancing is used, the hash algorithm is used to calculate a
value for selecting a link to forward packets. The value is calculated based on the
protocol type, source IP address, destination IP address, source port number, and
destination port number.

If packet-based load balancing is used, packets are forwarded through different

links. Packet-based load balancing can be implemented only for packets forwarded
by the CPU such as protocol packets.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run load-balance { flow | packet } [ all | slot slot-id ]

The flow-based load balancing mode is configured for IP packet forwarding.

By default, flow-based load balancing is used.

----End

5.4.4 Configuring the Switch to Discard IP Packets with

Options

Context
IP packets can carry route options including the route-alert option, route-record
option, source-route option, and timestamp option. These route options are used
to diagnose network paths and temporarily transmit special services. These
options, however, may be used by attackers to spy on the network structure for
initiating attacks, degrading network security and switch performance. To solve
this problem, you can configure the switch to discard the IP packets that carry the
route options.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 185

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Do as follows according to different route options in IP packets:
● Run discard ra
The interface is configured to discard IP packets with route-alert options.
● Run discard rr
The interface is configured to discard IP packets with record-route options.
● Run discard srr
The interface is configured to discard IP packets with source-route options.
● Run discard ts
The interface is configured to discard IP packets with time-stamp options.
By default, the device processes packets sent to the CPU based on route options
contained in these packets.

NOTE

The discard { ra | rr | srr | ts } command only takes effect for the packets on inbound
interfaces.
The discard { ra | rr | srr | ts } command only takes effect for packets sent to the CPU. For
packets that are not sent to the CPU, the device processes and forwards them using the
same method of processing packets without route options regardless of whether the
discard { ra | rr | srr | ts } command is configured or not.

----End

5.4.5 Configuring an Interface to Forward Directed Broadcast

Packets
Context
Directed broadcast packets are sent to a specified network. In the destination IP
address of a directed broadcast packet, the network number is that of the
specified network and the host number is all 1s.
Hackers use directed broadcast packets to attack networks, which threatens the
network security. Therefore, directed broadcast packets are isolated by Layer 3
switches in normal cases. However, in some scenarios, the device needs to receive
or forward these directed broadcast packets. For example, when Wake on LAN
(WOL) is configured on a PC, the interface can be set to forward directed
broadcast packets. (WOL enables a PC in dormancy or shutdown state to wake up
from dormancy state to running state or turn from shutdown state to power-on
state through the instruction from the peer of the network.)
As shown in Figure 5-1, on Switch A, GE0/0/1 is on the same network segment
with PC A; GE0/0/2 is on another network segment with the WOL server. The WOL

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 186

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

server uses directed broadcast packets to wake up PC A. In normal cases, the

directed broadcast packets are isolated by Switch A. After the ip forward-
broadcast command is run on Switch A's GE0/0/1 to enable the interface to
forward the directed broadcast packets, PC A can receive the directed broadcast
packets from the WOL server.

Figure 5-1 Configuring the interface to forward directed broadcast packets in the
WOL scenario
GE 0/0/1 GE 0/0/2
10.1.1.1/24 10.2.2.1/24
10.1.1.2/24 10.2.2.2/24

PC A Switch A WoL Server

NOTE

By default, the device identifies directed broadcast packets as malformed packets, and
intercepts and discards them because the attack defense function of malformed packets is
enabled on the device. In this case, the interface on the device cannot forward the directed
broadcast packets.
To solve this problem, use either of the following methods:
● Run the anti-attack abnormal disable command to disable the attack defense function
of malformed packets. However, after this command is configured, other malformed
packets will not be intercepted and discarded, which brings certain security risks. Use
this command with caution.
● Run the anti-attack disable command to disable all attack defense functions. However,
after this command is configured, not only malformed packets but also fragmented, tcp-
syn, udp-flood, and icmp-flood attack packets will not be intercepted and discarded,
which brings certain security risks. Use this command with caution.

The device can also be enabled to receive and forward a certain type of directed
broadcast packets based on ACLs. For example, if the basic ACL is used, run the
acl (system view) and rule (basic ACL view) commands to define the directed
broadcast packets to be received and forwarded as permit, and then run the ip
forward-broadcast command to bind this ACL.

Procedure
Step 1 Configure the basic or advanced ACL. For details, see Configuring and Applying a
Basic ACL or Configuring and Applying an Advanced ACL in "ACL Configuration" in
the S600-E V200R011C10 Configuration Guide - Security.

Step 2 Run system-view

The system view is displayed.

Step 3 Run interface interface-type interface-number

The interface view is displayed.

Step 4 Run ip forward-broadcast [ acl acl-number ]

The interface is configured to forward directed broadcast packets.

By default, an interface does not forward directed broadcast packets.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 187

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

Only broadcast packets that match the permit action defined in the ACL are
forwarded. Broadcast packets that match the deny action defined in the ACL or do
not match any ACL rules are not forwarded.

----End

5.4.6 Disabling the IP Packet Checking Function

Context
When the link type of an interface is QinQ or the VLAN mapping or VLAN
stacking function is configured on the interface, the system checks IP packets so
that the switch cannot transparently transmit IP error packets. In addition, during
Layer 2 forwarding, devices cannot transparently transmit packets with the same
source and destination IP addresses. To enable the switch to transparently transmit
IP error packets, you can disable the IP packet checking function.

NOTE

When the IP packet checking function is disabled, the IP subnet-based VLAN assignment ,
policy-based VLAN assignment do not take effect. Therefore, confirm your action before
disabling this function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run ip error-packet-check disable

The IP packet checking function is disabled.

By default, the IP packet checking function is enabled.

----End

5.4.7 Configuring ICMP Properties

Context
The Internet Control Message Protocol (ICMP) is a protocol of the TCP/IP protocol
suite. It exchanges messages between hosts and routing devices. When receiving
an ICMP packet, the device sends the packet to the CPU. When a device receives a
large number of ICMP packets, the forwarding performance of the device
degrades. Therefore, you need to set related ICMP properties to optimize IP
performance.

Procedure
● Set ICMP properties in the system view to optimize IP performance.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 188

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

a. Run system-view
The system view is displayed.
b. Set ICMP properties as required to optimize IP performance.

▪ Run icmp-reply fast

The fast ICMP reply function is enabled.
By default, the fast ICMP reply function is enabled.

▪ Run undo icmp { type icmp-type code icmp-code | name icmp-

name | all } receive
The function of receiving ICMP packets is disabled.
By default, the function of receiving ICMP packets is enabled.

▪ Run undo icmp host-unreachable send

The function of sending ICMP Host Unreachable packets is disabled.
By default, the function of sending ICMP Host Unreachable packets is
enabled.
NOTE

The icmp host-unreachable send command can be run in the system view
or VLANIF interface view.
● After the function of sending ICMP Host Unreachable packets is disabled
in the system view, all VLANIF interfaces do not send ICMP Host
Unreachable packets. Even if the function is enabled on a VLANIF
interface, the VLANIF interface does not send ICMP Host Unreachable
packets.
● After the function of sending ICMP Host Unreachable packets is enabled
in the system view, all VLANIF interfaces send ICMP Host Unreachable
packets because the function is enabled on all interfaces by default. You
can run the undo icmp host-unreachable send command in VLANIF
interface view to disable the function on a specified VLANIF interface.
If the function of sending ICMP Host Unreachable packets is disabled, the
switch does not send ICMP Host Unreachable packets in any situations.

▪ Run undo icmp port-unreachable send

The function of sending ICMP Port Unreachable packets is disabled.
By default, the function of sending ICMP Port Unreachable packets is
enabled.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 189

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

NOTE

The icmp port-unreachable send command can be run in the system view
or VLANIF interface view.
● After the function of sending ICMP Port Unreachable packets is disabled
in the system view, all VLANIF interfaces do not send ICMP Port
Unreachable packets. Even if the function is enabled on a VLANIF
interface, the VLANIF interface does not send ICMP Port Unreachable
packets.
● After the function of sending ICMP Port Unreachable packets is enabled
in the system view, all VLANIF interfaces send ICMP Port Unreachable
packets because the function is enabled on all interfaces by default. You
can run the undo icmp port-unreachable send command in VLANIF
interface view to disable the function on a specified VLANIF interface.
If the function of sending ICMP Port Unreachable packets is disabled, the
switch does not send ICMP Port Unreachable packets in any situations.

▪ Run undo icmp protocol-unreachable send

The function of sending ICMP Protocol Unreachable packets is
disabled.
By default, the function of sending ICMP Protocol Unreachable
packets is enabled.

▪ Run icmp blackhole unreachable send

The switch is enabled to send an ICMP Destination Unreachable
packet to an initiator when a tracert packet matches an IPv4
blackhole route.
By default, the switch is disabled from sending an ICMP Destination
Unreachable packet to an initiator when a tracert packet matches an
IPv4 blackhole route.
● Set ICMP properties in the interface view to optimize IP performance.
a. Run interface interface-type interface-number
The interface view is displayed.
b. Set ICMP properties in the interface view as required to optimize IP
performance.

▪ Run undo icmp redirect send

The function of sending ICMP Redirect packets is disabled.
By default, the function of sending ICMP Redirect packets is enabled.
NOTE

If the function of sending ICMP Redirect packets is disabled, the switch does
not send ICMP Redirect packets in any situations.

▪ Run undo icmp ttl-exceeded send

The function of sending ICMP Time Exceeded packet is disabled.
By default, the function of sending ICMP Time Exceeded packet is
enabled.

▪ Run undo icmp port-unreachable send

The function of sending ICMP Port Unreachable packets is disabled.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 190

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

By default, the function of sending ICMP Port Unreachable packets is

enabled.

▪ Run undo icmp host-unreachable send

The function of sending ICMP Host Unreachable packets is disabled.
By default, the function of sending ICMP Host Unreachable packets is
enabled.
----End

5.4.8 Configuring TCP Properties

Context
When a TCP connection is set up between switch and other devices, TCP properties
need to be configured.
The following TCP properties can be configured on the switch:
● SYN-Wait timer: When SYN packets are sent, the SYN-Wait timer starts. If no
response packet is received after the SYN-Wait timer expires, the TCP
connection is closed.
● FIN-Wait timer: When the TCP connection status changes from FIN_WAIT_1 to
FIN_WAIT_2, the FIN-Wait timer starts. If no response packet is received after
the FIN-Wait timer expires, the TCP connection is closed.
● Receive/send buffer size of connection-oriented socket.
● Minimum Maximum Segment Size (MSS) value: Setting a minimum MSS
value for a TCP connection defines the smallest TCP packet size, preventing
DoS attacks caused by packets with small MSS values.
● Maximum MSS value: Setting a maximum MSS value for a TCP connection
defines the largest TCP packet size, allowing TCP packets to be successfully
forwarded by intermediate devices when no MTU is available.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run tcp timer syn-timeout interval
The SYN-Wait timer of TCP connections is configured.
By default, the value of the TCP SYN-Wait timer is 75s.
Step 3 Run tcp timer fin-timeout interval
The FIN-WAIT timer of TCP connections is configured.
By default, the value of the TCP FIN-Wait timer is 675s.
Step 4 Run tcp window window-size
The size of the receive or send buffer of a connection-oriented socket is
configured.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 191

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

By default, the size of the receive or send buffer of a connection-oriented socket is

8k bytes.
Step 5 Run tcp min-mss mss-value
The minimum MSS value is configured for a TCP connection.
By default, the minimum MSS value for a TCP connection is 216 bytes.
Step 6 Run tcp max-mss mss-value
The maximum MSS value is configured for a TCP connection.
By default, the maximum MSS value is not configured for TCP connections.

NOTE

The maximum MSS value configured using the tcp max-mss command must be greater
than the minimum MSS value configured using the tcp min-mss command.

----End

5.4.9 Verifying the IP Performance Optimization Configuration

Procedure
● Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] |
[ local-ip ip-address ] [ local-port local-port-number ] [ remote-ip ip-
address ] [ remote-port remote-port-number ] ] command to check the TCP
connection status.
● Run the display tcp statistics command to view the TCP traffic statistics.
● Run the display udp statistics command to view the UDP traffic statistics.
● Run the display ip statistics command to view the IP traffic statistics.
● Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id |
socket-type socket-type ] command to view information about the created
IPv4 socket.
● Run the display icmp statistics command to view the ICMP traffic statistics.
----End

5.5 Maintaining IP Performance

5.5.1 Clearing IP Performance Statistics

Context

NOTICE

The IP/TCP/UDP traffic statistics cannot be restored after being cleared. Therefore,
confirm your action before clearing the IP performance statistics.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 192

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

Procedure
● After you are determined to clear IP statistics, run the reset ip statistics
[ interface interface-type interface-number ] command in the user view.
● After you are determined to clear statistics in a socket monitor, run the reset
ip socket monitor [ task-id task-id socket-id socket-id ] command in the
user view.
● After you are determined to clear statistics on the dual receive buffer of the
socket, run the reset ip socket pktsort task-id task-id socket-id socket-id
command in the user view.
● After you are determined to clear RawIP statistics, run the reset rawip
statistics command in the user view.
● After you are determined to clear TCP statistics, run the reset tcp statistics
command in the user view.
● After you are determined to clear UDP statistics, run the reset udp statistics
command in the user view.

----End

5.5.2 Monitoring the IP Performance Running Status

Context
In routine maintenance, you can run the following commands in any view to
check the running status of IP performance.

Procedure
● Run the display icmp statistics command to check ICMP traffic statistics.
● Run the display ip interface [ interface-type interface-number ] or display ip
interface brief [ interface-type [ interface-number ] | slot slot-id [ card card-
number ] ] command to check interface-related IP information.
● Run the display ip socket [ monitor ] [ task-id task-id socket-id socket-id |
socket-type socket-type ] command to check information about the created
IPv4 sockets.
● Run the display ip socket register-port command to check non-well-known
port numbers that have been assigned to services.
● Run the display ip statistics command to check IP traffic statistics.
● Run the display load-balance mode [ packet | flow | slot slot-number ]
command to check the load balancing mode on a switch.
● Run the display network status { all | tcp | udp | port port-number }
command to check the network status.
● Run the display rawip statistics command to check RawIP traffic statistics.
● Run the display tcp status [ [ task-id task-id ] [ socket-id socket-id ] |
[ local-ip ip-address ] [ local-port local-port-number ] [ remote-ip ip-
address ] [ remote-port remote-port-number ] ] command to check TCP
connection status.
● Run the display tcp statistics command to check TCP traffic statistics.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 193

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

● Run the display udp statistics command to check UDP traffic statistics.
----End

5.6 Example for Optimizing System Performance by

Discarding Certain ICMP Packets
Networking Requirements
The switch in Figure 5-2 functions as the aggregation device. Enterprise users,
individual users, and DSLAMs are attached to the switch and the switch is
connected to the Internet through a BRAS. When a large amount of information is
exchanged on the network or the network is attacked, lots of ICMP packets are
forwarded and the network performance is degraded. In this case, some ICMP
packets need to be discarded to reduce the burden on the switch.

Figure 5-2 Networking diagram for configuring the ICMP security function

Internet

BRAS

Switch

DSLAM

User
network
Enterprise Individual
user user

Configuration Roadmap
The configuration roadmap is as follows:
Configure the switch to discard ICMP packets whose TTL value is 1, ICMP packets
that carry options, and ICMP Destination Unreachable packets to reduce its
burden in processing a large number of ICMP packets.

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 194

S600-E Education Network Series Switches
Configuration Guide - IP Service 5 IP Performance Optimization Configuration

Procedure
Step 1 Configure the switch to discard certain ICMP packets.
# Configure the switch to discard ICMP packets whose TTL value is 1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] icmp ttl-exceeded drop all

# Configure the switch to discard ICMP packets that carry options.

[Switch] icmp with-options drop all

# Configure the switch to discard ICMP packets whose destination addresses are
unreachable.
[Switch] icmp unreachable drop

Step 2 Verify the configuration.

# Run the display this command in the system view to view the ICMP security
configurations.
[Switch] display current-configuration | include icmp
icmp unreachable drop
icmp ttl-exceeded drop slot 0
icmp with-options drop slot 0

----End

Configuration Files
Switch configuration file

#
sysname Switch
#
icmp unreachable drop
icmp ttl-exceeded drop slot 0
icmp with-options drop slot 0
#
return

Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 195