04-Network Protocol Command

Table of Contents
Chapter 1 IP Address Command
1.1 IP Address Command
1.1.1 arp
1.1.2 arp timeout
1.1.3 clear arp-cache
1.1.4 ip address
1.1.5 ip host
1.1.6 ip default-gateway
1.1.7 show arp
1.1.8 show hosts
1.1.9 show ip interface
Chapter 2 IP Service Command
2.1.1 clear tcp
2.1.2 clear tcp statistics
2.1.3 debug arp
2.1.4 debug ip icmp
2.1.5 debug ip packet
2.1.6 debug ip raw
2.1.7 debug ip tcp packet
2.1.8 debug ip tcp transactions
2.1.9 debug ip udp
2.1.10 ip mask-reply
2.1.11 ip mtu
2.1.12 ip redirects
2.1.13 ip tcp synwait-time
2.1.14 ip tcp window-size
2.1.15 ip unreachables
2.1.16 show ip irdp
2.1.17 show ip sockets
2.1.18 show ip traffic
2.1.19 show tcp
2.1.20 show tcp brief
2.1.21 show tcp statistics
2.1.22 show tcp tcb
Chapter 3 Access-list Command
3.1.1 deny
3.1.2 ip access-group
3.1.3 ip access-list
3.1.4 permit
3.1.5 show ip access-list


Chapter 1 IP Address Command

1.1 IP Address Command

The commands in this chapter configure and check the addressing of an IP
network. For more information about configuring IP addressing, refer to the
chapter "the configuration of IP addressing".

1.1.1 arp

Configures a static ARP mapping. A static mapping is kept permanently in the
ARP cache and is not replaced by dynamic resolution. To delete a configured
static ARP mapping, use the command "no arp".

Syntax

arp ip-address hardware-address [alias]

no arp ip-address

Parameter

Parameter          Description
ip-address         IP address on the local data link.
hardware-address   Physical (MAC) address on the local data link.
alias              (Optional) The router answers ARP requests for this IP
                   address as if it owned the address.

Default

No static ARP mapping exists in the ARP cache.

Command mode

Global configuration mode

Explanation

Ordinary hosts support dynamic ARP resolution, so a static ARP mapping is
normally not needed for a host. Because a static entry is never overwritten by
a learned one, it is a way to pin the MAC address of a critical host (for
example the default gateway) against ARP spoofing, at the cost of having to
update the entry whenever that host's network card changes.


Example

The following command configures the MAC address of host with IP address of 1.1.1.1
as 00:12:34:56:78:90.
arp 1.1.1.1 00:12:34:56:78:90

Related command

clear arp-cache

1.1.2 arp timeout

Configures how long a dynamic ARP entry stays in the ARP cache. To restore the
default value, use the command "no arp timeout" or "default arp timeout".

Syntax

arp timeout seconds

no arp timeout

default arp timeout

Parameter

Parameter   Description
seconds     Lifetime, in seconds, of a dynamic ARP entry in the ARP cache.
            0 means that entries dynamically resolved on this interface never
            time out.

Default

14400 seconds (4 hours)

Command mode

Interface configuration mode

Explanation

The setting has no effect on an interface that does not use ARP.

A timeout of 0 freezes whatever the interface has learned, including a wrong
or spoofed mapping, until "clear arp-cache" is run; when the cache must be
refreshed quickly, prefer a short timeout over 0.

The command "show interface" displays the ARP timeout configured on the
interface, for example:

ARP type: ARPA, ARP timeout 04:00:00


Example

The following commands set the lifetime of dynamic ARP entries on interface
Ethernet 1/0 to 900 seconds so that the ARP cache is refreshed more quickly.
interface ethernet 1/0
arp timeout 900

Related command

show interface

1.1.3 clear arp-cache

Clears all dynamic entries from the ARP cache.

Syntax

clear arp-cache

Parameter

none

Command mode

Supervisor mode

Example

The following command clears all dynamic ARP cache entries.

clear arp-cache

Related command

arp

1.1.4 ip address

Configures the IP address of an interface together with its network mask. IP
addresses are not classified strictly as class A, B or C, but multicast
addresses and broadcast addresses (host part all ones) must not be used.
Interfaces of types other than Ethernet may share the same network; the network
configured on an Ethernet interface may not be the same as that of any other
interface, except unnumbered interfaces. Normally one primary address and any
number of secondary addresses can be configured on an interface. A secondary
address can only be configured after the primary address, and the primary
address can only be deleted after all secondary addresses have been deleted.
For packets the system generates itself, if the upper-layer application does
not specify a source address, the router uses as source address the IP address
configured on the outgoing interface that is on the same network as the
gateway; if that address cannot be determined, the primary address of the
outgoing interface is used. An interface that has no IP address configured and
is not an unnumbered interface does not process IP packets.

To delete an IP address, or to stop IP packet processing on an interface, use
the command "no ip address" to clear one or all IP addresses on the interface.

Syntax

ip address ip-address mask [secondary]

no ip address ip-address mask

no ip address

Parameter

Parameter    Description
ip-address   IP address.
mask         IP network mask.
secondary    (Optional) Marks the address as a secondary IP address; without
             it, the address is the primary IP address.

Default

No configuration of any IP address on the interface.

Command mode

Interface configuration mode

Explanation

If the router has a secondary IP address on a physical segment, the other
systems on that segment must also be configured with a secondary address on the
same logical network; otherwise routing loops can easily result.

When OSPF is used, the secondary address and its primary address must be in the
same OSPF area.


Example

The following commands configure the primary address 202.0.0.1 with network
mask 255.255.255.0 on interface VLAN 10, and then two secondary addresses,
203.0.0.1 and 204.0.0.1.
interface vlan 10
ip address 202.0.0.1 255.255.255.0
ip address 203.0.0.1 255.255.255.0 secondary
ip address 204.0.0.1 255.255.255.0 secondary
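The ordering and address rules in this section are easy to get wrong in generated configuration. The following Python helper is an added example and not part of this manual: it builds the "ip address" lines for one interface in the order the command requires and the matching "no ip address" lines in the reverse order, and rejects multicast, network and broadcast addresses before anything is emitted. The interface name and addresses in the usage call are those of the example above; the helper names are this example's own.

```python
import ipaddress

# Added example, not part of the manual. Builds the "ip address" lines for one
# interface in the order the command requires (primary first, then
# secondaries) and the "no ip address" lines in the reverse order (every
# secondary before the primary), after checking that no address is a
# multicast, network or broadcast address. Addresses are classless: the mask
# given is used as-is, as the command does.


def check_address(addr, mask):
    """Return an IPv4Interface, or raise ValueError for an unusable address."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    if iface.ip.is_multicast:
        raise ValueError(f"{addr} is a multicast address")
    # A /31 or /32 has no separate network or broadcast address.
    if net.prefixlen < 31:
        if iface.ip == net.network_address:
            raise ValueError(f"{addr} is the network address of {net}")
        if iface.ip == net.broadcast_address:
            raise ValueError(
                f"{addr} is the broadcast address (host part all ones) of {net}")
    return iface


def interface_address_config(ifname, primary, secondaries=()):
    """Return (configure_lines, remove_lines) for one interface.

    primary and each secondary are (address, mask) tuples such as
    ("202.0.0.1", "255.255.255.0").
    """
    prim = check_address(*primary)
    secs = [check_address(addr, mask) for addr, mask in secondaries]

    # The primary must exist before any secondary can be added.
    configure = [f"interface {ifname}",
                 f"ip address {prim.ip} {prim.netmask}"]
    configure += [f"ip address {s.ip} {s.netmask} secondary" for s in secs]

    # Removal: the primary can only go once every secondary is gone.
    remove = [f"interface {ifname}"]
    remove += [f"no ip address {s.ip} {s.netmask}" for s in reversed(secs)]
    remove.append(f"no ip address {prim.ip} {prim.netmask}")
    return configure, remove


if __name__ == "__main__":
    cfg, rm = interface_address_config(
        "vlan 10", ("202.0.0.1", "255.255.255.0"),
        [("203.0.0.1", "255.255.255.0"), ("204.0.0.1", "255.255.255.0")])
    print("\n".join(cfg))
    print("!")
    print("\n".join(rm))
```

Running the script prints the three "ip address" lines of the example above followed by the three "no ip address" lines in the only order the switch accepts them; a broadcast, network or multicast address raises ValueError before any line is produced.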

1.1.5 ip host

Defines a static host name-to-address mapping. To delete the mapping, use the
command "no ip host".

Syntax

ip host name address

no ip host name

Parameter

Parameter   Description
name        Host name.
address     IP address.

Default

No maps configured

Command mode

Global configuration mode

Example

The following example configures the host name as dns-server with IP address
202.96.1.3.
ip host dns-server 202.96.1.3


1.1.6 ip default-gateway

Configures the default gateway of the switch. To delete it, use the command
"no ip default-gateway".

Syntax

ip default-gateway address

no ip default-gateway

Parameter

Parameter   Description
address     IP address of the default gateway.

Default

No default gateway is configured.

Command mode

Global configuration mode

Example

The following example configures the default gateway 202.96.1.3.

ip default-gateway 202.96.1.3

1.1.7 show arp

Shows all ARP entries, including the mappings of interface IP addresses, static
ARP mappings configured by the user, and dynamically learned ARP mappings.

Syntax

show arp

Parameter

none

Command mode

Supervisor mode

Explanation

The displayed information includes:

Field              Description
Protocol           Type of network address mapped to a physical address, such
                   as IP.
Address            The network address mapped to a physical address, such as
                   an IP address.
Age (min)          Time in minutes since the ARP entry was created. Use of the
                   entry by the router does not reset this value. "-" marks
                   the router's own interface addresses.
Hardware Address   Physical address corresponding to the network address;
                   empty for an unresolved (Incomplete) entry.
Type               Packet encapsulation type used by the interface, such as
                   ARPA or SNAP.
Interface          Interface on which the network address was learned.

Example

The following command shows the ARP cache.

router#show arp
Protocol IP Address      Age(min) Hardware Address   Type Interface
IP       192.168.20.77   11       00:30:80:d5:37:e0  ARPA vlan 10
IP       192.168.20.33   0        Incomplete
IP       192.168.20.22   -        08:00:3e:33:33:8a  ARPA vlan 10
IP       192.168.20.124  0        00:a0:24:9e:53:36  ARPA vlan 10
IP       192.168.0.22    -        08:00:3e:33:33:8b  ARPA vlan 11
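Reading the ARP table is usually done by eye, but the two checks worth automating are simple. The following Python example is added here and is not part of this manual: it parses "show arp" output in the format above, reports Incomplete entries, and reports any MAC address that answers for more than one IP address, which on a segment with a gateway is the signature of ARP spoofing. The first sample is the manual's own output; the spoofed row and the gateway address 192.168.20.1 are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Added example, not part of the manual. Parses "show arp" output as shown in
# this section and flags Incomplete entries and MAC addresses that answer for
# more than one IP address.

# Constructed sample: the manual's example output (one row prints the
# interface as "vlan10", as the manual does).
SHOW_ARP = """\
Protocol IP Address      Age(min) Hardware Address   Type Interface
IP       192.168.20.77   11       00:30:80:d5:37:e0  ARPA vlan 10
IP       192.168.20.33   0        Incomplete
IP       192.168.20.22   -        08:00:3e:33:33:8a  ARPA vlan 10
IP       192.168.20.124  0        00:a0:24:9e:53:36  ARPA vlan10
IP       192.168.0.22    -        08:00:3e:33:33:8b  ARPA vlan 11
"""

# Constructed: the same table after the host holding 192.168.20.124 starts
# answering for the gateway address 192.168.20.1 (an assumption; the manual
# shows no gateway on this segment).
SHOW_ARP_SPOOFED = SHOW_ARP + (
    "IP       192.168.20.1    2        00:a0:24:9e:53:36  ARPA vlan 10\n")


def parse_show_arp(text):
    """Return one dict per ARP entry.

    age is None for the router's own addresses (printed as "-"); hardware,
    type and interface are None for an Incomplete entry.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "IP":
            continue  # header, blank line or a protocol other than IP
        entry = {"ip": fields[1],
                 "age": None if fields[2] == "-" else int(fields[2]),
                 "hardware": None, "type": None, "interface": None,
                 "incomplete": fields[3].lower() == "incomplete"}
        if not entry["incomplete"]:
            # The interface name may be printed "vlan 10" or "vlan10".
            ifname = " ".join(fields[5:])
            ifname = re.sub(r"^([A-Za-z]+)(\d)", r"\1 \2", ifname)
            entry.update(hardware=fields[3].lower(), type=fields[4],
                         interface=ifname)
        entries.append(entry)
    return entries


def arp_findings(entries, gateway_ips=()):
    """Return (severity, message) pairs worth an operator's attention."""
    findings = []
    by_mac = defaultdict(list)
    for e in entries:
        if e["incomplete"]:
            findings.append(("info", f"{e['ip']}: no ARP reply (Incomplete)"))
        elif e["age"] is not None:  # skip the router's own interface addresses
            by_mac[e["hardware"]].append(e["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            # One NIC legitimately holding several addresses is possible, but
            # a MAC that also answers for a gateway is the classic spoof.
            sev = "high" if set(ips) & set(gateway_ips) else "medium"
            findings.append((sev, f"{mac} answers for {len(ips)} addresses: "
                                  + ", ".join(ips)))
    return findings


if __name__ == "__main__":
    for sev, msg in arp_findings(parse_show_arp(SHOW_ARP_SPOOFED),
                                 gateway_ips=("192.168.20.1",)):
        print(sev, msg)
```

The parser keys on the "IP" protocol column rather than on column offsets, so it is not upset by the "vlan10"/"vlan 10" inconsistency in the output; a static "arp" entry for the gateway, as described in section 1.1.1, is the usual fix once such a finding is confirmed.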

1.1.8 show hosts

Shows all entries in the host name-to-address cache.

Syntax

show hosts

Parameter

This command has no parameters or keywords.

Command mode

Supervisor mode

Example

The following command displays all host name/address mappings.

show hosts

Related command

clear host

1.1.9 show ip interface

Shows the IP configuration of an interface.

Syntax

show ip interface [type number]

Parameter

Parameter   Description
type        (Optional) Interface type.
number      (Optional) Interface number.

Command mode

Supervisor mode

Explanation

An interface whose link layer can send and receive data is usable, and is shown
as "protocol up". When an IP address is configured on such an interface, the
router adds a directly connected route to the routing table; when the link layer
protocol goes down ("protocol down"), that directly connected route is removed.
If an interface type and number are given, only that interface is displayed;
otherwise the IP configuration of all interfaces is displayed.

Example

The following command shows the IP configuration of interface VLAN 10:

Router#show ip interface vlan 10
vlan10 is up, line protocol is up
IP address : 192.168.20.167/24
Broadcast address : 192.168.20.255
Helper address : not set
MTU : 1500(byte)
Forward Directed broadcast : OFF
Multicast reserved groups joined:
224.0.0.9 224.0.0.6 224.0.0.5 224.0.0.2
224.0.0.1
Outgoing ACL : not set
Incoming ACL : not set
IP fast switching : ON
IP fast switching on the same interface : OFF
ICMP unreachables : ON
ICMP mask replies : OFF
ICMP redirects : ON

Field description:

Field                              Description
vlan10 is up                       The interface is tagged "up" when the
                                   interface hardware is usable. For the
                                   interface to be usable, both the hardware
                                   and the line protocol must be "up".
line protocol is up                The line protocol is tagged "up" when the
                                   interface can exchange traffic. For the
                                   interface to be usable, both the hardware
                                   and the line protocol must be "up".
IP address                         Interface IP address and network mask.
Broadcast address                  Broadcast address of the interface.
MTU                                IP MTU configured on the interface.
Helper address                     Helper address.
Forward Directed broadcast         Whether directed broadcast packets are
                                   forwarded. OFF is the setting to keep on an
                                   interface facing untrusted hosts, since
                                   forwarded directed broadcasts are what
                                   broadcast amplification attacks rely on.
Multicast reserved groups joined   Reserved multicast groups the interface has
                                   joined.
Outgoing ACL                       Outgoing access control list applied to the
                                   interface.
Incoming ACL                       Inbound access control list applied to the
                                   interface.
Proxy ARP                          Whether the interface performs proxy ARP.
ICMP redirects                     Whether the interface sends ICMP redirect
                                   packets.
ICMP unreachables                  Whether the interface sends ICMP unreachable
                                   packets.
ICMP mask replies                  Whether the interface sends ICMP mask reply
                                   packets.


Chapter 2 IP Service Command

Use the following commands to configure IP services. For more information about
configuring IP services, refer to the chapter "configure IP services".

2.1.1 clear tcp

Clears a TCP connection.

Syntax

clear tcp {local host-name port remote host-name port | tcb address}

Parameter

Parameter               Description
local host-name port    IP address and TCP port of the local host.
remote host-name port   IP address and TCP port of the remote host.
tcb address             Transmission control block (TCB) of the TCP connection
                        to be cleared. The TCB is the identifier of a TCP
                        connection and can be obtained with the command
                        "show tcp brief".

Command mode

Supervisor mode

Explanation

The command "clear tcp" is mainly used to clear TCP connections that are
already dead. When the communication line fails or the peer host restarts, the
TCP connection has in fact stopped, but because no traffic is flowing on it the
system cannot detect this promptly; "clear tcp" closes such an invalid
connection. The command "clear tcp local host-name port remote host-name port"
terminates the TCP connection between the given local and remote IP
address/port pairs. The command "clear tcp tcb address" terminates the TCP
connection identified by the given TCB address. The same command also
terminates a live session, for example a management session from an address
that should not have one.

Example

The following example clears the TCP connection between local 192.168.20.22:23
and remote 192.168.20.120:4420. The command "show tcp brief" shows the local and
remote host information of the current TCP connections.

switch#show tcp brief
TCB      Local Address       Foreign Address       State
0xE85AC8 192.168.20.22:23    192.168.20.120:4420   ESTABLISHED
0xEA38C8 192.168.20.22:23    192.168.20.125:1583   ESTABLISHED
switch#clear tcp local 192.168.20.22 23 remote 192.168.20.120 4420
switch#show tcp brief
TCB      Local Address       Foreign Address       State
0xEA38C8 192.168.20.22:23    192.168.20.125:1583   ESTABLISHED

The following example clears the TCP connection with TCB address 0xea38c8. The
command "show tcp brief" shows the TCB address of each TCP connection.

switch#show tcp brief
TCB      Local Address       Foreign Address       State
0xEA38C8 192.168.20.22:23    192.168.20.125:1583   ESTABLISHED
switch#clear tcp tcb 0xea38c8
switch#show tcp brief
TCB      Local Address       Foreign Address       State
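The TCB values above are read off "show tcp brief" by hand. The following Python example, added here and not part of this manual, parses that output and produces the "clear tcp" command, in either form shown in this section, for every telnet session (local port 23) whose peer is outside an allowed management network. The allowed network, the policy and the third session row (from 10.9.8.7) are constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Added example, not part of the manual. Parses "show tcp brief" output and
# generates "clear tcp" commands for sessions that violate a simple policy.

# Constructed sample: the manual's output plus one session from an address
# outside the management network (an assumption for the demonstration).
SHOW_TCP_BRIEF = """\
TCB      Local Address       Foreign Address       State
0xE85AC8 192.168.20.22:23    192.168.20.120:4420   ESTABLISHED
0xEA38C8 192.168.20.22:23    192.168.20.125:1583   ESTABLISHED
0xEB10A0 192.168.20.22:23    10.9.8.7:40312        ESTABLISHED
"""

ROW_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_show_tcp_brief(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            tcb, lip, lport, rip, rport, state = m.groups()
            sessions.append({"tcb": tcb.lower(),
                             "local": (lip, int(lport)),
                             "remote": (rip, int(rport)),
                             "state": state})
    return sessions


def clear_tcp_command(session, by_tcb=True):
    """Either form of the command from this section, for one session."""
    if by_tcb:
        return f"clear tcp tcb {session['tcb']}"
    (lip, lport), (rip, rport) = session["local"], session["remote"]
    return f"clear tcp local {lip} {lport} remote {rip} {rport}"


def sessions_to_clear(sessions, allowed_nets, local_ports=(23,)):
    """Sessions on the given local ports whose peer is outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    bad = []
    for s in sessions:
        if s["local"][1] not in local_ports:
            continue
        peer = ipaddress.ip_address(s["remote"][0])
        if not any(peer in n for n in nets):
            bad.append(s)
    return bad


if __name__ == "__main__":
    sessions = parse_show_tcp_brief(SHOW_TCP_BRIEF)
    for s in sessions_to_clear(sessions, ["192.168.20.0/24"]):
        print(clear_tcp_command(s))
```

With the sample above the script prints "clear tcp tcb 0xeb10a0", the session from 10.9.8.7; the TCB form is preferred because it still identifies the right connection if the peer reconnects from the same port.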

Relevant command

show tcp

show tcp brief

show tcp tcb

2.1.2 clear tcp statistics

Clears the TCP statistics counters.

Syntax

clear tcp statistics

Parameter

none

Command mode

Supervisor mode

Example

Use the following command to clear TCP statistics:


switch#clear tcp statistics


Relevant command

show tcp statistics

2.1.3 debug arp

Shows ARP exchange information: ARP requests sent, ARP responses received, ARP
requests received, ARP responses sent, and so on. When the switch cannot
communicate with a host, this command can be used to analyse the ARP exchange.
Use "no debug arp" to stop the output.

Syntax

debug arp

no debug arp

Parameter

none

Command mode

Supervisor mode

Example

switch#debug arp
switch#IP ARP: rcvd req src 192.168.20.116 00:90:27:a7:a9:c2, dst 192.168.20.111, vlan 10
IP ARP: req filtered src 192.168.20.139 00:90:27:d5:a9:1f, dst 192.168.20.82 00:00:00:00:00:00, wrong cable, vlan 11
IP ARP: created an incomplete entry for IP address 192.168.20.77, vlan 10
IP ARP: sent req src 192.168.20.22 08:00:3e:33:33:8a, dst 192.168.20.77, vlan 10
IP ARP: rcvd reply src 192.168.20.77 00:30:80:d5:37:e0, dst 192.168.20.22, vlan 10

The first line means that the switch received an ARP request on interface
VLAN 10. The IP address of the requesting host is 192.168.20.116 and its MAC
address is 00:90:27:a7:a9:c2; it asks for the MAC address of the host with IP
address 192.168.20.111:
IP ARP: rcvd req src 192.168.20.116 00:90:27:a7:a9:c2, dst 192.168.20.111, vlan 10

The second line means that the switch received an ARP request from
192.168.20.139 on interface VLAN 11, but according to the switch's interface
configuration this interface is not on the network the host claims to be on,
so the host is probably misconfigured (or is deliberately claiming an address
that belongs to another segment). The switch discards the request ("wrong
cable") instead of learning from it: if it populated the ARP cache from this
information, it might lose the ability to communicate with a host that
legitimately holds the same address on the correct interface.
IP ARP: req filtered src 192.168.20.139 00:90:27:d5:a9:1f, dst 192.168.20.82 00:00:00:00:00:00, wrong cable, vlan 11

The third line means that the switch wants to resolve the MAC address of host
192.168.20.77, so it creates an incomplete ARP entry for the host and fills in
the MAC address when the ARP reply arrives. According to the switch's
configuration, this host is attached to interface VLAN 10.
IP ARP: created an incomplete entry for IP address 192.168.20.77, vlan 10

The fourth line means that the switch sent an ARP request on interface VLAN 10.
The switch's IP address is 192.168.20.22, the MAC address of the interface is
08:00:3e:33:33:8a, and the requested host is 192.168.20.77. This line is
related to the third one.
IP ARP: sent req src 192.168.20.22 08:00:3e:33:33:8a, dst 192.168.20.77, vlan 10

The fifth line means that the switch received, on interface VLAN 10, an ARP
reply from 192.168.20.77 to the switch address 192.168.20.22, announcing that
its MAC address is 00:30:80:d5:37:e0. This line is related to the third and
fourth ones.
IP ARP: rcvd reply src 192.168.20.77 00:30:80:d5:37:e0, dst 192.168.20.22, vlan 10

2.1.4 debug ip icmp

Shows Internet Control Message Protocol (ICMP) exchange information. Use the
command "no debug ip icmp" to disable the debug output.

Syntax

debug ip icmp

no debug ip icmp

Parameter

none

Command mode

Supervisor mode

Explanation

This command shows the ICMP packets the system receives and sends, which helps
in troubleshooting end-to-end connectivity problems in the network. For details
of the messages in the output of "debug ip icmp", refer to RFC 792, "Internet
Control Message Protocol".

Example

switch#debug ip icmp
switch#ICMP: sent pointer indicating to 192.168.20.124 (dst was 192.168.20.22), len 48
ICMP: rcvd echo from 192.168.20.125, len 40
ICMP: sent echo reply, src 192.168.20.22, dst 192.168.20.125, len 40
ICMP: sent dst (202.96.209.133) host unreachable to 192.168.20.124, len 36
ICMP: sent dst (192.168.20.22) protocol unreachable to 192.168.20.124, len 36
ICMP: rcvd host redirect from 192.168.20.77, for dst 22.0.0.3 use gw 192.168.20.26, len 36
ICMP: rcvd dst (22.0.0.3) host unreachable from 192.168.20.26, len 36
ICMP: sent host redirect to 192.168.20.124, for dst 22.0.0.5 use gw 192.168.20.77, len 36
ICMP: rcvd dst (2.2.2.2) host unreachable from 192.168.20.26, len 36

The first line is explained as follows:

ICMP: sent pointer indicating to 192.168.20.124 (dst was 192.168.20.22), len 48

Field                     Description
ICMP                      Information about an Internet Control Message
                          Protocol (ICMP) packet.
sent                      An ICMP packet was sent.
pointer indicating        ICMP packet type. This packet reports a parameter
                          error in the original IP packet and points at the
                          field in error. Other ICMP packet types are:
                          echo reply
                          dst unreachable, which includes:
                            net unreachable
                            host unreachable
                            protocol unreachable
                            port unreachable
                            fragmentation needed and DF set
                            source route failed
                            net unknown
                            destination host unknown
                            source host isolated
                            net prohibited
                            host prohibited
                            net tos unreachable
                            host tos unreachable
                          source quench
                          redirect, which includes:
                            net redirect
                            host redirect
                            net tos redirect
                            host tos redirect
                          echo
                          router advertisement
                          router solicitation
                          time exceeded, which includes:
                            ttl exceeded
                            reassembly timeout
                          parameter problem, which includes:
                            pointer indicating
                            option missed
                            bad length
                          timestamp
                          timestamp reply
                          information request
                          information reply
                          mask request
                          mask reply
                          For an ICMP type unknown to the system, the ICMP
                          type and code values are shown instead.
to 192.168.20.124         The destination address of the ICMP packet is
                          192.168.20.124; it is also the source address of the
                          original packet that triggered the ICMP packet.
(dst was 192.168.20.22)   The destination address of the original packet that
                          triggered the ICMP packet was 192.168.20.22.
len 48                    The length of the ICMP packet is 48 bytes, not
                          including the IP header.

The second line is explained as follows:

ICMP: rcvd echo from 192.168.20.125, len 40

Field                 Description
rcvd                  An ICMP packet was received.
echo                  ICMP packet type: echo request.
from 192.168.20.125   The source address of the ICMP packet is 192.168.20.125.

The third line is explained as follows:

ICMP: sent echo reply, src 192.168.20.22, dst 192.168.20.125, len 40

Field                 Description
src 192.168.20.22     The source address of the ICMP packet is 192.168.20.22.
dst 192.168.20.125    The destination address of the ICMP packet is
                      192.168.20.125.

Different ICMP packet types are printed in different formats so that the packet
content can be shown conveniently.

For example, ICMP redirect packets are printed in the following format:

ICMP: rcvd host redirect from 192.168.20.77, for dst 22.0.0.3 use gw 192.168.20.26, len 36


ICMP: sent host redirect to 192.168.20.124, for dst 22.0.0.5 use gw 192.168.20.77, len 36

The first line means that an ICMP host redirect packet was received from host
192.168.20.77 suggesting that gateway 192.168.20.26 be used to reach
destination host 22.0.0.3; the ICMP packet is 36 bytes long. A host that
honours redirects changes its next hop for that destination, so a redirect from
a host that is not a known gateway on the segment deserves a closer look: it is
also how an attacker on the segment can pull traffic for a destination through
itself.

The second line means that an ICMP host redirect packet was sent to
192.168.20.124 telling it to use 192.168.20.77 to reach host 22.0.0.5; the
ICMP packet is 36 bytes long.

ICMP destination unreachable packets are printed in the following format:

ICMP: sent dst (202.96.209.133) host unreachable to 192.168.20.124, len 36

ICMP: rcvd dst (2.2.2.2) host unreachable from 192.168.20.26, len 36

The first line means that the switch could not route an IP packet, so it sent
an ICMP destination host 202.96.209.133 unreachable packet to the source host
of that packet, 192.168.20.124; the ICMP packet is 36 bytes long.

The second line means that the switch received an ICMP packet from host
192.168.20.26 reporting that destination host 2.2.2.2 is unreachable; the ICMP
packet is 36 bytes long.
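The redirect and unreachable formats above are regular enough to parse. The following Python example, added here and not part of this manual, classifies "debug ip icmp" lines into (direction, type) counts and flags received redirects whose gateway is not in a set of trusted gateways supplied by the caller; the sample lines are the manual's own and the trusted-gateway sets in the usage are assumptions.

```python
import re
from collections import Counter

# Added example, not part of the manual. Parses "debug ip icmp" lines in the
# formats shown in this section, summarises them by direction and type, and
# flags received redirects that name a gateway outside a trusted set (the
# trusted set is an assumption supplied by the caller).

# Constructed sample: the lines from the manual's example.
DEBUG_ICMP = """\
ICMP: sent pointer indicating to 192.168.20.124 (dst was 192.168.20.22), len 48
ICMP: rcvd echo from 192.168.20.125, len 40
ICMP: sent echo reply, src 192.168.20.22, dst 192.168.20.125, len 40
ICMP: sent dst (202.96.209.133) host unreachable to 192.168.20.124, len 36
ICMP: sent dst (192.168.20.22) protocol unreachable to 192.168.20.124, len 36
ICMP: rcvd host redirect from 192.168.20.77, for dst 22.0.0.3 use gw 192.168.20.26, len 36
ICMP: rcvd dst (22.0.0.3) host unreachable from 192.168.20.26, len 36
ICMP: sent host redirect to 192.168.20.124, for dst 22.0.0.5 use gw 192.168.20.77, len 36
ICMP: rcvd dst (2.2.2.2) host unreachable from 192.168.20.26, len 36
"""

REDIRECT_RE = re.compile(
    r"^ICMP: (sent|rcvd) (net|host)( tos)? redirect (?:from|to) (\S+), "
    r"for dst (\S+) use gw (\S+), len (\d+)$")
UNREACH_RE = re.compile(
    r"^ICMP: (sent|rcvd) dst \((\S+)\) (.+?) unreachable (?:from|to) (\S+), "
    r"len (\d+)$")
# Anything else: "<type> to/from <peer>" or "<type>, src <a>, dst <peer>".
GENERIC_RE = re.compile(
    r"^ICMP: (sent|rcvd) (.+?)(?: to | from |, src \S+, dst )(\S+?)(?:,|\s)"
    r".*len (\d+)$")


def parse_icmp_line(line):
    """Return a dict for one debug line, or None if it is not ICMP output."""
    m = REDIRECT_RE.match(line)
    if m:
        direction, scope, tos, peer, dst, gw, length = m.groups()
        return {"dir": direction, "kind": scope + (tos or "") + " redirect",
                "peer": peer, "dst": dst, "gw": gw, "len": int(length)}
    m = UNREACH_RE.match(line)
    if m:
        direction, dst, code, peer, length = m.groups()
        return {"dir": direction, "kind": code + " unreachable", "peer": peer,
                "dst": dst, "gw": None, "len": int(length)}
    m = GENERIC_RE.match(line)
    if m:
        direction, kind, peer, length = m.groups()
        return {"dir": direction, "kind": kind, "peer": peer, "dst": None,
                "gw": None, "len": int(length)}
    return None


def parse_debug_icmp(text):
    return [r for r in map(parse_icmp_line, text.splitlines()) if r]


def summarize(text):
    """Counter keyed by (direction, kind)."""
    return Counter((r["dir"], r["kind"]) for r in parse_debug_icmp(text))


def redirect_findings(text, trusted_gateways):
    """Received redirects that point a destination at an untrusted gateway."""
    findings = []
    for r in parse_debug_icmp(text):
        if (r["dir"] == "rcvd" and r["kind"].endswith("redirect")
                and r["gw"] not in trusted_gateways):
            findings.append(("high", f"{r['peer']} redirected {r['dst']} "
                                     f"to untrusted gateway {r['gw']}"))
    return findings


if __name__ == "__main__":
    for key, n in sorted(summarize(DEBUG_ICMP).items()):
        print(n, *key)
    for sev, msg in redirect_findings(DEBUG_ICMP, {"192.168.20.1"}):
        print(sev, msg)
```

With the trusted set {"192.168.20.1"} the redirect from 192.168.20.77 naming 192.168.20.26 is reported; with {"192.168.20.26"} nothing is, which is the distinction between a legitimate second router on the segment and a host steering traffic.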

2.1.5 debug ip packet

Shows Internet Protocol (IP) packet processing information. Use "no debug ip
packet" to stop the output.

Syntax

debug ip packet [detail] [ip-access-list-name]

no debug ip packet

Parameter

Parameter             Description
detail                (Optional) Also show transport-layer information: for UDP
                      the source and destination ports, otherwise the IP
                      protocol number.
ip-access-list-name   (Optional) Show only packets that match the named IP
                      access list.

Command mode

Supervisor mode

Explanation

This command shows what finally happens to every IP packet that is received or
generated locally, which helps to find the cause of a communication problem.

Possible dispositions include:

Forwarded
Forwarded as a broadcast or multicast packet
Routing failure during forwarding
Redirect packet sent
Rejected because the packet carries a source routing option
Rejected because the packet carries illegal IP options
Source routed
Locally generated packet needs fragmentation but the DF bit is set
Packet received
IP fragment received
Packet sent
Broadcast/multicast sent
Routing failure for a locally generated packet
Locally generated packet fragmented
Received packet filtered
Sent packet filtered
Link layer encapsulation failure (Ethernet only)
Unknown protocol

This command can produce a very large amount of output, so run it only when the
switch is relatively idle; otherwise it seriously degrades system performance.
Use an access list to filter the output so that only the packets of interest
are shown.

Example

switch#debug ip packet
switch#IP: s=192.168.20.120 (vlan 10), d=19.0.0.9 (vlan 10), g=192.168.20.1, len=60, redirected
IP: s=192.168.20.22 (local), d=192.168.20.120 (vlan 10), g=192.168.20.120, len=56, sending
IP: s=192.168.20.120 (vlan 10), d=19.0.0.9 (vlan 10), g=192.168.20.1, len=60, forward
IP: s=192.168.20.81 (vlan 10), d=192.168.20.22 (vlan 10), len=56, rcvd
Field                        Description
IP                           The line describes an IP packet.
s=192.168.20.120 (vlan 10)   Source address of the IP packet and the name of
                             the VLAN interface on which it was received
                             (absent for locally generated packets).
d=19.0.0.9 (vlan 10)         Destination address of the IP packet and the name
                             of the VLAN interface on which it is sent
                             (present if routing succeeded).
g=192.168.20.1               Next-hop address of the IP packet; either a
                             gateway address or the destination address itself.
len                          Length of the IP packet.
redirected                   The switch will send an ICMP redirect packet to
                             the source host of this packet. Other
                             dispositions are:
                             forward: the packet is forwarded.
                             forward directed broadcast: the packet is sent as
                               a directed broadcast and is turned into a
                               physical broadcast on the sending interface.
                             unroutable: routing failed and the packet is
                               discarded.
                             source route: the packet is source routed.
                             rejected source route: the system does not
                               currently support source routing, so a packet
                               with an IP source route option is rejected.
                             bad options: IP option error; the packet is
                               discarded.
                             need frag but DF set: a locally generated packet
                               needs fragmentation but the DF bit is set.
                             rcvd: the packet is received locally.
                             rcvd fragment: a packet fragment is received.
                             sending: a locally generated packet is sent.
                             sending broad/multicast: a locally generated
                               broadcast/multicast packet is sent.
                             sending fragment: a fragment of a locally
                               generated packet is sent.
                             denied by in acl: denied by the inbound access
                               list of the receiving interface.
                             denied by out acl: denied by the outbound access
                               list of the sending interface.
                             unknown protocol: unknown protocol.
                             encapsulation failed: link layer encapsulation
                               error, Ethernet only; shown when a packet to be
                               sent on Ethernet is discarded because ARP
                               resolution failed.

The first line means that the switch received an IP packet with source address 192.168.20.120 on interface VLAN 10, the destination address is 19.0.0.9, the sending interface chosen by the routing table is also VLAN 10, the gateway is 192.168.20.1 and the packet length is 60 bytes. Because the source host and the gateway to be used are on the same network (the network attached to interface VLAN 10 of the switch), the switch sends an ICMP redirect:

IP: s=192.168.20.120 (vlan 10), d=19.0.0.9 (vlan 10), g=192.168.20.1, len=60, redirected

The second line describes the sending of that ICMP redirect. The source address is the local address 192.168.20.22, the destination is the previous packet's source address 192.168.20.120, it is sent from interface VLAN 10, and since the destination is directly reachable the gateway address equals the destination address 192.168.20.120. The ICMP redirect is 56 bytes long:

IP: s=192.168.20.22 (local), d=192.168.20.120 (vlan10), g=192.168.20.120, len=56, sending

The third line means that the IP layer received an IP packet with source address 192.168.20.120 on interface VLAN 10, the destination address is 19.0.0.9, the routing table says it should be forwarded out of interface VLAN 10 via gateway 192.168.20.77, and the packet length is 60 bytes. It shows that after sending the ICMP redirect the switch still forwards the packet shown in the first line:

IP: s=192.168.20.120 (vlan10), d=19.0.0.9 (vlan10), g=192.168.20.77, len=60, forward

The fourth line means that the IP layer received an IP packet with source address 192.168.20.81 on interface VLAN 10; the destination address 192.168.20.22 is an address configured on interface VLAN 10 of the switch, the packet length is 56 bytes, and it is delivered locally:

IP: s=192.168.20.81 (vlan10), d=192.168.20.22 (vlan10), len=56, rcvd

The output of the command "debug ip packet detail" looks like this:
switch#debug ip packet detail
switch#IP: s=192.168.12.8 (vlan 10), d=255.255.255.255 (vlan 10), len=328, rcvd, UDP: src=68, dst=67
IP: s=192.168.20.26 (vlan 10), d=224.0.0.5 (vlan 10), len=68, rcvd, proto=89
IP: s=192.168.20.125 (vlan 10), d=192.168.20.22 (vlan 10), len=84, rcvd, ICMP: type=0, code = 0
IP: s=192.168.20.22 (local), d=192.168.20.124 (vlan 10), g=192.168.20.124, len=40, sending, TCP: src=1024, dst=23, seq=75098622, ack=161000466, win=17520, ACK

Field   Description
UDP   Protocol name, such as UDP, ICMP or TCP. Other protocols are shown by protocol number (proto=).

type, code   ICMP message type and code.

src, dst   Source port and destination port of a UDP or TCP packet.

seq   Sequence number of a TCP packet.

ack   Acknowledgement number of a TCP packet.

win   Window value of a TCP packet.

ACK   The ACK control bit of the TCP packet is set, meaning the acknowledgement number is valid. The other control bits are SYN, URG, FIN, PSH and RST.

The first line shows a received UDP packet with source port 68 and destination port 67 (a DHCP client request):
IP: s=192.168.12.8 (vlan 10), d=255.255.255.255 (vlan 10), len=328, rcvd, UDP: src=68, dst=67

The second line shows a received packet of protocol number 89 (OSPF), for which no port decoding is done:
IP: s=192.168.20.26 (vlan 10), d=224.0.0.5 (vlan 10), len=68, rcvd, proto=89

The third line shows a received ICMP packet with type 0 and code 0 (echo reply):
IP: s=192.168.20.125 (vlan 10), d=192.168.20.22 (vlan 10), len=84, rcvd, ICMP: type=0, code = 0

The fourth line shows a sent TCP packet with source port 1024, destination port 23, sequence number 75098622, acknowledgement number 161000466, receive window 17520 and the ACK flag set. For the meaning of these fields see RFC 793, TRANSMISSION CONTROL PROTOCOL.
IP: s=192.168.20.22 (local), d=192.168.20.124 (vlan 10), g=192.168.20.124, len=40, sending, TCP: src=1024, dst=23, seq=75098622, ack=161000466, win=17520, ACK

The access list argument works as follows. For example, to display only packets whose source address is 192.168.20.125, first define a standard access list named abc that permits only IP packets with source address 192.168.20.125, then name that access list in the "debug ip packet" command:
switch#config
switch_config#ip access-list standard abc
switch_config_std_nacl#permit 192.168.20.125
switch_config_std_nacl#exit
switch_config#exit
switch#debug ip packet abc
switch#IP: s=192.168.20.125 (vlan 101), d=192.168.20.22 (vlan 101), len=48, rcvd

This example uses a standard access list; an extended access list can be used in the same way to match on destination address, protocol or port as well.
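As an added example (not part of the switch documentation or the vendor's software), the following Python script parses lines in the "debug ip packet" and "debug ip packet detail" formats shown above and filters them the way the access-list argument does, additionally picking out the dispositions that mean a packet was dropped or denied. The first six sample lines are copied from the output above; the last is constructed to show an access-list denial. Names such as PacketEvent and DROP_DISPOSITIONS are this example's own.

```python
"""Parse and filter 'debug ip packet [detail]' output lines.

Added example, not the switch vendor's code. The line layout follows the sample
output on this page; names such as PacketEvent and DROP_DISPOSITIONS are this
example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Dispositions listed on this page. Longer phrases come first so that, for
# example, "rcvd fragment" is not mistaken for "rcvd".
DISPOSITIONS = [
    "forward directed broadcast", "rejected source route", "need frag but DF set",
    "sending broad/multicast", "sending fragment", "rcvd fragment",
    "denied by in acl", "denied by out acl", "encapsulation failed",
    "unknown protocol", "source route", "bad options", "unroutable",
    "redirected", "forward", "sending", "rcvd",
]
# Outcomes in which the packet never reached its destination: worth alerting on.
DROP_DISPOSITIONS = {
    "unroutable", "rejected source route", "bad options", "need frag but DF set",
    "denied by in acl", "denied by out acl", "unknown protocol", "encapsulation failed",
}

# "IP: s=<src> (<if>), d=<dst> (<if>), [g=<gw>,] len=<n>, <disposition>[, <l4 detail>]"
IP_RE = re.compile(
    r"IP:\s*s=(?P<src>[\d.]+)\s*\((?P<sif>[^)]*)\),\s*"
    r"d=(?P<dst>[\d.]+)\s*\((?P<dif>[^)]*)\),\s*"
    r"(?:g=(?P<gw>[\d.]+),\s*)?len=(?P<len>\d+),\s*(?P<rest>.*)$"
)


@dataclass
class PacketEvent:
    src: str
    src_if: str
    dst: str
    dst_if: str
    gateway: Optional[str]
    length: int
    disposition: str
    proto: Optional[str] = None                       # "UDP", "TCP", "ICMP" or a protocol number
    l4: Dict[str, str] = field(default_factory=dict)  # ports, seq/ack/win, ICMP type/code, flags


def _parse_detail(ev: PacketEvent, detail: str) -> None:
    """Fill in the detail part: 'proto=89', 'UDP: src=68, dst=67',
    'ICMP: type=0, code = 0' or 'TCP: src=..., ..., win=..., ACK'."""
    if detail.startswith("proto="):
        ev.proto = detail.split("=", 1)[1].strip()
        return
    name, _, fields = detail.partition(":")
    ev.proto = name.strip()
    flags = []
    for item in fields.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            key, value = (part.strip() for part in item.split("=", 1))
            ev.l4[key] = value
        else:
            flags.append(item)          # bare TCP control bits such as ACK or SYN
    if flags:
        ev.l4["flags"] = " ".join(flags)


def parse_line(line: str) -> Optional[PacketEvent]:
    """Return a PacketEvent for one debug line, or None if it is not one."""
    m = IP_RE.search(line)
    if m is None:
        return None
    rest = m["rest"].strip()
    disposition = next((d for d in DISPOSITIONS if rest.startswith(d)), None)
    if disposition is None:
        return None
    ev = PacketEvent(m["src"], m["sif"], m["dst"], m["dif"], m["gw"],
                     int(m["len"]), disposition)
    detail = rest[len(disposition):].lstrip(", ")
    if detail:
        _parse_detail(ev, detail)
    return ev


def select(lines: List[str], src: Optional[str] = None,
           only_drops: bool = False) -> List[PacketEvent]:
    """Filter like the access-list argument of 'debug ip packet': keep events
    from one source address and/or only those whose packet was dropped."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if src is not None and ev.src != src:
            continue
        if only_drops and ev.disposition not in DROP_DISPOSITIONS:
            continue
        out.append(ev)
    return out


# Sample input: the first six lines are copied from the output shown on this page;
# the last line is constructed for this example to show an access-list denial.
SAMPLE = [
    "IP: s=192.168.20.120 (vlan 10), d=19.0.0.9 (vlan 10), g=192.168.20.1, len=60, redirected",
    "IP: s=192.168.20.22 (local), d=192.168.20.120 (vlan10), g=192.168.20.120, len=56, sending",
    "IP: s=192.168.12.8 (vlan 10), d=255.255.255.255 (vlan 10), len=328, rcvd, UDP: src=68, dst=67",
    "IP: s=192.168.20.26 (vlan 10), d=224.0.0.5 (vlan 10), len=68, rcvd, proto=89",
    "IP: s=192.168.20.125 (vlan 10), d=192.168.20.22 (vlan 10), len=84, rcvd, ICMP: type=0, code = 0",
    "IP: s=192.168.20.22 (local), d=192.168.20.124 (vlan 10), g=192.168.20.124, len=40, sending, "
    "TCP: src=1024, dst=23, seq=75098622, ack=161000466, win=17520, ACK",
    "IP: s=10.9.9.9 (vlan 10), d=192.168.20.22 (vlan 10), len=40, denied by in acl",
]

if __name__ == "__main__":
    for ev in select(SAMPLE, only_drops=True):
        print(f"dropped: {ev.src} -> {ev.dst} ({ev.disposition})")
```

Run against a captured debug session, `select(lines, only_drops=True)` gives the packets the switch refused or could not deliver, which is usually what you want to correlate with an access-list change or a routing problem; `select(lines, src=...)` reproduces what the standard access list abc does on the switch, but offline.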

Relevant command

debug ip tcp packet

2.1.6 debug ip raw

Displays the processing of IP packets. Use "no debug ip raw" to stop the display.

Syntax

debug ip raw [detail] [access-list-group] [interface]

no debug ip raw

Parameter

Parameter   Description
detail   (Optional) Also output the protocol information carried in the IP packet, such as protocol number, UDP or TCP port numbers and ICMP message type.

access-list-group   (Optional) Name of the IP access list used to filter the output. Only packets matching the access list are shown.

interface   (Optional) Interface used to filter the output. Only packets received or sent on that interface are shown.

Command mode

Supervisor mode


Explanation

This command helps determine the final disposition of every received or locally generated IP packet, and the reason for it. Possible outcomes are:

Forwarded

Forwarded as broadcast or multicast

Routing failure while forwarding

Redirect sent

Rejected because it carries a source-route option

Rejected because it carries illegal IP options

Source routed

Locally generated packet needs fragmentation but its DF bit is set

Packet received

IP fragment received

Packet sent

Broadcast/multicast sent

Routing failure for a locally generated packet

Locally generated packet fragmented

Received packet filtered by access list

Sent packet filtered by access list

Link-layer encapsulation failure (Ethernet only)

Unknown protocol

This command can produce a large amount of output and will noticeably load the switch, so run it only when the switch is lightly loaded, and always narrow it with an access list or interface so that only the packets of interest are displayed.

Example

The same as “debug ip packet”


Relevant command

debug ip tcp packet

2.1.7 debug ip tcp packet

Displays sent and received Transmission Control Protocol (TCP) packets. Use "no debug ip tcp packet" to stop the display.

Syntax

debug ip tcp packet

no debug ip tcp packet

Parameter

none

Command mode

Supervisor mode

Example

switch#debug ip tcp packet
switch#tcp: O ESTABLISHED 192.168.20.22:23 192.168.20.125:3828 seq 50659460 DATA 1 ACK 3130379810 PSH WIN 4380
tcp: I ESTABLISHED 192.168.20.22:23 192.168.20.125:3828 seq 3130379810 DATA 2 ACK 50659460 PSH WIN 16372
tcp: O ESTABLISHED 192.168.20.22:23 192.168.20.125:3828 seq 50659461 DATA 50 ACK 3130379812 PSH WIN 4380
tcp: O FIN_WAIT_1 192.168.20.22:23 192.168.20.125:3828 seq 50659511 ACK 3130379812 FIN WIN 4380
tcp: I FIN_WAIT_1 192.168.20.22:23 192.168.20.125:3828 seq 3130379812 ACK 50659511 WIN 16321
tcp: I FIN_WAIT_1 192.168.20.22:23 192.168.20.125:3828 seq 3130379812 ACK 50659512 WIN 16321
tcp: I FIN_WAIT_2 192.168.20.22:23 192.168.20.125:3828 seq 3130379812 ACK 50659512 FIN WIN 16321
tcp: O TIME_WAIT 192.168.20.22:23 192.168.20.125:3828 seq 50659512 ACK 3130379813 WIN 4380
tcp: I LISTEN 0.0.0.0:23 0.0.0.0:0 seq 3813109318 DATA 2 ACK 8057944 PSH WIN 17440
tcp: O LISTEN 0.0.0.0:23 0.0.0.0:0 seq 8057944 RST


Field   Description
tcp:   Marks a line of TCP packet information.

O   Sent TCP packet.

I   Received TCP packet.

ESTABLISHED   Current state of the TCP connection. For the TCP connection states see the explanation of command "debug ip tcp transactions".

192.168.20.22:23   Source address of the packet is 192.168.20.22 and the source port is 23.

192.168.20.125:3828   Destination address of the packet is 192.168.20.125 and the destination port is 3828.

seq 50659460   Sequence number of the packet is 50659460.

DATA 1   The packet carries 1 byte of payload.

ACK 3130379810   Acknowledgement number of the packet is 3130379810.

PSH   The PSH control bit of the packet is set. The other control bits are ACK, FIN, SYN, URG and RST.

WIN 4380   The window field tells the peer how much receive buffer the sender has available on this connection; here it is 4380 bytes.

If a field is not displayed, that field has no valid value in this TCP packet.

Note the last two lines of the example: a segment with the ACK bit set arrives at listening port 23 but matches no existing connection (the control block is still in LISTEN with no peer, shown as 0.0.0.0:0), so the switch answers with a RST whose sequence number is the incoming segment's acknowledgement number (8057944), as RFC 793 requires for such a segment in LISTEN. Stray or spoofed segments aimed at the management ports therefore show up in this output as I/O pairs ending in RST.

Relevant command

debug ip tcp transactions

2.1.8 debug ip tcp transactions

Displays important Transmission Control Protocol (TCP) events, such as TCP connection state changes. Use "no debug ip tcp transactions" to stop the display.

Syntax

debug ip tcp transactions

no debug ip tcp transactions

Parameter

none

Command mode

Supervisor mode


Example

switch#debug ip tcp transactions


switch#TCP: rcvd connection attempt to port 23
TCP: TCB 0xE88AC8 created
TCP: state was LISTEN -> SYN_RCVD [23 -> 192.168.20.125:3828]
TCP: sending SYN, seq 50658312, ack 3130379657 [23 -> 192.168.20.125:3828]
TCP: state was SYN_RCVD -> ESTABLISHED [23 -> 192.168.20.125:3828]
TCP: connection closed by user, state was LISTEN [23 -> 0.0.0.0:0]
TCP: state was TIME_WAIT -> CLOSED [23 -> 192.168.20.125:3827]
TCP: TCB 0xE923C8 deleted
TCP: TCB 0xE7DBC8 created
TCP: connection to 192.168.20.124:513 from 192.168.20.22:1022, state was CLOSED to SYN_SENT
TCP: sending SYN, seq 52188680, ack 0 [1022 -> 192.168.20.124:513]
TCP: state was SYN_SENT -> ESTABLISHED [1022 -> 192.168.20.124:513]
TCP: rcvd FIN, state was ESTABLISHED -> CLOSE_WAIT [1022 -> 192.168.20.124:513]
TCP: connection closed by user, state was CLOSE_WAIT [1022 -> 192.168.20.124:513]
TCP: sending FIN [1022 -> 192.168.20.124:513]
TCP: connection closed by user, state was LAST_ACK [1022 -> 192.168.20.124:513]
TCP: state was LAST_ACK -> CLOSED [1022 -> 192.168.20.124:513]
TCP: TCB 0xE7DBC8 deleted
Field   Description
TCP:   Marks a line of TCP event information.

rcvd connection attempt to port 23   A connection attempt to port 23 (telnet) was received.

TCB 0xE88AC8 created   A new TCP connection control block was created, identified as 0xE88AC8.

state was LISTEN -> SYN_RCVD   The TCP state machine changed from LISTEN to SYN_RCVD. Possible TCP states are:

LISTEN --- waiting for a connection request from any remote host.

SYN_SENT --- a connection request has been sent to start the TCP handshake; waiting for the peer's response.

SYN_RCVD --- a connection request was received and acknowledged, and the local side has sent its own request; waiting for the peer to acknowledge it.

ESTABLISHED --- the connection is set up; data can be exchanged and the upstream application is served.

FIN_WAIT_1 --- a request to close the connection has been sent; waiting for the peer's acknowledgement and for the peer's own close request.

FIN_WAIT_2 --- the close request has been sent and acknowledged; waiting for the peer's close request.

CLOSE_WAIT --- the peer's close request was received and acknowledged; waiting for the local application to close the connection, at which point the system sends its own close request.

CLOSING --- the local close request has been sent, and the peer's close request has been received and acknowledged; waiting for the peer to acknowledge the local close request.

LAST_ACK --- the peer's close request was received and acknowledged and the local close request has been sent; waiting for its acknowledgement.

TIME_WAIT --- waiting long enough to be sure the peer received the acknowledgement of its close request and that any segments of this connection still travelling in the network have been delivered or discarded.

CLOSED --- no connection, or the connection is completely closed.

For details see RFC 793, TRANSMISSION CONTROL PROTOCOL.

[23 -> 192.168.20.125:3828]   In this column the first field (23) is the local TCP port, the second field (192.168.20.125) is the remote IP address and the third field (3828) is the remote TCP port.

sending SYN   A connection request segment is sent (SYN bit set in the TCP header). The other TCP control bits are ACK, FIN, PSH, RST and URG.

seq 50658312   Sequence number of the sent segment is 50658312.

ack 3130379657   Acknowledgement number of the sent segment is 3130379657.

rcvd FIN   A close request was received (FIN bit set in the TCP header).

connection closed by user   The TCP connection was closed at the request of the upstream application.

connection timed out   The connection timed out and was closed.
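As an added example (not part of the switch documentation or the vendor's software), the following Python script reads a "debug ip tcp transactions" trace, checks every logged "state was X -> Y" line against the RFC 793 state machine, and lists the TCBs created in the trace that were never deleted. The trace lines are copied from the example above; the one bogus transition at the end is constructed to show what a violation looks like. The transition table LEGAL and the helper names are this example's own.

```python
"""Check a 'debug ip tcp transactions' trace against the RFC 793 state machine.

Added example, not the switch vendor's code. It reads the "state was X -> Y"
lines shown on this page, reports transitions RFC 793 does not allow, and
tracks which TCBs were created but not deleted within the trace.
"""
import re
from typing import Dict, List, Set, Tuple

# Legal successor states per RFC 793, section 3.2. CLOSED is reachable from
# every state because a RST or a local abort tears the connection down.
LEGAL: Dict[str, Set[str]] = {
    "CLOSED":      {"LISTEN", "SYN_SENT"},
    "LISTEN":      {"SYN_RCVD", "SYN_SENT", "CLOSED"},
    "SYN_SENT":    {"SYN_RCVD", "ESTABLISHED", "CLOSED"},
    "SYN_RCVD":    {"ESTABLISHED", "FIN_WAIT_1", "LISTEN", "CLOSED"},
    "ESTABLISHED": {"FIN_WAIT_1", "CLOSE_WAIT", "CLOSED"},
    "FIN_WAIT_1":  {"FIN_WAIT_2", "CLOSING", "TIME_WAIT", "CLOSED"},
    "FIN_WAIT_2":  {"TIME_WAIT", "CLOSED"},
    "CLOSING":     {"TIME_WAIT", "CLOSED"},
    "CLOSE_WAIT":  {"LAST_ACK", "CLOSED"},
    "LAST_ACK":    {"CLOSED"},
    "TIME_WAIT":   {"CLOSED"},
}

# The trace writes transitions as "state was X -> Y" or "state was X to Y".
TRANS_RE = re.compile(r"state was (?P<old>[A-Z_0-9]+) (?:->|to) (?P<new>[A-Z_0-9]+)")
# Connection identity: "[lport -> raddr:rport]" or "connection to raddr:rport from laddr:lport".
BRACKET_RE = re.compile(r"\[(?P<lport>\d+) -> (?P<raddr>[\d.]+):(?P<rport>\d+)\]")
CONN_TO_RE = re.compile(r"connection to (?P<raddr>[\d.]+):(?P<rport>\d+) from [\d.]+:(?P<lport>\d+)")
TCB_RE = re.compile(r"TCB (?P<tcb>0x[0-9A-Fa-f]+) (?P<what>created|deleted)")

Conn = Tuple[str, str, str]   # (local port, remote address, remote port)


def conn_of(line: str) -> Conn:
    m = BRACKET_RE.search(line) or CONN_TO_RE.search(line)
    if m is None:
        return ("?", "?", "?")
    return (m["lport"], m["raddr"], m["rport"])


def check_transitions(lines: List[str]) -> Tuple[List[Tuple[Conn, str, str]], List[str]]:
    """Return (all logged transitions, list of violation messages)."""
    transitions, violations = [], []
    for line in lines:
        m = TRANS_RE.search(line)
        if m is None:
            continue
        old, new = m["old"], m["new"]
        conn = conn_of(line)
        transitions.append((conn, old, new))
        if new not in LEGAL.get(old, set()):
            violations.append(f"{conn}: {old} -> {new} is not an RFC 793 transition")
    return transitions, violations


def open_tcbs(lines: List[str]) -> Set[str]:
    """TCBs created in the trace and not deleted by its end. A growing set of
    such blocks while 'rcvd connection attempt' lines keep arriving is what a
    flood of half-open connections to the management ports looks like."""
    created: Set[str] = set()
    for line in lines:
        m = TCB_RE.search(line)
        if m is None:
            continue
        if m["what"] == "created":
            created.add(m["tcb"])
        else:
            created.discard(m["tcb"])
    return created


# Sample input copied from the 'debug ip tcp transactions' output on this page.
TRACE = [
    "TCP: rcvd connection attempt to port 23",
    "TCP: TCB 0xE88AC8 created",
    "TCP: state was LISTEN -> SYN_RCVD [23 -> 192.168.20.125:3828]",
    "TCP: sending SYN, seq 50658312, ack 3130379657 [23 -> 192.168.20.125:3828]",
    "TCP: state was SYN_RCVD -> ESTABLISHED [23 -> 192.168.20.125:3828]",
    "TCP: connection closed by user, state was LISTEN [23 -> 0.0.0.0:0]",
    "TCP: state was TIME_WAIT -> CLOSED [23 -> 192.168.20.125:3827]",
    "TCP: TCB 0xE923C8 deleted",
    "TCP: TCB 0xE7DBC8 created",
    "TCP: connection to 192.168.20.124:513 from 192.168.20.22:1022, state was CLOSED to SYN_SENT",
    "TCP: sending SYN, seq 52188680, ack 0 [1022 -> 192.168.20.124:513]",
    "TCP: state was SYN_SENT -> ESTABLISHED [1022 -> 192.168.20.124:513]",
    "TCP: rcvd FIN, state was ESTABLISHED -> CLOSE_WAIT [1022 -> 192.168.20.124:513]",
    "TCP: connection closed by user, state was CLOSE_WAIT [1022 -> 192.168.20.124:513]",
    "TCP: sending FIN [1022 -> 192.168.20.124:513]",
    "TCP: connection closed by user, state was LAST_ACK [1022 -> 192.168.20.124:513]",
    "TCP: state was LAST_ACK -> CLOSED [1022 -> 192.168.20.124:513]",
    "TCP: TCB 0xE7DBC8 deleted",
]
# Constructed line (not from the page): a jump a correct TCP never logs.
BOGUS = ["TCP: state was LISTEN -> ESTABLISHED [23 -> 192.168.20.125:4000]"]

if __name__ == "__main__":
    _, problems = check_transitions(TRACE + BOGUS)
    print("\n".join(problems) or "trace is consistent with RFC 793")
    print("TCBs still open:", sorted(open_tcbs(TRACE)))
```

On the page's own trace the checker finds no illegal transition and reports 0xE88AC8 (the telnet session from 192.168.20.125) as the only block still open, which is correct: that session was still in progress when the trace ended. 0xE923C8 is deleted without a matching creation because it was created before the trace started.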

Relevant command

debug ip tcp packet

2.1.9 debug ip udp

Displays User Datagram Protocol (UDP) packet information. Use command "no debug ip udp" to stop the display.

Syntax

debug ip udp

no debug ip udp


Parameter

none

Command mode

Supervisor mode

Example

switch#debug ip udp
switch#UDP: rcvd src 192.168.20.99(520), dst 192.168.20.255(520), len = 32
UDP: sent src 192.168.20.22(20001), dst 192.168.20.43(1001), len = 1008
Field   Description
UDP:   Marks a line of UDP packet information.

rcvd   Packet received.

sent   Packet sent.

src   Source IP address and UDP port of the packet.

dst   Destination IP address and UDP port of the packet.

len   Length of the UDP packet.

So the first line means a UDP packet was received from host 192.168.20.99, port 520, addressed to 192.168.20.255, port 520 (RIP), with a length of 32 bytes.

The second line means a UDP packet was sent from the local address 192.168.20.22, port 20001, to 192.168.20.43, port 1001, with a length of 1008 bytes.

2.1.10 ip mask-reply

Configures the switch to answer ICMP address mask requests on the specified interface. Use command "no ip mask-reply" to turn this off.

Syntax

ip mask-reply

no ip mask-reply

default ip mask-reply

Parameter

none


Default

Address mask requests are not answered. Keep this default unless a host on the segment actually depends on ICMP address mask replies; answering them hands the subnet mask to any host on the link, including one mapping the network.

Command mode

Interface configuration mode

Example

interface vlan 11
ip mask-reply

2.1.11 ip mtu

Sets the IP Maximum Transmission Unit (MTU), the largest IP packet sent from the interface, with command "ip mtu". To return to the default MTU, use command "no ip mtu".

Syntax

ip mtu bytes

no ip mtu

Parameter

Parameter   Description
bytes   Maximum length of an IP packet, in bytes.

Default

Depends on the physical medium of the interface and equals the interface's maximum transmission unit. The minimum is 68 bytes.

Command mode

Interface configuration mode

Explanation

If an IP packet is longer than the IP MTU configured on the interface, the switch fragments it. All devices attached to the same physical medium must be configured with the same protocol MTU before they can communicate. The interface MTU (set by interface configuration command "mtu") affects the IP MTU: if the IP MTU equals the interface MTU, changing the interface MTU automatically changes the IP MTU to the new value. Changing the IP MTU does not affect the interface MTU.

The minimum IP MTU is 68 bytes; the maximum cannot exceed the MTU configured on the interface.

Example

The following command configures the IP MTU of the interface as 200:


interface vlan 10
ip mtu 200
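To make the fragmentation described above concrete, here is an added Python example (not the switch vendor's code) that applies the RFC 791 rules to a 1500-byte datagram leaving an interface configured with "ip mtu 200" as in the example: fragment offsets are counted in 8-byte units, the 68-byte minimum is the largest possible header (60 bytes) plus one 8-byte fragment, and a packet with the DF bit set is not fragmented at all, which is the "need frag but DF set" disposition reported by "debug ip packet". The function names and the 20-byte header assumption (no IP options) are this example's own.

```python
"""Fragment an IP datagram for a given IP MTU, as the switch must when a
packet longer than the interface's IP MTU is forwarded.

Added example, not the switch vendor's code. It applies the RFC 791 rules
(fragment offsets are in 8-byte units; DF forbids fragmentation) to the
'ip mtu 200' case configured above. A 20-byte header (no options) is assumed.
"""
from typing import List, Optional, Tuple

IP_HEADER_LEN = 20   # header without options; options shrink the per-fragment payload
MIN_IP_MTU = 68      # 60-byte maximum header + one 8-byte fragment, the RFC 791 minimum

Fragment = Tuple[int, int, bool]   # (payload offset in bytes, fragment total length, more-fragments flag)


def fragment(total_length: int, ip_mtu: int, df: bool = False,
             header_len: int = IP_HEADER_LEN) -> Optional[List[Fragment]]:
    """Split a datagram of total_length bytes (header + payload) to fit ip_mtu.

    Returns the list of fragments, or None for the 'need frag but DF set' case,
    in which the datagram is dropped and the sender is told by ICMP instead.
    """
    if ip_mtu < MIN_IP_MTU:
        raise ValueError(f"IP MTU {ip_mtu} is below the {MIN_IP_MTU}-byte minimum")
    if header_len < IP_HEADER_LEN or header_len >= ip_mtu:
        raise ValueError("header does not fit in the MTU")
    if total_length <= ip_mtu:
        return [(0, total_length, False)]   # fits: no fragmentation needed
    if df:
        return None                         # need frag but DF set
    payload_len = total_length - header_len
    # Every fragment except the last must carry a multiple of 8 payload bytes,
    # because the fragment offset field counts 8-byte units.
    per_fragment = (ip_mtu - header_len) // 8 * 8
    fragments: List[Fragment] = []
    offset = 0
    while offset < payload_len:
        chunk = min(per_fragment, payload_len - offset)
        more = offset + chunk < payload_len
        fragments.append((offset, header_len + chunk, more))
        offset += chunk
    return fragments


def reassembled_payload_len(fragments: List[Fragment], header_len: int = IP_HEADER_LEN) -> int:
    """Payload length a receiver would rebuild; used to check that nothing was lost."""
    return sum(length - header_len for _, length, _ in fragments)


if __name__ == "__main__":
    # A 1500-byte datagram leaving an interface configured with 'ip mtu 200'.
    for off, length, more in fragment(1500, 200):
        print(f"offset={off:5d} ({off // 8:3d} x 8)  len={length:3d}  MF={int(more)}")
    print("DF set:", fragment(1500, 200, df=True))
```

With "ip mtu 200" a 1500-byte packet becomes nine fragments (eight of 196 bytes and a final one of 92). Only the first fragment carries the TCP or UDP header, so an access list that matches on ports sees only that fragment; deliberately small fragments are the classic way of slipping past such filters (RFC 1858), which is one more reason to leave the IP MTU at the interface default unless the medium requires otherwise.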

Relevant command

mtu

2.1.12 ip redirects

Enables the sending of ICMP redirect packets on the interface. Use command "no ip redirects" to stop sending ICMP redirects.

Syntax

ip redirects

no ip redirects

Parameter

none

Default

ICMP redirects are sent by default. If a hot standby routing protocol is configured on the interface, this function is turned off automatically, and it is not turned back on automatically when the hot standby configuration is removed.

Command mode

Interface configuration mode

Explanation

When the switch, while forwarding a packet, finds that the outgoing interface towards the gateway is the same interface the packet arrived on, and that the sending host is attached to the logical network of that interface, it may (according to the protocol) send an ICMP redirect telling the host to use that gateway directly for the packet's destination instead of going through this switch.

If a hot standby routing protocol is configured on the interface, sending ICMP redirects may cause packet loss.

Hosts act on ICMP redirects without any authentication, so a forged redirect can steer a host's traffic through an attacker on the same segment; on interfaces facing untrusted hosts it is common practice to disable them with "no ip redirects".

Example

The following command opens the function of sending ICMP redirect packet on
interface VLAN10:
interface vlan10
ip redirects

2.1.13 ip tcp synwait-time

Sets how long the switch waits for a TCP connection it initiates to be established. To restore the default, use command "no ip tcp synwait-time".

Syntax

ip tcp synwait-time seconds

no ip tcp synwait-time

Parameter

Parameter   Description
seconds   TCP connection wait time, in seconds. Valid range 5 to 300; default 75.

Default

75 seconds

Command mode

global configuration mode

Explanation

When the switch initiates a TCP connection and the connection is not established within the wait time, the switch treats the connection as failed and reports that to the upstream application. The wait time is 75 seconds by default. This option has nothing to do with TCP connections forwarded through the switch; it applies only to connections the switch itself originates.

To see the current value, enter "ip tcp synwait-time ?"; the value in [ ] is the current value.

Example

The following example sets the latency time for TCP connection as 30 seconds:
switch_config#ip tcp synwait-time 30
switch_config#ip tcp synwait-time ?
<5-300>[30] seconds -- wait time

2.1.14 ip tcp window-size

Sets the TCP window size. To restore the default, use command "no ip tcp window-size".

Syntax

ip tcp window-size bytes

no ip tcp window-size

Parameter

Parameter   Description
bytes   Window size in bytes. At most 65535; default 2000.

Default

2000 bytes

Command mode

global configuration mode

Explanation

Do not change the default unless you have a clear reason to. To see the current value, enter "ip tcp window-size ?"; the value in [ ] is the current value.

Example

The following example configures the TCP window size as 6000 bytes:
Switch_config#ip tcp window-size 6000
Switch_config#ip tcp window-size ?
<1-65535>[6000] bytes -- Window size


2.1.15 ip unreachables

Configures the switch to send ICMP unreachable packets on the interface. To stop sending them, use command "no ip unreachables".

Syntax

ip unreachables

no ip unreachables

Parameter

none

Default

Send ICMP unreachable packet.

Command mode

Interface configuration mode

Explanation

When the switch forwards an IP packet and finds no matching route in the routing table, it discards the packet. It can also send an ICMP unreachable packet to the source host so that the host learns of the error promptly and can correct it.

Unreachables also tell a scanning host which addresses and ports are absent, so they are often disabled on interfaces facing untrusted networks. Note that "fragmentation needed" is itself a destination unreachable message (ICMP type 3, code 4), so after disabling unreachables on an interface check that path MTU discovery through it still works.

Example

The following example enables the sending of ICMP unreachable packets on interface VLAN 10:
interface vlan 10
ip unreachables

2.1.16 show ip irdp

Shows the ICMP Router Discovery Protocol (IRDP) state of each interface.

Syntax

show ip irdp


Parameter

none

Command mode

Supervisor mode

Example

switch_config_vlan10# show ip irdp

Async0/0 ICMP router discovery protocol(IRDP) : OFF

vlan 10 ICMP router discovery protocol(IRDP) : ON
Advertisements occur between every 450 and 600 seconds
Advertisements are sent as broadcasts
Advertisements valid in 1800 seconds
Default preference : 0

vlan 11 ICMP router discovery protocol(IRDP) : OFF

Null0 ICMP router discovery protocol(IRDP) : OFF
Loopback7 ICMP router discovery protocol(IRDP) : OFF
Loopback10 ICMP router discovery protocol(IRDP) : OFF

2.1.17 show ip sockets

Shows the IP sockets open on the switch.

Syntax

show ip sockets

Parameter

none

Command mode

Supervisor mode

Example

Router#show ip sockets
Proto  Local    Port  Remote   Port  In    Out
17     0.0.0.0  0     0.0.0.0  0     161   0
6      0.0.0.0  0     0.0.0.0  0     513   0
17     0.0.0.0  0     0.0.0.0  0     1698  0
17     0.0.0.0  0     0.0.0.0  0     69    0
6      0.0.0.0  0     0.0.0.0  0     23    0
17     0.0.0.0  0     0.0.0.0  0     137   122590

Proto is the IP protocol number (6 = TCP, 17 = UDP). This listing is the quickest inventory of the services the switch itself exposes: the numbers 161 (SNMP), 513 (rlogin), 69 (TFTP), 23 (telnet) and 137 (NetBIOS name service) in the example are well-known port numbers, and each of them should be confirmed as intended and restricted by access list, since every one of those protocols is unauthenticated or carries credentials in clear text.

2.1.18 show ip traffic

Show IP traffic statistics.

Syntax

show ip traffic

Parameter

none

Command mode

Supervisor mode

Example

switch#show ip traffic
IP statistics:
Rcvd: 0 total, 0 local destination, 0 delivered
0 format errors, 0 checksum errors, 0 bad ttl count
0 bad destination address, 0 unknown protocol, 0 discarded
0 filtered , 0 bad options, 0 with options
Opts: 0 loose source route, 0 record route, 0 strict source route
0 timestamp, 0 router alert, 0 others
Frags: 0 fragments, 0 reassembled, 0 dropped
0 fragmented, 0 fragments, 0 couldn't fragment
Bcast: 0 received, 0 sent
Mcast: 0 received, 0 sent
Sent: 230 generated, 0 forwarded
0 filtered, 0 no route, 0 discarded
ICMP statistics:
Rcvd: 0 total, 0 format errors, 0 checksum errors
0 redirect, 0 unreachable, 0 source quench
0 echos, 0 echo replies, 0 mask requests, 0 mask replies
0 parameter problem, 0 timestamps, 0 timestamp replies
0 time exceeded, 0 router solicitations, 0 router advertisements
Sent: 0 total, 0 errors
0 redirects, 0 unreachable, 0 source quench
0 echos, 0 echo replies, 0 mask requests, 0 mask replies
0 parameter problem, 0 timestamps, 0 timestamp replies
0 time exceeded, 0 router solicitations, 0 router advertisements

UDP statistics:
Rcvd: 28 total, 0 checksum errors, 22 no port, 0 full sock
Sent: 0 total

TCP statistics:
Rcvd: 0 total, 0 checksum errors, 0 no port
Sent: 3 total

IGMP statistics:
Rcvd: 0 total, 0 format errors, 0 checksum errors
0 host queries, 0 host reports
Sent: 0 host reports

ARP statistics:
Rcvd: 8 total, 7 requests, 1 replies, 0 reverse, 0 other
Sent: 5 total, 5 requests, 0 replies (0 proxy), 0 reverse
Field   Description
format errors   Packets with a malformed IP header, such as a bad header length.

bad ttl count   Packets discarded while forwarding because the TTL reached 0.

no route   Packets for which the routing table had no matching route.

filtered   Packets denied by an access list.

no port (UDP statistics)   Datagrams addressed to a UDP port the switch is not listening on; 22 of the 28 datagrams received in the example. A steadily rising value is worth correlating with "debug ip udp", since it is what a UDP port scan of the switch looks like in these counters.

2.1.19 show tcp

Shows the state information of all TCP connections.

Syntax

show tcp

Parameter

none

Command mode

Supervisor mode


Example

switch#show tcp
TCB 0xE9ADC8
Connection state is ESTABLISHED, unread input bytes: 934
Local host: 192.168.20.22, Local port: 1023
Foreign host: 192.168.20.124, Foreign port: 513

Enqueued bytes for transmit: 0, input: 934 mis-ordered: 0 (0 packets)

Timer      Starts  Wakeups  Next(ms)
Retrans    33      1        0
TimeWait   0       0        0
SendWnd    0       0        0
KeepAlive  102     0        7199500

iss: 29139463 snduna: 29139525 sndnxt: 29139525 sndwnd: 17520
irs: 709124039 rcvnxt: 709205436 rcvwnd: 4380

SRTT: 15 ms, RXT: 2500 ms, RTV: 687 ms
minRXT: 1000 ms, maxRXT: 64000 ms, ACK hold: 200 ms

Datagrams (max data segment is 1460 bytes):
Rcvd: 102 (out of order: 0), with data: 92, total data bytes: 81396
Sent: 104 (retransmit: 0), with data: 31, total data bytes: 61
Field   Description
TCB 0xE9ADC8   Internal identifier of the TCP connection control block.

Connection state is ESTABLISHED   Current connection state. A TCP connection can be in any of the following states:

LISTEN --- waiting for a connection request from any remote host.

SYN_SENT --- a connection request has been sent; waiting for the peer's response.

SYN_RCVD --- a connection request was received and acknowledged, and the local side has sent its own request; waiting for the peer to acknowledge it.

ESTABLISHED --- the connection is set up; data can be exchanged and the upstream application is served.

FIN_WAIT_1 --- a request to close the connection has been sent; waiting for the peer's acknowledgement and for the peer's own close request.

FIN_WAIT_2 --- the close request has been sent and acknowledged; waiting for the peer's close request.

CLOSE_WAIT --- the peer's close request was received and acknowledged; waiting for the local application to close the connection, at which point the system sends its own close request.

CLOSING --- the local close request has been sent, and the peer's close request has been received and acknowledged; waiting for the peer to acknowledge the local close request.

LAST_ACK --- the peer's close request was received and acknowledged and the local close request has been sent; waiting for its acknowledgement.

TIME_WAIT --- waiting long enough to be sure the peer received the acknowledgement of its close request.

CLOSED --- no connection, or the connection is completely closed.

For details see RFC 793, TRANSMISSION CONTROL PROTOCOL.

unread input bytes:   Data that TCP has processed and can hand to the upstream application but that the application has not yet read.

Local host:   Local IP address.

Local port:   Local TCP port.

Foreign host:   Remote IP address.

Foreign port:   Remote TCP port.

Enqueued bytes for transmit:   Bytes queued for transmission, including data sent but not yet acknowledged and data not yet sent.

input:   Bytes queued for receiving: in-order data waiting to be read by the upstream application.

mis-ordered:   Bytes and packets in the out-of-order queue. They can be moved to the receive queue, and read by the upstream application, only after the missing data ahead of them arrives. For example, if packets 1, 2, 4, 5 and 6 are received, packets 1 and 2 enter the receive queue, while 4, 5 and 6 wait in the out-of-order queue for packet 3.

Next come the timers of this connection: the number of times each timer was started, the number of times it expired and the time until its next expiry (0 means the timer is not running). Each connection has its own timers. The number of expiries is normally lower than the number of starts, because a timer may be reset while it is running; for example, if the peer acknowledges all sent data while the retransmit timer is running, the retransmit timer is stopped.
Timer      Starts  Wakeups  Next(ms)
Retrans    33      1        0
TimeWait   0       0        0
SendWnd    0       0        0
KeepAlive  102     0        7199500
Field   Description
Timer   Name of the timer.

Starts   Number of times the timer was started.

Wakeups   Number of times the timer expired.

Next(ms)   Time until the timer's next expiry, in ms; 0 means the timer is not running.

Retrans   Retransmit timer, used to trigger data retransmission. It is started after data is sent; if the data is not acknowledged before the timer expires, the data is retransmitted.

TimeWait   Time-wait timer, used to make sure the peer received the acknowledgement of its close request.

SendWnd   Send window timer, used to restore the send window to its normal size when a TCP acknowledgement is lost.

KeepAlive   Keepalive timer, used to verify that the communication link still works and that the peer still holds the connection. When it expires, a probe is sent to check the link and the peer.

Next are the sequence numbers used by the TCP connection. TCP uses sequence numbers to guarantee reliable, ordered delivery; the local and remote hosts also perform flow control and send acknowledgements based on sequence numbers.
iss: 29139463 snduna: 29139525 sndnxt: 29139525 sndwnd: 17520
irs: 709124039 rcvnxt: 709205436 rcvwnd: 4380
Field   Description
iss:   Initial send sequence number.

snduna:   Sequence number of the first byte of sent data that the peer has not yet acknowledged.

sndnxt:   Sequence number of the first byte of data to be sent next.

sndwnd:   TCP window size advertised by the remote host.

irs:   Initial receive sequence number, i.e. the remote host's initial send sequence number.

rcvnxt:   Next sequence number expected from the peer; everything below it has been received in order.

rcvwnd:   TCP window size of the local host.

Next are the round-trip timing values recorded by the local host; the system uses them to adapt to different networks.
SRTT: 15 ms, RXT: 2500 ms, RTV: 687 ms
minRXT: 1000 ms, maxRXT: 64000 ms, ACK hold: 200 ms
Field   Description
SRTT:   Smoothed round-trip time.

RXT:   Retransmission timeout.

RTV:   Round-trip time variation.

minRXT:   Minimum retransmission timeout allowed.

maxRXT:   Maximum retransmission timeout allowed.

ACK hold:   Maximum time an acknowledgement is delayed so that it can be sent together with data.

Datagrams (max data segment is 1460 bytes):
Rcvd: 102 (out of order: 0), with data: 92, total data bytes: 81396
Sent: 104 (retransmit: 0), with data: 31, total data bytes: 61
Field   Description
max data segment   Maximum segment size allowed on this connection.

Rcvd   Packets received by the local host on this connection, and how many of them arrived out of order.

with data   Received packets carrying payload.

total data bytes   Total payload bytes in the received packets.

Sent:   Packets sent by the local host on this connection, and how many of them were retransmissions.

with data   Sent packets carrying payload.

total data bytes   Total payload bytes in the sent packets.
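The sequence numbers and the datagram counters above describe the same connection, so they can be checked against each other. As an added example (not the switch vendor's code), the following Python script extracts the fields from "show tcp" output and applies the RFC 793 arithmetic: the SYN occupies one sequence number, so on an ESTABLISHED connection (no FIN yet) the data acknowledged by the peer is snduna - iss - 1 and the data received in order is rcvnxt - irs - 1, both taken modulo 2^32. The sample text is the "show tcp" output shown above; the function names are this example's own.

```python
"""Cross-check the sequence numbers in 'show tcp' against its datagram counters.

Added example, not the switch vendor's code. Per RFC 793 the SYN occupies one
sequence number, so for an ESTABLISHED connection (no FIN yet) the data the
peer has acknowledged is snduna - iss - 1 and the data received in order is
rcvnxt - irs - 1. The sample text is the 'show tcp' output on this page.
"""
import re
from typing import Dict

SEQ_FIELDS = ("iss", "snduna", "sndnxt", "sndwnd", "irs", "rcvnxt", "rcvwnd")
MOD = 1 << 32                        # sequence numbers wrap modulo 2^32


def parse_show_tcp(text: str) -> Dict[str, int]:
    """Extract the sequence-number fields and the datagram byte counters."""
    info: Dict[str, int] = {}
    for key in SEQ_FIELDS:
        m = re.search(rf"\b{key}:\s*(\d+)", text)
        if m is None:
            raise ValueError(f"field {key} missing")
        info[key] = int(m.group(1))
    rcvd = re.search(r"Rcvd:.*?total data bytes:\s*(\d+)", text)
    sent = re.search(r"Sent:.*?total data bytes:\s*(\d+)", text)
    if rcvd is None or sent is None:
        raise ValueError("datagram counters missing")
    info["rcvd_data_bytes"] = int(rcvd.group(1))
    info["sent_data_bytes"] = int(sent.group(1))
    return info


def sequence_summary(info: Dict[str, int]) -> Dict[str, object]:
    """Derive byte counts from the sequence numbers and compare them with the
    counters the switch keeps. A mismatch means the connection is not in the
    plain ESTABLISHED state this arithmetic assumes (a FIN also takes a
    sequence number), or that the two sets of numbers were read at different
    moments."""
    sent_acked = (info["snduna"] - info["iss"]) % MOD - 1   # data the peer has acknowledged
    in_flight = (info["sndnxt"] - info["snduna"]) % MOD    # sent but not yet acknowledged
    received = (info["rcvnxt"] - info["irs"]) % MOD - 1     # delivered in order
    return {
        "sent_acked_bytes": sent_acked,
        "unacked_bytes": in_flight,
        "rcvd_bytes": received,
        "sent_matches_counters": sent_acked + in_flight == info["sent_data_bytes"],
        "rcvd_matches_counters": received == info["rcvd_data_bytes"],
    }


# Sample input copied from the 'show tcp' output on this page.
SAMPLE = """\
TCB 0xE9ADC8
Connection state is ESTABLISHED, unread input bytes: 934
Local host: 192.168.20.22, Local port: 1023
Foreign host: 192.168.20.124, Foreign port: 513
Enqueued bytes for transmit: 0, input: 934 mis-ordered: 0 (0 packets)
iss: 29139463 snduna: 29139525 sndnxt: 29139525 sndwnd: 17520
irs: 709124039 rcvnxt: 709205436 rcvwnd: 4380
Datagrams (max data segment is 1460 bytes):
Rcvd: 102 (out of order: 0), with data: 92, total data bytes: 81396
Sent: 104 (retransmit: 0), with data: 31, total data bytes: 61
"""

if __name__ == "__main__":
    for key, value in sequence_summary(parse_show_tcp(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the page's own output the arithmetic agrees with the counters exactly: 29139525 - 29139463 - 1 = 61 bytes sent and acknowledged (nothing in flight, since snduna equals sndnxt), and 709205436 - 709124039 - 1 = 81396 bytes received, matching the "total data bytes" lines. A discrepancy on a live connection is the first thing to look at when a session between the switch and a management host behaves oddly.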

Relevant command

show tcp brief

show tcp tcb

2.1.20 show tcp brief

Show brief information of TCP connection.

Syntax

show tcp brief [all]

Parameter

Parameter   Description
all   (Optional) Show all connections. Without this keyword, connections in the LISTEN state are not shown.

Command mode

Supervisor mode

Example

Router#show tcp brief
TCB       Local Address        Foreign Address       State
0xE9ADC8  192.168.20.22:1023   192.168.20.124:513    ESTABLISHED
0xEA34C8  192.168.20.22:23     192.168.20.125:1472   ESTABLISHED
Field   Description
TCB   Internal identifier of the TCP connection.

Local Address   Local IP address and TCP port.

Foreign Address   Remote IP address and TCP port.

State   Connection state. For details see command "show tcp".

Relevant command

show tcp

show tcp tcb

2.1.21 show tcp statistics

Display statistics for the TCP protocol.

Syntax

show tcp statistics

Parameter

none

Command mode

Supervisor mode

Example

switch#show tcp statistics

Rcvd: 148 Total, 0 no port
0 checksum error, 0 bad offset, 0 too short
131 packets (6974 bytes) in sequence
0 dup packets (0 bytes)
0 partially dup packets (0 bytes)
0 out-of-order packets (0 bytes)
0 packets (0 bytes) with data after window
0 packets after close
0 window probe packets, 0 window update packets
0 dup ack packets, 0 ack packets with unsend data
127 ack packets (247 bytes)
Sent: 239 Total, 0 urgent packets
6 control packets
123 data packets (245 bytes)
0 data packets (0 bytes) retransmitted
110 ack only packets (101 delayed)
0 window probe packets, 0 window update packets
4 Connections initiated, 0 connections accepted, 2 connections established
3 Connections closed (including 0 dropped, 1 embryonic dropped)
5 Total rxmt timeout, 0 connections dropped in rxmt timeout
1 Keepalive timeout, 0 keepalive probe, 1 Connections dropped in keepalive
Field Description
Rcvd: Statistics for packets received by the router.

Total: Total packets received.

no port: Number of received packets addressed to a port with no listener.

checksum error: Number of received packets with an incorrect checksum.

bad offset: Number of received packets with an invalid data offset.

too short: Number of received packets shorter than the minimum valid length.

packets in sequence: Number of data packets received in sequence.

dup packets: Number of completely duplicated packets received.

partially dup packets: Number of partially duplicated packets received.

out-of-order packets: Number of out-of-order packets received.

packets with data after window: Number of packets received with data beyond the router's receive window.

packets after close: Number of packets received after the connection was closed.

window probe packets: Number of window probe packets received.

window update packets: Number of window update packets received.

dup ack packets: Number of duplicate ACK packets received.

ack packets with unsent data: Number of ACK packets received that acknowledge data not yet sent.

ack packets: Number of ACK packets received.

Sent: Statistics for packets sent by the router.

Total: Total packets sent.

urgent packets: Number of urgent packets sent.

control packets: Number of control packets (SYN, FIN or RST) sent.

data packets: Number of data packets sent.

data packets retransmitted: Number of data packets retransmitted.

ack only packets: Number of ACK-only packets sent.

window probe packets: Number of window probe packets sent.

window update packets: Number of window update packets sent.

Connections initiated: Number of connections initiated locally.

connections accepted: Number of connections accepted locally.

connections established: Number of connections established locally.

Connections closed: Number of local connections closed.

Total rxmt timeout: Total number of retransmission timeouts.

connections dropped in rxmt timeout: Number of connections dropped because of retransmission timeouts.

Keepalive timeout: Number of keepalive timeouts.

keepalive probe: Number of keepalive probe packets sent.

Connections dropped in keepalive: Number of connections dropped by the keepalive mechanism.

Relevant command

clear tcp statistics
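As an added example (not part of the manual), the following Python parses the counter lines of this output format into a dictionary and flags the values an operator would watch: malformed segments, segments to ports with no listener, dropped embryonic connections, timeout drops and the retransmission ratio. The sample text and the alerting thresholds are constructed assumptions.

```python
import re

# Constructed sample in the shape of the "show tcp statistics" output shown above.
SAMPLE = """\
Rcvd: 148 Total, 0 no port
0 checksum error, 0 bad offset, 0 too short
131 packets (6974 bytes) in sequence
0 dup packets (0 bytes)
0 partially dup packets (0 bytes)
0 out-of-order packets (0 bytes)
0 packets (0 bytes) with data after window
0 packets after close
0 window probe packets, 0 window update packets
0 dup ack packets, 0 ack packets with unsend data
127 ack packets (247 bytes)
Sent: 239 Total, 0 urgent packets
6 control packets
123 data packets (245 bytes)
0 data packets (0 bytes) retransmitted
110 ack only packets (101 delayed)
0 window probe packets, 0 window update packets
4 Connections initiated, 0 connections accepted, 2 connections established
3 Connections closed (including 0 dropped, 1 embryonic dropped)
5 Total rxmt timeout, 0 connections dropped in rxmt timeout
1 Keepalive timeout, 0 keepalive probe, 1 Connections dropped in keepalive
"""

# One counter item: "<count> <label>", optionally with "(<n> bytes)" inside the
# label, terminated by a comma, a parenthesis or the end of the line.
ITEM = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z -]*)(?:\s*\((\d+) bytes\))?"
                  r"([A-Za-z -]*?)(?=\s*[,()]|$)")
SECTION_START = re.compile(r"(Rcvd|Sent):\s*(.*)")
CONN_LINE = re.compile(r"\d+ (Connections|Total rxmt|Keepalive)")

def parse_tcp_statistics(text):
    """Return {"<section>.<label>": count} (plus "<label> bytes" keys) from the output."""
    stats, section = {}, "misc"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_START.match(line)
        if m:                                # "Rcvd:" / "Sent:" open a section
            section, line = m.group(1).lower(), m.group(2)
        elif CONN_LINE.match(line):          # connection summary lines at the end
            section = "conn"
        for count, head, nbytes, tail in ITEM.findall(line):
            key = section + "." + " ".join((head + tail).lower().split())
            stats[key] = int(count)
            if nbytes:
                stats[key + " bytes"] = int(nbytes)
    return stats

def health_findings(stats):
    """Flag counters a defender watches: malformed input, half-open drops, loss."""
    g = lambda k: stats.get(k, 0)
    findings = []
    if g("rcvd.checksum error") or g("rcvd.bad offset") or g("rcvd.too short"):
        findings.append("malformed TCP segments received")
    if g("rcvd.total") and g("rcvd.no port") > 0.05 * g("rcvd.total"):   # threshold is an assumption
        findings.append("many segments to ports with no listener")
    if g("conn.embryonic dropped"):
        findings.append("half-open (embryonic) connections dropped")
    if g("conn.connections dropped in rxmt timeout") or g("conn.connections dropped in keepalive"):
        findings.append("connections lost to retransmission or keepalive timeouts")
    if g("sent.data packets") and g("sent.data packets retransmitted") > 0.02 * g("sent.data packets"):
        findings.append("high retransmission ratio")
    return findings
```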

2.1.22 show tcp tcb

Display the mode information of certain TCP connection.

Syntax

show tcp tcb address

Parameter

Parameter Description
address: Address of the transmission control block (TCB) of the TCP connection to be shown. The TCB is the system's internal identifier of a TCP connection and can be obtained with the command “show tcp brief”.

Command mode

Supervisor mode

Example

For a detailed explanation of the fields displayed below, refer to the command “show tcp”.

switch_config#show tcp tcb 0xea38c8

TCB 0xEA38C8
Connection state is ESTABLISHED, unread input bytes: 0
Local host: 192.168.20.22, Local port: 23
Foreign host: 192.168.20.125, Foreign port: 1583

Enqueued bytes for transmit: 0, input: 0 mis-ordered: 0 (0 packets)

Timer Starts Wakeups Next(ms)
Retrans 4 0 0
TimeWait 0 0 0
SendWnd 0 0 0
KeepAlive +5 0 6633000

iss: 10431492 snduna: 10431573 sndnxt: 10431573 sndwnd: 17440
irs: 915717885 rcvnxt: 915717889 rcvwnd: 4380

SRTT: 2812 ms, RXT: 18500 ms, RTV: 4000 ms
minRXT: 1000 ms, maxRXT: 64000 ms, ACK hold: 200 ms

Datagrams (max data segment is 1460 bytes):
Rcvd: 5 (out of order: 0), with data: 1, total data bytes: 3
Sent: 4 (retransmit: 0), with data: 3, total data bytes: 80

Relevant command

show tcp

show tcp brief


Chapter 3 Access-list Command

3.1.1 deny

This command is used in IP access-list configuration mode to configure deny rules. Prefix the command with “no” to delete a “deny” rule from the IP access list.

Syntax

deny source [source-mask] [log]

no deny source [source-mask] [log]

deny protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

no deny protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

The following syntax can also be used for the Internet Control Message Protocol (ICMP):

deny icmp source source-mask destination destination-mask [icmp-type] [precedence precedence] [tos tos] [log]

The following syntax can be used for the Internet Group Management Protocol (IGMP):

deny igmp source source-mask destination destination-mask [igmp-type] [precedence precedence] [tos tos] [log]

The following syntax can be used for TCP:

deny tcp source source-mask [operator port] destination destination-mask [operator port] [established] [precedence precedence] [tos tos] [log]

The following syntax can be used for the User Datagram Protocol (UDP):

deny udp source source-mask [operator port] destination destination-mask [operator port] [precedence precedence] [tos tos] [log]

Parameter

Parameter Description
protocol: Protocol name or protocol number. It can be a keyword such as icmp, igmp, igrp, ip, ospf, tcp or udp, or an integer from 0 to 255 that is the IP protocol number. Use the keyword “ip” to match any Internet protocol (including ICMP, TCP and UDP). Some protocols can be restricted further as described below.

source: Source network or host number. There are two ways to specify the source: as a 32-bit binary number, or as a dotted-decimal number (four decimal numbers separated by dots). Use the keyword “any” as an abbreviation for a source and source mask of 0.0.0.0 0.0.0.0.

source-mask: Network mask of the source address. Use the keyword “any” as an abbreviation for a source and source mask of 0.0.0.0 0.0.0.0.

destination: Destination network or host number. There are two ways to specify it: as a dotted-decimal number, or as a 32-bit binary number. Use the keyword “any” as an abbreviation for a destination and destination mask of 0.0.0.0 0.0.0.0.

destination-mask: Network mask of the destination address. Use the keyword “any” as an abbreviation for a destination address and destination mask of 0.0.0.0 0.0.0.0.

precedence precedence: (Optional) Packets can be filtered by precedence, specified as a number from 0 to 7.

tos tos: (Optional) Packets can be filtered by type of service, specified as a number from 0 to 15.

icmp-type: (Optional) ICMP packets can be filtered by ICMP message type, specified as a number from 0 to 255.

igmp-type: (Optional) IGMP packets can be filtered by IGMP message type or name. The type is a number from 0 to 15.

operator: (Optional) Compares the source or destination port. Operators are lt (less than), gt (greater than), eq (equal to) and neq (not equal to). An operator placed after source and source-mask must match the source port; an operator placed after destination and destination-mask must match the destination port.

port: (Optional) Decimal number or name of a TCP or UDP port. Port numbers range from 0 to 65535. TCP port names are listed in the Notes below and can be used only to filter TCP. UDP port names are also listed in the Notes below and can be used only to filter UDP.

established: (Optional) For TCP only, matches an established connection: a match occurs when the ACK or RST flag of the TCP segment is set. The initial segment that opens a connection does not match.

log: (Optional) Log packets that match this rule.

Command mode

IP access-list configuration mode

Explanation

Access lists can be used to control the forwarding of packets on an interface and to control access to virtual terminal lines. Checking of an extended access list stops as soon as a rule matches. Non-initial IP fragments are accepted immediately by any extended IP access list, since only the initial fragment carries the transport-layer header that the rules check. Extended access lists are also used to control access to virtual terminal lines and to restrict the contents of routing updates. Matching on TCP source port, type of service value and packet precedence is optional.


Notes:

Once an access list has been created, any rule added later (for example from a terminal) is appended to the end of the list.

The TCP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references on these protocols. The port number corresponding to a name can also be displayed by typing “?” in place of the port number.

bgp
ftp
ftp-data
login
pop2
pop3
smtp
telnet
www

The UDP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references on these protocols. The port number corresponding to a name can also be displayed by typing “?” in place of the port number.

domain
snmp
syslog
tftp

Example

The following example denies the network 192.168.5.0:

ip access-list standard filter
deny 192.168.5.0 255.255.255.0

Notes:

Every IP access list ends with an implicit “deny” rule.

Related command

ip access-group


ip access-list

permit

show ip access-list

3.1.2 ip access-group

Use the interface configuration command “ip access-group” to control access through an interface. Use the “no” form of the command to remove the specified access group.

Syntax

ip access-group {access-list-name}{in | out}

no ip access-group {access-list-name}{in | out}

Parameter

Parameter Description
access-list-name: Name of the access list, a character string of at most 20 characters.

in: Apply the access list to packets entering the interface.

out: Apply the access list to packets leaving the interface.

Command mode

Interface configuration mode

Explanation

An access list can be applied in the inbound or the outbound direction of an interface. For a standard inbound access list, the source address of a received packet is checked against the access list. For an extended access list the router also checks the destination address. If the address is permitted by the access list, the software continues to process the packet; if it is not permitted, the software discards the packet and returns an ICMP host unreachable message.

For a standard outbound access list, after a packet has been received and routed to the controlled interface, the software checks its source address against the access list. For an extended access list the router also checks the destination address. If the address is permitted by the access list, the packet is transmitted; if it is not permitted, the software discards the packet and returns an ICMP host unreachable message.

If the specified access list does not exist, all packets are permitted to pass.


Example

In the following example, the access list “filter” is applied to packets leaving Ethernet interface 1/0:

interface ethernet 0
ip access-group filter out

Related command

ip access-list

show ip access-list

3.1.3 ip access-list

This command enters IP access-list configuration mode, in which access rules can be added or deleted. The command “exit” returns to global configuration mode.

Use the “no” form of the command to delete an IP access list.

Syntax

ip access-list {standard | extended} name

no ip access-list {standard | extended} name

Parameter

Parameter Description
standard: Defines a standard access list.

extended: Defines an extended access list.

name: Name of the access list, a character string of at most 20 characters.

Default

No IP access-list is defined.

Command mode

global configuration mode

Explanation

Use this command to enter IP access-list configuration mode. The commands “deny” and “permit” are then used to configure access rules.


Example

The following example configures a standard access list.

ip access-list standard filter
deny 192.168.1.0 255.255.255.0
permit any

Related command

deny

ip access-group

permit

show ip access-list

3.1.4 permit

This command is used in IP access-list configuration mode to configure permit rules. Prefix the command with “no” to delete a permit rule from the IP access list.

Syntax

permit source [source-mask] [log]

no permit source [source-mask] [log]

permit protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

no permit protocol source source-mask destination destination-mask [precedence precedence] [tos tos] [log]

For the Internet Control Message Protocol (ICMP), the following syntax can also be used:

permit icmp source source-mask destination destination-mask [icmp-type] [precedence precedence] [tos tos] [log]

For the Internet Group Management Protocol (IGMP), the following syntax can also be used:

permit igmp source source-mask destination destination-mask [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, the following syntax can also be used:

permit tcp source source-mask [operator port] destination destination-mask [operator port] [established] [precedence precedence] [tos tos] [log]

For the User Datagram Protocol (UDP), the following syntax can also be used:

permit udp source source-mask [operator port [port]] destination destination-mask [operator port] [precedence precedence] [tos tos] [log]

Parameter

Parameter Description
protocol: Protocol name or protocol number. It can be a keyword such as icmp, igmp, igrp, ip, ospf, tcp or udp, or an integer from 0 to 255 that is the IP protocol number. Use the keyword “ip” to match any Internet protocol (including ICMP, TCP and UDP). Some protocols can be restricted further as described below.

source: Source network or host number. There are two ways to specify the source: as a 32-bit binary number, or as a dotted-decimal number (four decimal numbers separated by dots). Use the keyword “any” as an abbreviation for a source and source mask of 0.0.0.0 0.0.0.0.

source-mask: Network mask of the source address. Use the keyword “any” as an abbreviation for a source and source mask of 0.0.0.0 0.0.0.0.

destination: Destination network or host number. There are two ways to specify it: as a dotted-decimal number, or as a 32-bit binary number. Use the keyword “any” as an abbreviation for a destination and destination mask of 0.0.0.0 0.0.0.0.

destination-mask: Network mask of the destination address. Use the keyword “any” as an abbreviation for a destination address and destination mask of 0.0.0.0 0.0.0.0.

precedence precedence: (Optional) Packets can be filtered by precedence, specified as a number from 0 to 7.

tos tos: (Optional) Packets can be filtered by type of service, specified as a number from 0 to 15.

icmp-type: (Optional) ICMP packets can be filtered by ICMP message type, specified as a number from 0 to 255.

igmp-type: (Optional) IGMP packets can be filtered by IGMP message type or name. The type is a number from 0 to 15.

operator: (Optional) Compares the source or destination port. Operators are lt (less than), gt (greater than), eq (equal to) and neq (not equal to). An operator placed after source and source-mask must match the source port; an operator placed after destination and destination-mask must match the destination port.

port: (Optional) Decimal number or name of a TCP or UDP port. Port numbers range from 0 to 65535. TCP port names are listed in the Notes below and can be used only to filter TCP. UDP port names are also listed in the Notes below and can be used only to filter UDP.

established: (Optional) For TCP only, matches an established connection: a match occurs when the ACK or RST flag of the TCP segment is set. The initial segment that opens a connection does not match.

log: (Optional) Log packets that match this rule.


Command mode

IP access-list configuration mode

Explanation

Access lists can be used to control the forwarding of packets on an interface and to control access to virtual terminal lines. Checking of an extended access list stops as soon as a rule matches.

Non-initial IP fragments are accepted immediately by any extended IP access list, since only the initial fragment carries the transport-layer header that the rules check. Extended access lists are also used to control access to virtual terminal lines and to restrict the contents of routing updates. Matching on TCP source port, type of service value and packet precedence is optional.

Notes:

Once an access list has been created, any rule added later (for example from a terminal) is appended to the end of the list.

The TCP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references on these protocols. The port number corresponding to a name can also be displayed by typing “?” in place of the port number.

bgp
ftp
ftp-data
login
pop2
pop3
smtp
telnet
www

The UDP port names that can be used in place of a port number are listed below. See the current Assigned Numbers RFC for references on these protocols. The port number corresponding to a name can also be displayed by typing “?” in place of the port number.

domain
snmp
syslog
tftp


Example

The following example permits the network 192.168.5.0:

ip access-list standard filter
permit 192.168.5.0 255.255.255.0

Notes:

Every IP access list ends with an implicit “deny” rule.
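As an added example that is not part of the manual, the following Python models the rule semantics described in the deny, permit and ip access-group sections: first-match evaluation, the implicit deny at the end of every list, “any” as 0.0.0.0 0.0.0.0, port names in place of numbers, the established keyword matching only ACK/RST segments, and a non-existent list permitting everything. The host mask for a bare standard-list address, the IANA port numbers, the packet dictionary format and list “ccc” are assumptions; precedence, tos and log are accepted but not modelled.

```python
import ipaddress

# Port names the manual accepts (TCP names for tcp, UDP names for udp) with IANA numbers added.
NAMES = {"tcp": {"bgp": 179, "ftp": 21, "ftp-data": 20, "login": 513, "pop2": 109,
                 "pop3": 110, "smtp": 25, "telnet": 23, "www": 80},
         "udp": {"domain": 53, "snmp": 161, "syslog": 514, "tftp": 69}}
OPS = {"lt": int.__lt__, "gt": int.__gt__, "eq": int.__eq__, "neq": int.__ne__}
_ip = lambda s: int(ipaddress.IPv4Address(s))

def _addr(tok, i):                                     # 'any' | 'A.B.C.D [mask]' -> ((net, mask), next)
    if tok[i] == "any":                                # manual: any == 0.0.0.0 0.0.0.0
        return (0, 0), i + 1
    if i + 1 < len(tok) and tok[i + 1][:1].isdigit():  # explicit mask follows the address
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0xFFFFFFFF), i + 1            # bare address: host mask (assumption)

def _port(tok, i, proto):                              # optional '<operator> <port>' -> (predicate, next)
    if i < len(tok) and tok[i] in OPS:
        port = int(NAMES.get(proto, {}).get(tok[i + 1], tok[i + 1]))
        return (lambda v, op=OPS[tok[i]], p=port: op(v, p)), i + 2
    return None, i

def parse_rule(line, kind):                            # one permit/deny line -> rule dict
    tok, ext = line.split(), kind == "extended"
    r = {"action": tok[0], "proto": tok[1] if ext else "ip", "dst": (0, 0),
         "sport": None, "dport": None, "established": False}
    r["src"], i = _addr(tok, 2 if ext else 1)
    if ext:
        r["sport"], i = _port(tok, i, r["proto"])
        r["dst"], i = _addr(tok, i)
        r["dport"], i = _port(tok, i, r["proto"])
        r["established"] = "established" in tok[i:]   # precedence/tos/log not modelled
    return r

def _hit(addr, net_mask):
    return _ip(addr) & net_mask[1] == net_mask[0] & net_mask[1]

def matches(rule, pkt):
    """pkt: dict with proto, src, dst and optional sport, dport, flags (set of str)."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and _hit(pkt["src"], rule["src"]) and _hit(pkt["dst"], rule["dst"])
            and (rule["sport"] is None or rule["sport"](pkt.get("sport", 0)))
            and (rule["dport"] is None or rule["dport"](pkt.get("dport", 0)))
            # 'established' matches only segments with ACK or RST set, never the opening SYN
            and (not rule["established"] or bool({"ACK", "RST"} & pkt.get("flags", set()))))

def load_config(text):
    """{name: (kind, rules)} from 'ip access-list ...' lines; later rules are appended."""
    acls, cur = {}, None
    for tok in (l.split() for l in text.strip().splitlines()):
        if tok[:2] == ["ip", "access-list"]:
            cur = acls.setdefault(tok[3], (tok[2], []))
        else:
            cur[1].append(parse_rule(" ".join(tok), cur[0]))
    return acls

def evaluate(acls, name, pkt):
    """First matching rule decides; no match is the implicit deny; a missing list permits all."""
    if name not in acls:        # manual: a non-existent list permits everything (fails open)
        return "permit"
    return next((r["action"] for r in acls[name][1] if matches(r, pkt)), "deny")

# Constructed config: aaa and bbb as in the show ip access-list output below, plus ccc.
ACLS = load_config("""
ip access-list standard aaa
permit 192.2.2.1
permit 192.3.3.0 255.255.255.0
ip access-list extended bbb
permit tcp any any eq www
permit ip any any
ip access-list extended ccc
permit tcp any any established
deny ip any any log
""")
```

A typo in the list name given to ip access-group therefore fails open, which is why evaluate() returns "permit" for an unknown name.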

Related command

deny

ip access-group

ip access-list

show ip access-list

3.1.5 show ip access-list

Use command “show ip access-list” to show current IP access-list content.

Syntax

show ip access-list [access-list-name]

Parameter

Parameter Description
access-list-name: Name of the access list, a character string of at most 20 characters.

Default

Shows all standard and extended IP access lists.

Command mode

Supervisor mode

Explanation

The command “show ip access-list” allows you to specify a particular access list.


Example

The following is an example of the output of the command “show ip access-list” when no name is specified:

Switch# show ip access-list
ip access-list standard aaa
permit 192.2.2.1
permit 192.3.3.0 255.255.255.0
ip access-list extended bbb
permit tcp any any eq www
permit ip any any

The following is an example of the output of the command “show ip access-list” when a name is specified:

ip access-list extended bbb
permit tcp any any eq www
permit ip any any
