Disadvantages of sending icmp error packets, Configuration procedure – H3C Technologies H3C S12500 Series Switches User Manual

○ If a packet is destined for the switch but the transport layer protocol of the packet is not supported by the switch, the switch sends the source a Protocol Unreachable ICMP error packet.
○ If a UDP packet is destined for the switch but the packet's port number does not match the corresponding process, the switch sends the source a Port Unreachable ICMP error packet.
○ If the source uses Strict Source Routing to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the switch sends the source a Source Routing Failure ICMP error packet. (The switch does not support this function.)
○ If the MTU of the sending interface is smaller than the packet and the packet has DF set, the switch sends the source a Fragmentation Needed and DF-set ICMP error packet. (The switch does not support this function.)
○ If a packet does not match any route and there is no default route in the routing table, the device sends a Network Unreachable ICMP error packet to the source. (The switch does not support this function.)
Disadvantages of sending ICMP error packets
Although sending ICMP error packets facilitates network control and management, it still has the
following disadvantages:
• Sending a lot of ICMP packets increases network traffic.
• A device's performance degrades if it receives a lot of malicious packets that cause it to respond with ICMP error packets.
• A host's performance degrades if the redirection function increases the size of its routing table.
• End users can be affected if a host sends malicious ICMP destination unreachable packets.
To prevent such problems, you can disable the switch from sending ICMP error packets.
Configuration procedure
To disable sending ICMP error packets:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable sending ICMP error packets. | Enable sending ICMP redirect packets: ip redirects enable | Disabled by default.
 | Enable sending ICMP timeout packets: ip ttl-expires enable |
 | Enable sending ICMP destination unreachable packets: ip unreachables enable |
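
An added example, not part of the H3C manual: Python that parses ICMP messages taken from a capture, verifies the checksum, and attributes each error message to the command on this page that controls sending it, so the dominant error class is visible before a function is enabled. The ICMP type and code numbers are from RFC 792; the function names and sample messages are constructed for illustration.

```python
import struct
from collections import Counter

# ICMP type 3 codes (RFC 792) for the unreachable conditions this page lists.
UNREACH_CODES = {0: "Network Unreachable", 2: "Protocol Unreachable",
                 3: "Port Unreachable", 4: "Fragmentation Needed and DF-set",
                 5: "Source Routing Failure"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(icmp: bytes):
    """Return (description, governing command), or None if not a covered error."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None  # truncated or corrupted message: do not count it
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type == 3:
        name = UNREACH_CODES.get(code, f"Destination Unreachable code {code}")
        return (name, "ip unreachables enable")
    if icmp_type == 5:
        return ("Redirect", "ip redirects enable")
    if icmp_type == 11:  # the page calls these "ICMP timeout packets"
        return ("Time Exceeded", "ip ttl-expires enable")
    return None  # e.g. echo request/reply, not an error packet

def build(icmp_type: int, code: int, payload: bytes = b"\x00" * 28) -> bytes:
    """Constructed sample ICMP message with a valid checksum (demo helper)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload

def tally(messages):
    """Count valid ICMP error messages per governing command."""
    return Counter(hit[1] for hit in map(classify, messages) if hit)

if __name__ == "__main__":
    # Constructed capture: mostly Port Unreachable, plus one echo request.
    sample = [build(3, 3)] * 5 + [build(3, 2), build(11, 0), build(5, 1), build(8, 0)]
    for command, count in tally(sample).most_common():
        print(f"{count:3d} messages controlled by '{command}'")
```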