Disabling forwarding icmp fragments, Configuring rate limit for icmp error messages, Configuring basic dhcp snooping – H3C Technologies H3C S12500-X Series Switches User Manual
• If the source uses Strict Source Routing to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device sends the source a Source Routing Failure ICMP error message.
• If the MTU of the sending interface is smaller than the packet and the packet has DF set, the device sends the source a Fragmentation Needed and DF-set ICMP error message.
To enable sending ICMP error messages:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable sending ICMP error messages.
    Commands:
    • Enable sending ICMP redirect messages: ip redirects enable
    • Enable sending ICMP time-exceeded messages: ip ttl-expires enable
    • Enable sending ICMP destination unreachable messages: ip unreachables enable
    Remarks: The default settings are disabled.
Sending ICMP error messages facilitates network management, but sending excessive ICMP messages
increases network traffic. A device's performance degrades if it receives a lot of malicious ICMP
messages that cause it to respond with ICMP error messages.
To prevent such problems, you can disable the device from sending ICMP error messages. A device that
is disabled from sending ICMP time-exceeded messages does not send ICMP TTL Expired messages.
However, it can still send ICMP Fragment Reassembly Timeout messages.
Disabling forwarding ICMP fragments
Disabling forwarding ICMP fragments can protect your device from ICMP fragment attacks.
To disable forwarding ICMP fragments:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Disable forwarding ICMP fragments.
    Command: ip icmp fragment discarding
    Remarks: By default, forwarding ICMP fragments is enabled.
Configuring rate limit for ICMP error messages
To avoid sending excessive ICMP error messages within a short period that might cause network
congestion, you can limit the rate at which ICMP error messages are sent. A token bucket algorithm is
used with one token representing one ICMP error message. Tokens are placed in the bucket at a specific
interval until the maximum number of tokens that the bucket can hold is reached. Tokens are removed
from the bucket when ICMP error messages are sent. When the bucket is empty, ICMP error messages
are not sent until a new token is placed in the bucket.
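The token bucket behaviour described above, written out as a small simulation. This is an added example, not code from the H3C manual or from the switch software; the bucket size, the refill interval and the burst of would-be error messages are constructed values, and the assumption that the bucket starts full is mine. It shows what a rate limit actually does under a flood: the first bucket_size messages of a burst go out, the rest are suppressed, and sending resumes only as tokens are placed back in the bucket.

```python
from dataclasses import dataclass, field


@dataclass
class IcmpErrorRateLimiter:
    """Token bucket for ICMP error messages: one token = one message.

    Tokens are added one per refill_interval_ms until bucket_size is
    reached; sending a message removes one token; an empty bucket
    suppresses messages until the next token arrives.
    """
    bucket_size: int          # maximum number of tokens the bucket can hold
    refill_interval_ms: int   # one token is placed in the bucket every interval
    tokens: int = field(init=False)
    last_refill_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # Assumption for this example: the bucket starts full.
        self.tokens = self.bucket_size

    def _refill(self, now_ms: int) -> None:
        """Credit the tokens earned since the last refill, capped at bucket_size."""
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.refill_interval_ms:
            earned = elapsed // self.refill_interval_ms
            self.tokens = min(self.bucket_size, self.tokens + earned)
            # Advance only by whole intervals so partial intervals carry over.
            self.last_refill_ms += earned * self.refill_interval_ms

    def try_send(self, now_ms: int) -> bool:
        """Return True if an ICMP error message may be sent at now_ms."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(timestamps_ms, bucket_size: int, refill_interval_ms: int):
    """Run the limiter over a non-decreasing list of times at which the
    device would like to send an ICMP error message.

    Returns (sent, suppressed) counts.
    """
    limiter = IcmpErrorRateLimiter(bucket_size, refill_interval_ms)
    sent = suppressed = 0
    for t in timestamps_ms:
        if limiter.try_send(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed scenario: a flood of 50 packets at t=0 that each trigger an
# ICMP error, one more at t=100 ms, then a second flood of 20 at t=1000 ms.
# Bucket holds 10 tokens and is refilled with one token every 100 ms.
CONSTRUCTED_BURST = [0] * 50 + [100] + [1000] * 20

if __name__ == "__main__":
    sent, suppressed = simulate(CONSTRUCTED_BURST, bucket_size=10, refill_interval_ms=100)
    print(f"sent={sent} suppressed={suppressed}")  # sent=20 suppressed=51
```

With these values the first flood drains the bucket after 10 messages and 40 are suppressed; the single message at 100 ms goes out on the one token refilled since; by 1000 ms nine more tokens have accumulated, so 9 of the second flood are sent and 11 are suppressed. The cap on the bucket is what keeps a long idle period from turning into an unbounded burst later.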