Disabling icmp to send error packets – H3C Technologies H3C S3600 Series Switches User Manual

Follow these steps to enable the switch to receive directed broadcasts:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the device to receive directed broadcasts | ip forward-broadcast | Required. Disabled by default. |

Disabling ICMP to Send Error Packets

Sending error packets is a major function of ICMP. When a network abnormality occurs, the network or transport layer protocols usually send ICMP packets to notify the corresponding devices, which facilitates control and management.

Although sending ICMP error packets facilitates control and management, it has the following disadvantages:

- Sending a lot of ICMP packets increases network traffic.
- If the device receives a lot of malicious packets that cause it to send ICMP error packets, its performance is reduced.
- Because the ICMP redirection function increases the routing table size of a host, the host's performance is reduced if its routing table becomes very large.
- If a host sends malicious ICMP destination unreachable packets, end users may be affected.

You can disable the device from sending such ICMP error packets to reduce network traffic and prevent malicious attacks.

Follow these steps to disable sending ICMP error packets:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Disable sending ICMP redirects | undo icmp redirect send | Required. Enabled by default. |
| Disable sending ICMP destination unreachable packets | undo icmp unreach send | Required. Enabled by default. |
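
The following check is an added example, not part of the H3C manual: it reads configuration text and reports which of the two ICMP error-sending features above are still enabled, starting from the documented defaults. It assumes system-view commands appear unindented and exactly as typed, and the sample configurations are constructed.

```python
# Added example (not from the H3C manual): audit configuration text for the
# two ICMP error-sending settings described in this section.
# Assumptions: system-view commands appear unindented, exactly as typed, and
# "#" lines are separators. The sample configurations below are constructed.

# Both features are "Enabled by default" according to the manual.
DEFAULTS = {"icmp redirect send": True, "icmp unreach send": True}


def icmp_error_state(config_text):
    """Apply configuration lines in order; return {command: still enabled?}."""
    state = dict(DEFAULTS)
    for raw in config_text.splitlines():
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue  # blank, indented (sub-view), or separator line
        line = " ".join(raw.split())
        undo = line.startswith("undo ")
        command = line[len("undo "):] if undo else line
        if command in state:
            state[command] = not undo  # a later line overrides an earlier one
    return state


def findings(config_text):
    """Commands whose ICMP error sending is still enabled."""
    return sorted(c for c, on in icmp_error_state(config_text).items() if on)


# Constructed sample: both features disabled as in the procedure above.
HARDENED = "#\nsysname SW-A\n#\nundo icmp redirect send\nundo icmp unreach send\n#\n"
# Constructed sample: nothing configured, so the defaults apply.
DEFAULT = "#\nsysname SW-B\n#\n"
# Constructed command sequence: unreachable sending re-enabled afterwards.
REENABLED = "undo icmp redirect send\nundo icmp unreach send\nicmp unreach send\n"

if __name__ == "__main__":
    for name, text in (("HARDENED", HARDENED), ("DEFAULT", DEFAULT),
                       ("REENABLED", REENABLED)):
        print(name, "still sending:", findings(text) or "none")
```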

Canceling the System-Defined ACLs for ICMP Attack Guard

ICMP attacks are common in networks. To guard against malicious ICMP attacks, the device pre-defines some ACLs that match incoming ICMP packets and process them separately, which reduces the impact of ICMP attacks on normal data packets and increases network stability.

In a secure network, you can cancel the system-defined ACLs for ICMP attack guard to increase the available ACL resources.

Follow these steps to cancel the system-defined ACLs for ICMP attack guard:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
