Option 82 configuration example, Disabling forwarding ICMP fragments, Enabling ICMP flow control – H3C Technologies H3C S12500 Series Switches User Manual

Page 110: Configuration procedure


A device's performance degrades if it receives a lot of malicious packets that cause it to respond with ICMP error packets.

A host's performance degrades if the redirect function adds many routes to its routing table.

End users are affected if malicious users send many ICMP destination unreachable packets.

To prevent such problems, you can disable the device from sending ICMP error packets.


Configuration procedure

To enable sending ICMP error packets:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable sending ICMP error packets. | Enable sending ICMP redirect packets: ip redirects enable | The default settings are disabled. |
| | Enable sending ICMP time-exceeded packets: ip ttl-expires enable | |
| | Enable sending ICMP destination unreachable packets: ip unreachables enable | |

A device disabled from sending ICMP time-exceeded packets does not send ICMP TTL Expired packets but can still send ICMP Fragment Reassembly Timeout packets.


Disabling forwarding ICMP fragments

Disabling forwarding ICMP fragments can protect your device from ICMP fragment attacks.

To disable forwarding ICMP fragments:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Disable forwarding ICMP fragments. | ip icmp fragment discarding | By default, forwarding ICMP fragments is enabled. |
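
An added example, not part of the H3C manual: a Python check that reads a saved configuration as text and reports where it departs from the protective settings described in the two sections above (ICMP error packets not sent, ICMP fragments discarded). The function name, the constructed sample configuration, and the treatment of a leading "undo" as negating a command are assumptions.

```python
import re

# Commands taken from the page. Per the page, the three "enable" settings
# default to disabled and forwarding of ICMP fragments defaults to enabled.
ERROR_CMDS = {
    "ip redirects enable": "ICMP redirect",
    "ip ttl-expires enable": "ICMP time-exceeded",
    "ip unreachables enable": "ICMP destination unreachable",
}
FRAG_CMD = "ip icmp fragment discarding"

def audit_icmp(config_text):
    """Return a sorted list of findings for a saved configuration (text)."""
    enabled = set()
    frag_discard = False
    for raw in config_text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())  # normalise spacing
        if not line or line.startswith("#"):
            continue
        # Assumption: a leading "undo" negates a command (restores default).
        negated = line.startswith("undo ")
        cmd = line[5:] if negated else line
        if cmd in ERROR_CMDS:
            (enabled.discard if negated else enabled.add)(cmd)
        elif cmd == FRAG_CMD:
            frag_discard = not negated
    findings = [f"{ERROR_CMDS[c]} packets are sent ({c})" for c in enabled]
    if not frag_discard:
        findings.append(f"ICMP fragments are forwarded ({FRAG_CMD} not set)")
    return sorted(findings)

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
#
 sysname Core-1
#
 ip unreachables enable
 ip ttl-expires enable
 undo ip ttl-expires enable
#
interface Vlan-interface10
 ip address 192.0.2.1 255.255.255.0
#
"""

if __name__ == "__main__":
    for finding in audit_icmp(SAMPLE):
        print("FINDING:", finding)
```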


Enabling ICMP flow control

Delivering a large number of ICMP packets to the CPU impacts the processing of other services. To prevent this situation, you can enable ICMP flow control.

To enable ICMP flow control:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
