The icmp ttl-exceeded drop command enables the device to discard ICMP packets whose TTL value is 1.
The undo icmp ttl-exceeded drop command disables the device from discarding ICMP packets whose TTL value is 1.
By default, discarding of ICMP packets with a TTL value of 1 is disabled on the device.
Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
icmp ttl-exceeded drop { slot slot-id | all }
undo icmp ttl-exceeded drop { slot slot-id | all }
Parameter | Description | Value
---|---|---
slot slot-id | Indicates the slot ID. | The value is determined based on the device configuration.
all | Indicates all the devices. This parameter is used when you need to enable or disable discarding of ICMP packets with TTL value 1 on all the devices. | -
Usage Scenario
TTL is a field in the IP header that limits the lifespan of an IP packet on the network. The TTL value is set by the sender and is decremented by 1 each time the packet passes through a device. If a forwarding device receives an IP packet whose TTL is 0 and whose destination address is not a local address, the device discards the packet and returns an ICMP packet to the sender.
ICMP packets are encapsulated in IP packets. When the device receives an ICMP packet whose destination address is not a local address and whose TTL value is 1, it discards the packet and returns an ICMP Time Exceeded message.
When the switch receives a packet whose TTL value is 1, it sends the packet to the CPU. The tracert function performs hop-by-hop detection using packets with TTL value 1. If an attacker sends a large number of IP packets with TTL value 1 to a target device, the CPU of the target device is kept busy handling these packets and returning ICMP Destination Unreachable packets, so CPU usage becomes high.
If the switch is configured to discard ICMP packets with TTL value 1, the load on the switch is reduced and such attacks are mitigated.
Precautions
After the function is enabled on the device, the tracert command does not take effect.
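The following model, added here as an example and not code from the page or the vendor, illustrates the behaviour described in the usage scenario and the precaution above: ICMP packets with TTL 1 that are not addressed to the switch are punted and answered with Time Exceeded when the function is disabled, and silently discarded when it is enabled, which is why a TTL-1 tracert probe gets no reply. Only ICMP packets are modelled; the switch address, host addresses and flood size are constructed values.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed values for the model: the switch's own address and a transit destination.
SWITCH_ADDR = "10.0.0.1"
FAR_HOST = "10.0.2.50"

@dataclass
class IcmpPacket:
    src: str
    dst: str
    ttl: int

def handle_icmp(pkt: IcmpPacket, ttl_exceeded_drop: bool) -> str:
    """Return the action the switch takes on one received ICMP packet.

    'deliver'       - addressed to the switch itself, handled locally
    'forward'       - transit packet with TTL > 1, TTL decremented and forwarded
    'time-exceeded' - transit packet with TTL <= 1, sent to the CPU, ICMP Time Exceeded returned
    'drop'          - transit packet with TTL <= 1 discarded because icmp ttl-exceeded drop is enabled
    """
    if pkt.dst == SWITCH_ADDR:
        return "deliver"
    if pkt.ttl > 1:
        pkt.ttl -= 1
        return "forward"
    # TTL has run out and the packet is not for us: this is the path the command controls
    return "drop" if ttl_exceeded_drop else "time-exceeded"

def run(packets, ttl_exceeded_drop: bool) -> Counter:
    """Tally the actions for a list of packets; packets are copied so runs stay independent."""
    return Counter(handle_icmp(IcmpPacket(p.src, p.dst, p.ttl), ttl_exceeded_drop) for p in packets)

def build_traffic(flood_size: int):
    """Constructed traffic: one tracert probe (TTL 1), a flood of TTL-1 packets from one source,
    and one ordinary transit packet (TTL 64)."""
    probe = [IcmpPacket("10.0.1.7", FAR_HOST, 1)]
    flood = [IcmpPacket("192.0.2.99", FAR_HOST, 1) for _ in range(flood_size)]
    normal = [IcmpPacket("10.0.1.8", FAR_HOST, 64)]
    return probe + flood + normal

if __name__ == "__main__":
    traffic = build_traffic(1000)
    for enabled in (False, True):
        print(f"icmp ttl-exceeded drop enabled={enabled}: {dict(run(traffic, enabled))}")
```

With the function disabled every TTL-1 packet, flood and probe alike, produces a Time Exceeded reply from the CPU; with it enabled none does, so the tracert probe is dropped along with the flood.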