icmp unreachable drop
Function
The icmp unreachable drop command enables the function of discarding ICMP Destination Unreachable packets.
The undo icmp unreachable drop command disables the function of discarding the ICMP Destination Unreachable packets.
By default, the function of discarding ICMP Destination Unreachable packets is disabled.
Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Usage Guidelines
ICMP error packets contain network information, such as network connectivity, host reachability, and route availability. ICMP error packets are ultimately returned to the sender because the sender is the logical receiver of the ICMP error packets. The sender learns about the error types from the ICMP error packets, and then determines how to retransmit the data.
After receiving an IP packet, if the device finds that the destination is unreachable, the device discards the packet, and returns a Destination Unreachable packet to the source.
- When receiving a data packet of which the destination address is a local address and transport protocol is UDP, if the device detects that the port number of the packet does not match the running process, the source sends a Port Unreachable packet to the source.
- When receiving a data packet of which the destination address is the local address, if the device does not support the transport layer protocol of the data packet, the device returns a Protocol Unreachable packet to the source.
- When a device receives a data packet, but cannot forward it, the device returns a Host Unreachable packet to the source.
- The ICMP packets increase traffic volume and burden the network devices.
- If a device receives a large number of malicious attack packets and needs to return ICMP error packets, the device is busy handling ICMP packets, and the device performance is degraded.
- The ICMP Destination Unreachable packets indicate that the destination is unreachable. If there are malicious attacks, user terminals cannot normally use the network.
The switch sends ICMP Destination Unreachable packets to the CPU for processing. When a large number of such packets are received, the CPU may be overloaded. To reduce the number of ICMP packets on the network, you can enable the switch to discard ICMP Destination Unreachable packets. After the configuration, the workload on the switch is reduced and malicious attacks can be prevented.