ipv4 destination-unreachable drop

Usage Scenario

If the switch receives an IP packet that matches no routing entry in the local routing table, it sends the packet to the CPU. If a lot of IP packets match no routing entry because of an attack or incorrect network configuration, the CPU is busy. To prevent this problem, run the ipv4 destination-unreachable drop command to configure the switch to discard these packets.

Precautions

If you run the ipv4 destination-unreachable drop command, the switch does not respond to ICMP error packets when a route fails to match the routing policies. To enable the switch to respond to these ICMP packets, you need to run the undo ipv4 destination-unreachable drop command.

On the S5720-EI, S6720-EI, and S6720S-EI, when both the ipv4 destination-unreachable drop command and the traffic policy command are run, both the drop action and the redirection action take effect. The ICMP redirection packets are discarded because the drop action has a higher priority than the redirection action. This leads to a redirection failure for ICMP packets. To make the redirection action for ICMP packets effective, run the undo ipv4 destination-unreachable drop command to disable the drop action. However, disabling the drop action will degrade the attack defense performance of the system. You must configure the two actions properly according to the network requirements.

For the S6720-EI and S6720S-EI, if the resource allocation mode is set to enhanced-ipv4 or ipv4-ipv6 6:1 using the assign resource-mode command, the ipv4 destination-unreachable drop command does not take effect.