Configure Basic Functions of the ICMP Protocol

In the TCP/IP protocol stack, ICMP is mainly used to provide network detection services. It also reports errors when a network layer or transport layer protocol encounters an abnormal condition, and it informs the related device of the abnormality to facilitate network control and management.

Configuration Condition

None

Enable Global ICMP Redirection

After a device receives an IP packet to be forwarded, if route selection shows that the receiving interface and the transmitting interface of the packet are the same, the device forwards the packet and sends an ICMP redirection packet back to the source end, requesting that the source end select the correct next hop for later packets. By default, a device can send ICMP redirection packets. In some special cases, you can prohibit a device from sending ICMP redirection packets.

Table 2-10 Enabling Global ICMP Redirection

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enable global ICMP redirection. | ip redirect | Mandatory. By default, the global ICMP redirection function is disabled. |

Enable ICMP Redirection on an Interface

To send ICMP redirection packets, you also need to enable the ICMP redirection function on the interface.

Table 2-11 Enabling ICMP Redirection on an Interface

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enter the interface configuration mode. | interface interface-name | - |
| Enable ICMP redirection on an interface. | ip redirects | Mandatory. By default, the ICMP redirection function is enabled on an interface. |

Note

  • The device can send ICMP redirection packets only when the ICMP redirection function is enabled both globally and on the interface.

Enable ICMP Destination Network Unreachable

After the device receives an IP packet, if the destination network is unreachable, the device drops the packet and sends an ICMP destination network unreachable error packet back to the source.

  • For a forwarded IP packet, if the route lookup fails, the device sends the "Network unreachable" ICMP error packet back to the source end.

Table 2-12 Enabling ICMP Destination Network Unreachable

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enable ICMP destination network unreachable. | ip network unreachables reply | Optional. By default, ICMP destination network unreachable is not enabled. |

Enable ICMP Destination Unreachable

After a device receives IP data packets, if the destination is unreachable, the packet is discarded and the ICMP destination unreachable error packet is sent back to the source end.

  • If route selection of a forwarded IP packet fails, the host unreachable ICMP error packet is sent back to the source end.
  • For an IP packet that can be forwarded, if the packet needs to be fragmented but its Don't Fragment (DF) bit is set, an ICMP error packet indicating that "fragmentation is required but a DF bit is set" is sent to the source end.
  • For an IP packet whose destination address is the local device, if the device does not support the upper-layer protocol of the packet, it sends a "protocol unreachable" ICMP error packet to the source end.
  • For an IP packet whose destination address is the local device, if the transport layer port of the packet does not match a port that a device process listens on, the device sends back a "port unreachable" ICMP error packet to the source end.

If a device is hit by a malicious attack that involves a large number of ICMP destination unreachable packets, device performance is degraded and network traffic increases. To prevent this, you can disable the function of sending ICMP destination unreachable packets.

Table 2-13 Enabling ICMP Destination Unreachable

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enter the interface configuration mode. | interface interface-name | - |
| Enable ICMP destination unreachable. | ip unreachables | Optional. By default, the ICMP destination unreachable function is enabled. |
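
The redirect rule and the four destination unreachable cases described above can be read as one decision function. The following Python model is an added example, not vendor code: the Device fields, the sample routes and the redirect code value are assumptions, one set of interface switches stands in for the whole device, and the separate network unreachable switch is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Device:
    """Constructed device state; all field names are hypothetical."""
    routes: dict          # prefix -> (egress interface, egress MTU)
    local_ips: set        # addresses owned by the device itself
    protocols: set = field(default_factory=lambda: {1, 6, 17})  # ICMP, TCP, UDP
    udp_ports: set = field(default_factory=set)                 # listening UDP ports
    global_redirect: bool = False   # "ip redirect"     (page default: disabled)
    if_redirects: bool = True       # "ip redirects"    (page default: enabled)
    if_unreachables: bool = True    # "ip unreachables" (page default: enabled)

def lookup(dev, dst):
    """Longest-prefix match; returns (interface, mtu) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in dev.routes.items()]
    hits = [h for h in hits if addr in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def icmp_response(dev, in_if, dst, proto, dport=None, length=100, df=False):
    """Return (action, icmp): icmp is None or the (type, code) sent to the source."""
    def unreach(code):   # type 3 is suppressed when "ip unreachables" is off
        return ("drop", (3, code) if dev.if_unreachables else None)
    if dst in dev.local_ips:
        if proto not in dev.protocols:
            return unreach(2)              # protocol unreachable
        if proto == 17 and dport not in dev.udp_ports:
            return unreach(3)              # port unreachable (TCP normally answers with RST)
        return ("deliver", None)
    route = lookup(dev, dst)
    if route is None:
        return unreach(1)                  # host unreachable: route selection failed
    out_if, mtu = route
    if length > mtu and df:
        return unreach(4)                  # fragmentation needed but DF set
    if out_if == in_if and dev.global_redirect and dev.if_redirects:
        return ("forward", (5, 1))         # redirect; code 1 (host) is an assumption
    return ("forward", None)

# Constructed sample device: two routes, one local address, DNS listening on UDP 53.
DEV = Device(routes={"10.0.0.0/8": ("eth0", 1500), "192.168.1.0/24": ("eth1", 1400)},
             local_ips={"10.0.0.1"}, udp_ports={53})
```

With the page's defaults, a packet that arrives on eth0 and routes back out of eth0 is forwarded without a redirect, because the global switch is off even though the interface switch is on.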

Configure ICMP Speed Limitation

If the device comes under a malicious attack that causes it to send a large number of ICMP error messages, device performance is reduced and network traffic increases. To avoid this, you can configure an ICMP packet speed limit. The ICMP error packet types are: unreachable packet, redirection packet, TTL timeout packet and parameter error packet. The default speed limit for these packets is 10 pps, and the default sending rate of other packet types is 0, that is, no speed limit. You can also configure the sending rate of each type separately; where no rate is configured, the default value applies.

Table 2-14 Configuring ICMP Speed Limitation

| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode. | configure terminal | - |
| Enable the ICMP speed limitation. | ip icmp ratelimit enable | Mandatory. By default, the function is enabled. |
| Configure ICMP speed limitation. | ip icmp ratelimit { default pps \| echo-reply { pps \| unlimit } \| mask-reply { pps \| unlimit } \| param-problem { pps \| unlimit } \| redirect { pps \| unlimit } \| time-exceed { pps \| unlimit } \| time-stamp-reply { pps \| unlimit } \| unreach { pps \| unlimit } } | Mandatory. By default, the ICMP speed limitation function is enabled. |
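
The effect of the per-type limits can be checked by replaying a load against a model of the limiter. The following Python code is an added example, not the device's implementation: the page does not describe the limiting algorithm, so a fixed one-second window is assumed, the ICMP type numbers are the standard RFC 792 / RFC 950 values, and the load is constructed.

```python
from collections import Counter

# ICMP type number -> keyword of the page's "ip icmp ratelimit" command
KEYWORD = {0: "echo-reply", 3: "unreach", 5: "redirect", 11: "time-exceed",
           12: "param-problem", 14: "time-stamp-reply", 18: "mask-reply"}
ERROR_KEYWORDS = {"unreach", "redirect", "time-exceed", "param-problem"}

class IcmpRateLimiter:
    """Per-keyword limit over a fixed one-second window (assumed algorithm)."""
    def __init__(self, enabled=True, overrides=None):
        self.enabled = enabled
        # Page defaults: 10 pps for error messages, 0 (no limit) for the rest.
        self.pps = {k: (10 if k in ERROR_KEYWORDS else 0) for k in KEYWORD.values()}
        self.pps.update(overrides or {})
        self.second, self.count = None, Counter()

    def allow(self, icmp_type, now):
        """True if an ICMP message of this type may be sent at time `now` (seconds)."""
        kw = KEYWORD.get(icmp_type)
        limit = self.pps.get(kw, 0)
        if not self.enabled or limit == 0:
            return True
        if int(now) != self.second:        # new one-second window: reset counters
            self.second, self.count = int(now), Counter()
        if self.count[kw] >= limit:
            return False
        self.count[kw] += 1
        return True

def replay(limiter, events):
    """events: (timestamp, icmp_type) messages the device wants to send.
    Returns (sent, dropped) Counters keyed by keyword."""
    sent, dropped = Counter(), Counter()
    for ts, icmp_type in events:
        kw = KEYWORD.get(icmp_type, str(icmp_type))
        (sent if limiter.allow(icmp_type, ts) else dropped)[kw] += 1
    return sent, dropped

# Constructed load over 3 s: 500 packets/s that each trigger a type 3 reply,
# plus 20 echo requests/s that are answered with type 0.
BURST = [(s + i / 500, 3) for s in range(3) for i in range(500)]
PINGS = [(s + i / 20, 0) for s in range(3) for i in range(20)]
EVENTS = sorted(BURST + PINGS)
```

Calling `replay(IcmpRateLimiter(), EVENTS)` shows the default 10 pps cap holding unreachable replies to 30 over the three seconds while all 60 echo replies pass; `overrides={"unreach": 2}` models a tighter per-type setting.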