IPv4 ICMP Broadcast

Table 1. Internet Control Message Protocol product support

Feature                                      Product       Release introduced
-------------------------------------------  ------------  ----------------------------
Internet Control Message Protocol (ICMP)     5320 Series   Fabric Engine 8.6 (see Note)
                                             5420 Series   VOSS 8.4
                                             5520 Series   VOSS 8.2.5
                                             5720 Series   Fabric Engine 8.7
ICMP broadcast and multicast enable or       5320 Series   Fabric Engine 8.6 (see Note)
disable                                      5420 Series   VOSS 8.4
                                             5520 Series   VOSS 8.2.5
                                             5720 Series   Fabric Engine 8.7
Fragmented ICMP Packet Filtering for IPv4    5320 Series   Fabric Engine 8.6 (see Note)
                                             5420 Series   VOSS 8.5
                                             5520 Series   VOSS 8.5
                                             5720 Series   Fabric Engine 8.7
Fragmented ICMP Packet Filtering for IPv6    5320 Series   Fabric Engine 8.6 (see Note)
                                             5420 Series   VOSS 8.5
                                             5520 Series   VOSS 8.5
                                             5720 Series   Fabric Engine 8.7

Note: Only 5320-48P-8XE and 5320-48T-8XE support more than one VRF with IP configuration.

On IPv4 networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network.

If the broadcast packet is an ICMP echo request, every machine on the network receives it and sends an ICMP echo reply back. When all the machines on a network respond to the same ICMP echo request, the result can be severe network congestion or outages.

The switch always responds to IPv4 ICMP packets sent to a broadcast address unless you disable the processing of these packets. When ICMP broadcast processing is disabled, all ICMP packets sent to broadcast addresses are dropped when they reach the control plane.

You can disable or enable the IPv4 ICMP broadcast processing at the VRF level.

Fragmented ICMP Packet Filtering

ICMP fragmentation distributed denial-of-service (DDoS) attacks flood the destination resources with fragmented packets and overwhelm the network because of massive volumes of traffic. With Fragmented ICMP packet filtering, the system inspects each incoming IPv4 ICMP packet to determine if it should drop the packet or forward it.

You can configure ICMP drop packet filtering globally, on a specific VRF, and on the following management interfaces:
  • Out-of-Band (OOB) management
  • Circuitless IP (CLIP) management
  • VLAN management
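
The following Python sketch is an added example, not the switch's implementation and not taken from this documentation. It models the two drop decisions described above (ICMP sent to a broadcast address, and fragmented ICMP) over constructed IPv4 packets. The function names, the 192.0.2.0/24 subnet, and the use of the standard IPv4 More Fragments flag and fragment offset to identify a fragment are assumptions.

```python
import ipaddress
import struct

ICMP_PROTO = 1  # IPv4 protocol number for ICMP


def build_ipv4(dst, more_fragments=False, frag_offset=0, proto=ICMP_PROTO,
               src="192.0.2.10"):
    """Build a constructed IPv4 header plus an 8-byte echo-request body.

    Checksums are left at zero; classify() below does not verify them.
    """
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # ICMP type 8 = echo request
    return header + body


def classify(packet, local_net, drop_broadcast=True, drop_fragments=True):
    """Return 'drop-broadcast', 'drop-fragment' or 'forward' for one packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "forward"  # not a parsable IPv4 header; out of scope here
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    if packet[9] != ICMP_PROTO:
        return "forward"  # both checks apply to ICMP only
    dst = ipaddress.IPv4Address(packet[16:20])
    net = ipaddress.IPv4Network(local_net)
    limited = ipaddress.IPv4Address("255.255.255.255")
    if drop_broadcast and dst in (net.broadcast_address, limited):
        return "drop-broadcast"
    # A fragment has the More Fragments flag set or a non-zero offset.
    is_fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    if drop_fragments and is_fragment:
        return "drop-fragment"
    return "forward"


if __name__ == "__main__":
    net = "192.0.2.0/24"  # constructed documentation subnet
    samples = {
        "echo to host": build_ipv4("192.0.2.20"),
        "echo to subnet broadcast": build_ipv4("192.0.2.255"),
        "first fragment (MF set)": build_ipv4("192.0.2.20", more_fragments=True),
        "later fragment (offset 185)": build_ipv4("192.0.2.20", frag_offset=185),
    }
    for label, pkt in samples.items():
        print(f"{label:30} -> {classify(pkt, net)}")
```
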