How to check ICMP packets on S series switches


You can check ICMP packets on S series switches (excluding the S1700) using the following method:
Ensure that at least one ICMP packet passes through or arrives at the switch. Then enable debugging of ICMP packets in the user view:
 <HUAWEI> terminal debugging
 <HUAWEI> terminal monitor
 <HUAWEI> debugging ip icmp

Other related questions:
Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

How do S series switches discard ICMP destination-unreachable packets
On S series switches (excluding the S1700), you can run the icmp unreachable drop command to discard ICMP destination-unreachable packets. S series modular switches do not support this function. The following models of S series fixed switches also do not support it: S1720, S2720, S275xEI, S5700LI, S5700S-LI and S5710LI.

DHCP packet checksum check on S series switch
After the dhcp enable command is executed in the system view of S series switches, the switch checks the checksum of all passing DHCP packets as well as IP and UDP checksums.

Duplicate option check in DHCP packets on S series switch
As specified in RFC, duplicate Options are not recommended in a DHCP packet if the length of the Option field in the DHCP packet does not exceed 255 bytes. However, different vendors process the Option field differently. DHCP response packets sent from some servers may contain duplicate options, such as Option 3 and Option 51. In some versions, after DHCP is enabled using the dhcp enable command, the switch drops received DHCP packets with duplicate options. In V100R003 and earlier versions, the switch checks for duplicate options in DHCP packets by default. In V100R006 and later versions, the switch does not check for duplicate options in DHCP packets by default. You can run the dhcp anti-attack check duplicate option command in the system view to enable the switch to check for duplicate options in DHCP packets.
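
The duplicate option check described above can be illustrated by walking the DHCP options field and reporting any option code that appears more than once. This is an added example, not Huawei's implementation: the function names and the sample option bytes are constructed for illustration.

```python
import struct

PAD, END = 0, 255  # single-byte options with no length field


def parse_options(field: bytes):
    """Return [(code, value), ...] from a DHCP options field (bytes after the magic cookie)."""
    opts, i = [], 0
    while i < len(field):
        code = field[i]
        i += 1
        if code == PAD:
            continue
        if code == END:
            break
        if i >= len(field):
            raise ValueError(f"option {code}: missing length byte")
        length = field[i]
        i += 1
        if i + length > len(field):
            raise ValueError(f"option {code}: value truncated")
        opts.append((code, field[i:i + length]))
        i += length
    return opts


def duplicate_options(field: bytes):
    """Return the sorted option codes that occur more than once in the field."""
    seen, dups = set(), set()
    for code, _ in parse_options(field):
        (dups if code in seen else seen).add(code)
    return sorted(dups)


def opt(code: int, value: bytes) -> bytes:
    """Encode one option as code, length, value (helper for the constructed samples)."""
    return bytes([code, len(value)]) + value


# Constructed sample data: a DHCPACK with message type (53), lease time (51), router (3).
LEASE = opt(51, struct.pack("!I", 86400))
CLEAN = opt(53, b"\x05") + LEASE + opt(3, bytes([192, 0, 2, 1])) + bytes([END])
# Same reply, but the server repeats Option 3 and Option 51.
DUPLICATED = (opt(53, b"\x05") + opt(3, bytes([192, 0, 2, 1])) + LEASE
              + opt(3, bytes([192, 0, 2, 254])) + LEASE + bytes([END]))

if __name__ == "__main__":
    for name, field in (("clean", CLEAN), ("duplicated", DUPLICATED)):
        print(name, duplicate_options(field))
```

A reply like `DUPLICATED` is the kind of packet a switch with the duplicate option check enabled would drop, which is worth ruling out when clients fail to obtain leases from a server that repeats options.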
