How do S series switches discard ICMP destination-unreachable packets


On S series switches (excluding the S1700), you can run the icmp unreachable drop command to discard ICMP destination-unreachable packets.
S series modular switches do not support this function.
The following S series fixed switches also do not support this function: S1720, S2720, S275xEI, S5700LI, S5700S-LI and S5710LI.

Other related questions:
Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

Why ICMP packets used to ping a host cannot be discarded using a traffic policy on an S series modular switch
An S series modular switch sends ICMP packets to the CPU based on one ACL and discards ICMP packets based on another ACL in a traffic policy. When both ACLs match the same packet, only the ACL with the higher priority takes effect, and the ACL that sends ICMP packets to the CPU has the higher priority. Therefore, these ICMP packets cannot be discarded by configuring a traffic policy. To discard them, configure a blacklist. If the switch sends ICMP packets to the CPU through a route instead, you can configure a traffic policy to discard them.
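The two configurations described above (the icmp unreachable drop command on a fixed switch, and a blacklist that drops ICMP on a modular switch), as an added example that is not taken from the original page. The ACL number 3001, the policy name icmp-drop, the prompts and the view in which each command is entered are assumptions to be checked against the command reference of the specific model.

```text
# Fixed switch: discard ICMP destination-unreachable packets
# (assumed to be a system-view command)
<HUAWEI> system-view
[HUAWEI] icmp unreachable drop
[HUAWEI] quit

# Modular switch: a blacklist drops ICMP before the send-to-CPU ACL
# takes effect, which a traffic policy cannot do (see the answer above).
# ACL 3001 and the policy name "icmp-drop" are constructed values.
<HUAWEI> system-view
[HUAWEI] acl number 3001
[HUAWEI-acl-adv-3001] rule 5 permit icmp
[HUAWEI-acl-adv-3001] quit
[HUAWEI] cpu-defend policy icmp-drop
[HUAWEI-cpu-defend-policy-icmp-drop] blacklist 1 acl 3001
[HUAWEI-cpu-defend-policy-icmp-drop] quit
[HUAWEI] cpu-defend-policy icmp-drop global
```

A rule that matches all ICMP also blocks pings to the switch itself, so narrow the ACL with source or destination addresses to the hosts actually involved before applying it.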

How to check ICMP packets on S series switches
You can check ICMP packets on S series switches (excluding the S1700) using the following method:
Ensure that at least one ICMP packet passes or arrives at the switch. Then enable the debugging of ICMP packets in the user view:
 <HUAWEI> terminal debugging
 <HUAWEI> terminal monitor
 <HUAWEI> debugging ip icmp

