Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

can we disable ICMP netmask reply in HP 5500 Switch?

Althafahmed
Occasional Contributor

can we disable ICMP netmask reply in HP 5500 Switch?

customer has both cisco/hp devices in their network and is able to enable/disable 'ip mask-reply' on cisco units, but wondering what's the substitute in 3com/H3C (hp 5500IE switch)..

I could see that the function 'netmask request/reply' works on h3c switch, however, not sure how to configure these functions on the switch?
what's the default state of 'netmask reply'... is it disabled by default?

******************************
******************************
dis ip interface Vlan-interface 1

Vlan-interface1 current state :UP
Line protocol current state :UP
Internet Address is 16.48.50.125/24, acquired via DHCP
Broadcast address : 16.48.50.255
The Maximum Transmit Unit : 1500 bytes
input packets : 1005412, bytes : 126354989, multicasts : 0
output packets : 493581, bytes : 33711876, multicasts : 0
ARP packet input number: 104031313
Request packet: 103992340
Reply packet: 38973
Unknown packet: 0
TTL invalid packet number: 0
ICMP packet input number: 269054
Echo reply: 5
Unreachable: 73
Source quench: 0
Routing redirect: 0
Echo request: 268740
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 24
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 24
Netmask reply: 0
Unknown type: 188

1 REPLY
Apachez-
Trusted Contributor

Re: can we disable ICMP netmask reply in HP 5500 Switch?

I failed to locate a specific command to allow/disallow ICMP netmask replies.

 

However  you can setup ACL's to filter either type 17 code 0 (request, which is the preferred since you normally want to block the original request and not waste any system resources on a reply which will be dropped anyway) or type 18 code 0 (reply itself).

 

Like so:

 

rule 1234 deny icmp icmp-type 17 0 destination 1.2.3.4 0

 

Where 1.2.3.4 is the ip of the router you wish to protect, or you could just drop any address mask requests like so:

 

rule 1234 deny icmp icmp-type 17 0

 

For more info:

 

https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol