Re: can we disable ICMP netmask reply in HP 5500 Switch?

Althafahmed
Occasional Contributor

can we disable ICMP netmask reply in HP 5500 Switch?

The customer has both Cisco and HP devices in their network and is able to enable/disable 'ip mask-reply' on the Cisco units, but is wondering what the substitute is on 3Com/H3C (HP 5500 EI switch).

I could see that the 'netmask request/reply' function works on the H3C switch, but I am not sure how to configure these functions on the switch.
What is the default state of 'netmask reply'? Is it disabled by default?

******************************
dis ip interface Vlan-interface 1

Vlan-interface1 current state :UP
Line protocol current state :UP
Internet Address is 16.48.50.125/24, acquired via DHCP
Broadcast address : 16.48.50.255
The Maximum Transmit Unit : 1500 bytes
input packets : 1005412, bytes : 126354989, multicasts : 0
output packets : 493581, bytes : 33711876, multicasts : 0
ARP packet input number: 104031313
Request packet: 103992340
Reply packet: 38973
Unknown packet: 0
TTL invalid packet number: 0
ICMP packet input number: 269054
Echo reply: 5
Unreachable: 73
Source quench: 0
Routing redirect: 0
Echo request: 268740
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 24
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 24
Netmask reply: 0
Unknown type: 188

Apachez-
Trusted Contributor

Re: can we disable ICMP netmask reply in HP 5500 Switch?

I failed to locate a specific command to allow/disallow ICMP netmask replies.

However, you can set up ACLs to filter either type 17 code 0 (the request, which is preferred, since you normally want to block the original request and not waste any system resources on a reply which will be dropped anyway) or type 18 code 0 (the reply itself).

Like so:

rule 1234 deny icmp icmp-type 17 0 destination 1.2.3.4 0

Where 1.2.3.4 is the IP of the router you wish to protect, or you could just drop any address mask requests like so:

rule 1234 deny icmp icmp-type 17 0

For more info:

https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
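As an added check that is not part of the thread: a small Python parser (my own code, not an HP/H3C tool) for the ICMP counters in the 'display ip interface' output quoted in the question. It reports whether the interface has sent any ICMP address-mask replies (type 18); on the quoted output it sees 24 requests and 0 replies, so that interface was not answering, and comparing a dump taken before and after adding a rule like the one above shows whether the reply counter has stopped moving. The sample text below is constructed from the question's output.

```python
"""Parse Comware 'display ip interface' ICMP counters and report
ICMP address-mask (type 17 request / type 18 reply) activity.
Added example; the parser is not an HP/H3C tool."""
import re

# Constructed from the thread's 'dis ip interface Vlan-interface 1' dump.
SAMPLE = """\
Vlan-interface1 current state :UP
Line protocol current state :UP
Internet Address is 16.48.50.125/24, acquired via DHCP
The Maximum Transmit Unit : 1500 bytes
input packets : 1005412, bytes : 126354989, multicasts : 0
ICMP packet input number: 269054
Echo reply: 5
Echo request: 268740
Timestamp request: 24
Timestamp reply: 0
Netmask request: 24
Netmask reply: 0
Unknown type: 188
"""

# Matches 'Name: 123' lines only; lines with trailing units or several
# fields (MTU, input packets) deliberately do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$", re.M)


def parse_counters(text):
    """Return {'Netmask request': 24, ...} for every 'Name: N' line."""
    return {m.group(1).strip(): int(m.group(2))
            for m in COUNTER_RE.finditer(text)}


def netmask_reply_status(text):
    """Summarise address-mask behaviour seen in one dump.
    'replying' is True when the box has emitted at least one type 18 reply."""
    c = parse_counters(text)
    req, rep = c.get("Netmask request", 0), c.get("Netmask reply", 0)
    return {"requests": req, "replies": rep, "replying": rep > 0}


def counter_delta(before, after, name="Netmask reply"):
    """Growth of one counter between two dumps, e.g. taken before and
    after applying the ACL; a zero delta means no new replies were sent."""
    return (parse_counters(after).get(name, 0)
            - parse_counters(before).get(name, 0))


if __name__ == "__main__":
    print(netmask_reply_status(SAMPLE))
```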