The SG200-08 switch drops IP fragments

000amluto
Level 1

Easy test: take an SG200-08 with firmware 1.0.7.4.  Reset it to factory defaults.

Connect two computers.  Suppose that one of them is 192.168.1.2.  From the other one, do:

$ ping -s 1472 192.168.1.2

This works fine.  Now do:

$ ping -s 1473 192.168.1.2

This sends two IP fragments for each echo request.  Both are dropped by the switch.  You see this with tcpdump as well.

Needless to say, this breaks things.  Is there a configuration setting I'm missing?  Is this a bug in this switch firmware?

The same issue existed in 1.0.1.something.

7 Replies

mpyhala
Level 7

Andrew,

Have you tried raising the MTU value on the ports?

Port Management -> Port Settings:

• MTU—Specify the maximum transmission unit size in bytes. The default MTU is 1518 and the range is between 1518 and bytes.

This is copied from the Admin Guide; note that the high value is missing. The Data Sheet shows:

Frame sizes up to 10 KB supported on 10/100 and Gigabit Ethernet interfaces

(9 KB for SG200-08 and SG200-08P)

- Marty

Yes, I've tried that.

To be clear, the issue is not that the switch has difficulty with large frames.  The switch seems to selectively drop frames that contain a fragment of an IP packet.  I've even tried sending rather small fragments.  None of them get through.

The command:

$ ping -s 1473 192.168.1.2

does not send a 1501-byte frame.  It sends two fragments, because the host knows that a 1501-byte frame would exceed MTU.  The switch drops both fragments.
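A worked calculation of the fragmentation described in the two posts above, added here as an example; it is not code from any participant in this thread or from Cisco. It assumes a 20-byte IPv4 header without options, an 8-byte ICMP echo header, and the sending host's link MTU of 1500 bytes, and it shows why `ping -s 1472` leaves the host as one 1500-byte datagram while `ping -s 1473` leaves as a 1500-byte first fragment plus a 21-byte second fragment. The jumbo-MTU case at the end also shows that only the sending host's MTU decides whether fragmentation happens, which is why raising the switch port MTU alone does not change what the host transmits.

```python
"""Added example: how `ping -s N` turns into IPv4 fragments on a 1500-byte link.

Assumptions (not from the thread): a 20-byte IPv4 header with no options,
an 8-byte ICMP echo header, and a standard Ethernet MTU of 1500 bytes.
"""
from dataclasses import dataclass
from typing import List

IPV4_HEADER_LEN = 20   # IPv4 header without options
ICMP_HEADER_LEN = 8    # ICMP echo request/reply header
ETHERNET_MTU = 1500    # assumed link MTU on the sending host


@dataclass
class Fragment:
    offset_units: int      # Fragment Offset field: position in 8-byte units
    payload_len: int       # bytes of IP payload carried by this fragment
    more_fragments: bool   # MF flag: True on every fragment except the last

    @property
    def total_length(self) -> int:
        """Value of the IPv4 Total Length field for this fragment."""
        return IPV4_HEADER_LEN + self.payload_len


def fragment_ipv4(payload_len: int, mtu: int = ETHERNET_MTU) -> List[Fragment]:
    """Split an IPv4 payload of payload_len bytes into fragments fitting mtu.

    Every fragment but the last must carry a multiple of 8 payload bytes,
    because the Fragment Offset field counts in 8-byte units.
    """
    if payload_len < 0:
        raise ValueError("payload length cannot be negative")
    if mtu < IPV4_HEADER_LEN + 8:
        raise ValueError("MTU too small to carry any fragment")
    room = mtu - IPV4_HEADER_LEN
    if payload_len <= room:
        # Fits in one datagram: no fragmentation, MF clear, offset 0.
        return [Fragment(0, payload_len, False)]
    max_chunk = room // 8 * 8          # largest multiple of 8 that fits
    fragments: List[Fragment] = []
    offset = 0
    while offset < payload_len:
        chunk = min(max_chunk, payload_len - offset)
        is_last = offset + chunk >= payload_len
        fragments.append(Fragment(offset // 8, chunk, not is_last))
        offset += chunk
    return fragments


def ping_fragments(data_bytes: int, mtu: int = ETHERNET_MTU) -> List[Fragment]:
    """Fragments produced by `ping -s data_bytes` (or Windows `ping -l`)."""
    return fragment_ipv4(ICMP_HEADER_LEN + data_bytes, mtu)


def describe(data_bytes: int, mtu: int = ETHERNET_MTU) -> str:
    """Human-readable summary, one line per fragment."""
    frags = ping_fragments(data_bytes, mtu)
    lines = [f"ping -s {data_bytes} on MTU {mtu}: {len(frags)} IP datagram(s)"]
    for i, f in enumerate(frags):
        lines.append(
            f"  fragment {i}: offset={f.offset_units * 8} bytes "
            f"payload={f.payload_len} total_length={f.total_length} "
            f"MF={int(f.more_fragments)}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(1472))        # one 1500-byte datagram: the case that passes
    print(describe(1473))        # 1500-byte + 21-byte fragments: the case the thread reports dropped
    print(describe(1473, 9000))  # a 9000-byte host MTU needs no fragmentation at all
```

Running it prints the offset, payload length, Total Length and MF flag of each fragment, which is what you would compare against the tcpdump output on the receiving host to confirm which fragment is missing.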

Hello all,

I have done some research on this issue. I found some cases that were escalated due to this issue and other similar issues. The consistent response that I have found is that the switch is "performing as designed". There is a limitation with regards to the maximum packet size for ICMP traffic. The switch will not permit ICMP packets larger than 1272 bytes. This was implemented to prevent ICMP based DDoS attacks. Normal TCP and UDP traffic is not affected. Also, SG200-08 have a DoS drop action for ICMP fragments.

This information comes from the development team and there is no plan to change the functionality.

If you have any questions, please call support or open a chat session at the following link:

http://cisco.com/go/sbsc

- Marty

jc-denton
Level 1

I'm having this exact same problem.  To rule out the switch, I swapped in another gigabit switch and the fragments make it across.  I really just need this switch to behave like a switch.  I was on the 1.0.5.1 firmware and went to 1.0.7.4 like the OP here and still have the issue.

I've heard other folks mention disabling the DoS protection, but this switch doesn't have that option in its UI.

Any other suggestions?

Bump.  Anyone else able to replicate this?

hanskbakke
Level 1

I can confirm in my setup too. I have two SB300-20s and an SB300-10 and a single SB200-08.

The SB200-08 fails with fragmented ping test packets for two tests:

1. ping -l 1473 <sb200-08 management ip>

2. ping -l 1473 <win7 host behind sb200-08> (both fragments are dropped in the switch)

Both these tests are successful against my SB300s.

This is a showstopper issue for SB200-08 as it introduces subtle breakages that are very hard to identify.

@mpyhala

Can you confirm if the fragmentation problem will be fixed in the next release?