Easy test: take an SG200-08 with firmware 126.96.36.199. Reset it to factory defaults.
Connect two computers. Suppose that one of them is 192.168.1.2. From the other one, do:
$ ping -s 1472 192.168.1.2
This works fine. Now do:
$ ping -s 1473 192.168.1.2
This sends two IP fragments for each echo request. Both are dropped by the switch. You see this with tcpdump as well.
Needless to say, this breaks things. Is there a configuration setting I'm missing? Is this a bug in this switch firmware?
The same issue existed in 1.0.1.something.
Have you tried raising the MTU value on the ports?
Port Management-> Port Settings:
• MTU—Specify the maximum transmission unit size in bytes. The default
MTU is 1518 and the range is between 1518 and bytes.
This is copied from the Admin Guide, note that the high value is missing. The Data Sheet shows:
Frame sizes up to 10 KB supported on 10/100 and Gigabit Ethernet interfaces
(9 KB for SG200-08 and SG200-08P)
Yes, I've tried that.
To be clear, the issue is not that the switch has difficulty with large frames. The switch seems to selectively drop frames that contain a fragment of an IP packet. I've even tried sending rather small fragments. None of them get through.
$ ping -s 1473 192.168.1.2
does not send a 1501-byte frame. It sends two fragments, because the host knows that a 1501-byte frame would exceed MTU. The switch drops both fragments.
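The fragmentation arithmetic behind the two ping tests above, as an added example that is not part of the original thread. It assumes a 1500-byte IP MTU and a 20-byte IPv4 header without options; the function names are hypothetical.

```python
# Added example: how a host splits `ping -s N` into IPv4 fragments.
IP_HEADER = 20    # assumption: IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header that ping adds in front of its N data bytes


def plan_fragments(ping_size, mtu=1500):
    """Return one dict per IP packet the host emits for `ping -s ping_size`."""
    total = ICMP_HEADER + ping_size            # bytes carried inside IP
    # Every fragment except the last must carry a multiple of 8 data bytes,
    # because the fragment-offset field counts in 8-byte units.
    max_data = (mtu - IP_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < total:
        length = min(max_data, total - offset)
        frags.append({
            "offset_field": offset // 8,            # value in the IP header
            "data_len": length,
            "ip_total_len": IP_HEADER + length,
            "mf": offset + length < total,          # More Fragments flag
            # Only the first fragment contains the ICMP header; later ones
            # are recognisable as ICMP only by the IP protocol number.
            "has_icmp_header": offset == 0,
        })
        offset += length
    return frags


def is_fragment(pkt):
    """True if a filter keyed on 'IP fragment' would match this packet."""
    return pkt["mf"] or pkt["offset_field"] != 0


def summarize(ping_size, mtu=1500):
    """Return (packets sent, packets that are fragments) for one echo request."""
    plan = plan_fragments(ping_size, mtu)
    return len(plan), sum(is_fragment(p) for p in plan)


if __name__ == "__main__":
    # 1472 and 1473 are the sizes from the thread; the 576-byte MTU case is a
    # constructed illustration of small fragments.
    for size, mtu in [(1472, 1500), (1473, 1500), (600, 576)]:
        print(f"ping -s {size} (MTU {mtu}): {summarize(size, mtu)}")
        for p in plan_fragments(size, mtu):
            print("   ", p)
```

With `-s 1472` the echo request is a single unfragmented 1500-byte IP packet; with `-s 1473` it becomes a 1500-byte first fragment plus a 21-byte second fragment, so the size that starts failing is exactly the size at which fragmentation starts.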
I have done some research on this issue. I found some cases that were escalated due to this issue and other similar issues. The consistent response that I have found is that the switch is "performing as designed". There is a limitation with regard to the maximum packet size for ICMP traffic. The switch will not permit ICMP packets larger than 1272 bytes. This was implemented to prevent ICMP-based DDoS attacks. Normal TCP and UDP traffic is not affected. Also, the SG200-08 has a DoS drop action for ICMP fragments.
This information comes from the development team and there is no plan to change the functionality.
If you have any questions, please call support or open a chat session at the following link:
I'm having this exact same problem. To rule out the switch, I swapped in another gigabit switch and the fragments make it across. I really just need this switch to behave like a switch. I was on the 188.8.131.52 firmware and went to 184.108.40.206 like the OP here and still have the issue.
I've heard other folks mention disabling the DoS protection, but this switch doesn't have that option in its UI.
Any other suggestions?
I can confirm in my setup too. I have two SB300-20s and a SB300-10 and a single SB200-08.
The SB200-08 fails with fragmented ping test packets for two tests:
1. ping -l 1473 <sb200-08 management ip>
2. ping -l 1473 <win7 host behind sb200-08> (both fragments are dropped in the switch)
Both these tests are successful against my SB300s.
This is a showstopper issue for SB200-08 as it introduces subtle breakages that are very hard to identify.