VFR drop-fragments
Hi guys,
I've got trouble understanding what the drop-fragments keyword does in the ip virtual-reassembly command. The command reference says the following:
drop-fragments (Optional) Enables the VFR to drop all fragments that arrive on the configured interface. By default, this function is disabled.
What is the point then in enabling VFR if fragments are to be dropped? It seems a bit paradoxical to me (or probably I didn't understand something).
Regards,
Pavel
Comments
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
I would guess it's best used in cases where VFR is enabled by default (such as when you enable NAT on an interface) but you don't want the router to accept and reassemble the packets, possibly to prevent an attacker from overwhelming the router with massive numbers of fragments.
The only easy day was yesterday!
-
PStefanov Member Posts: 79 ■■□□□□□□□□
Thank you, dtlokee!
After I thought about it for a while, I came to the conclusion that this command can be used instead of creating an ACL statement such as the following:
access-list 101 deny ip any any fragments
-
Turgon Banned Posts: 6,308 ■■■■■■■■■□
PStefanov wrote:
Thank you, dtlokee!
After I thought about it for a while, I came to the conclusion that this command can be used instead of creating an ACL statement such as the following:
access-list 101 deny ip any any fragments
Makes sense. Watch out that that ACL doesn't block everything.
-
PStefanov Member Posts: 79 ■■□□□□□□□□
Turgon wrote:
PStefanov wrote:
Thank you, dtlokee!
After I thought about it for a while, I came to the conclusion that this command can be used instead of creating an ACL statement such as the following:
access-list 101 deny ip any any fragments
Makes sense. Watch out that that ACL doesn't block everything.
Oops! You're right! Excuse my mistake. The statement above only matches the non-initial fragments and ip virtual-reassembly drop-fragments matches initial and non-initial ones.
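The difference the thread ends on (an ACL entry with the fragments keyword matches only non-initial fragments, i.e. fragment offset greater than zero, while ip virtual-reassembly drop-fragments drops initial fragments as well) comes down to two fields in the IPv4 header: the 13-bit fragment offset and the MF (more fragments) flag. The following is an added example, not code from the thread or from Cisco. It builds a fragmented UDP datagram and an unfragmented packet inline (constructed sample traffic), classifies each packet from those header fields, and models the two policies as simple predicates; the predicates are an assumption-free restatement of the behaviour described in the thread, not an implementation of IOS.

```python
"""Classify IPv4 fragments and compare two drop policies (added example)."""
import ipaddress
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"   # 20-byte header, no options


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, ident, more_fragments, frag_offset, payload, proto=17):
    """Build one IPv4 packet; frag_offset is in 8-byte units, as on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack(IPV4_HEADER, *fields))
    return struct.pack(IPV4_HEADER, *fields) + payload


def fragment_datagram(src, dst, ident, payload, mtu=1500, proto=17):
    """Split one datagram into fragments for the given MTU (no IP options)."""
    chunk = (mtu - 20) // 8 * 8   # every fragment but the last carries a multiple of 8 bytes
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(build_packet(src, dst, ident, more, off // 8, piece, proto))
    return frags


def fragment_offset(packet: bytes) -> int:
    return struct.unpack("!H", packet[6:8])[0] & 0x1FFF


def more_fragments(packet: bytes) -> bool:
    return bool(struct.unpack("!H", packet[6:8])[0] & 0x2000)


def header_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ip_checksum(packet[:ihl]) == 0


def classify(packet: bytes) -> str:
    """'unfragmented', 'initial' (offset 0 with MF set) or 'non-initial' (offset > 0)."""
    if fragment_offset(packet):
        return "non-initial"
    return "initial" if more_fragments(packet) else "unfragmented"


def acl_deny_fragments(packet: bytes) -> bool:
    """Model of 'access-list 101 deny ip any any fragments': non-initial fragments only."""
    return classify(packet) == "non-initial"


def vfr_drop_fragments(packet: bytes) -> bool:
    """Model of 'ip virtual-reassembly drop-fragments': every fragment, initial or not."""
    return classify(packet) != "unfragmented"


def compare(packets):
    """How many of the packets each policy would drop."""
    return {
        "acl_fragments_dropped": sum(acl_deny_fragments(p) for p in packets),
        "vfr_drop_fragments_dropped": sum(vfr_drop_fragments(p) for p in packets),
        "total": len(packets),
    }


# Constructed sample traffic: a 3000-byte UDP datagram fragmented for a 1500-byte
# MTU (three fragments) plus one small unfragmented packet. Addresses are made up.
SAMPLE_PACKETS = (
    fragment_datagram("10.0.0.5", "192.0.2.10", 0x1234, b"A" * 3000)
    + [build_packet("10.0.0.5", "192.0.2.10", 0x1235, False, 0, b"B" * 100)]
)

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"offset={fragment_offset(p):4d} MF={int(more_fragments(p))} "
              f"{classify(p):12s} acl-fragments:{acl_deny_fragments(p)} "
              f"vfr-drop-fragments:{vfr_drop_fragments(p)}")
    print(compare(SAMPLE_PACKETS))
```

The initial fragment (offset 0, MF set) is the only piece of the datagram that carries the layer-4 header; the ACL entry lets it through and the router still has to hold it while waiting for the rest, which is exactly the resource cost dtlokee's reply describes. drop-fragments refuses that first piece too, so nothing is ever queued for reassembly on that interface.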