VFR drop-fragments

PStefanov Member Posts: 79
Hi guys,

I've got trouble understanding what the drop-fragments keyword does in the ip virtual-reassembly command. The command reference says the following:

drop-fragments (Optional) Enables the VFR to drop all fragments that arrive on the configured interface. By default, this function is disabled.

What is the point then in enabling VFR if fragments are to be dropped? It seems a bit paradoxical to me (or probably I didn't understand something).

Regards,
Pavel

Comments

  • dtlokee Member Posts: 2,378
    I would guess it's best used in cases where VFR is enabled by default (such as when you enable NAT on an interface) but you don't want the router to accept and reassemble the packets, possibly to prevent an attacker from overwhelming the router with massive numbers of fragments.
    The only easy day was yesterday!
  • PStefanov Member Posts: 79
    Thank you, dtlokee!

    After I thought about it for a while, I came to the conclusion that this command can be used instead of creating an ACL statement such as the following:

    access-list 101 deny ip any any fragments
  • Turgon Banned Posts: 6,308
    PStefanov wrote:
    Thank you, dtlokee!

    After I thought about it for a while, I came to the conclusion that this command can be used instead of creating an ACL statement such as the following:

    access-list 101 deny ip any any fragments

    Makes sense. Watch out that that ACL doesn't block everything.
  • PStefanov Member Posts: 79
    Turgon wrote:
    PStefanov wrote:
    Thank you, dtlokee!

    After I thought about it for a while, I came to the conclusion that this command can be used instead of creating an ACL statement such as the following:

    access-list 101 deny ip any any fragments

    Makes sense. Watch out that that ACL doesn't block everything.

    Oops! You're right! Excuse my mistake. The statement above only matches the non-initial fragments and ip virtual-reassembly drop-fragments matches initial and non-initial ones.
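The distinction drawn in the last reply (the ACL `fragments` keyword matching only non-initial fragments, while `ip virtual-reassembly drop-fragments` covers initial and non-initial fragments alike) is easy to see by looking at the IPv4 header bits each one keys on. The following is an added Python model written for this thread, not Cisco code and not something posted by any of the participants: it builds a few constructed IPv4 headers, decodes the More-Fragments flag and fragment offset, and classifies each header the way the thread describes the two mechanisms behaving. The function names and the sample addresses are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

# Bits of the 16-bit flags/fragment-offset field in the IPv4 header.
MF_FLAG = 0x2000        # "More Fragments"
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset, in 8-byte units


@dataclass(frozen=True)
class IPv4Header:
    ident: int
    more_fragments: bool
    fragment_offset: int  # in 8-byte units; 0 for the first (or only) piece


def build_ipv4_header(ident, more_fragments, fragment_offset_units, payload_len=8):
    """Constructed sample: a minimal 20-byte IPv4 header (UDP, checksum left at 0)."""
    flags_offset = (MF_FLAG if more_fragments else 0) | (fragment_offset_units & OFFSET_MASK)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, ident, flags_offset, 64, 17, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),  # assumed src/dst, not from the thread
    )


def parse_ipv4_header(data):
    """Decode the fields needed for fragment classification from raw header bytes."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tl, ident, flags_offset, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return IPv4Header(ident, bool(flags_offset & MF_FLAG), flags_offset & OFFSET_MASK)


def is_fragment(h):
    # Any packet that is part of a fragmented datagram: MF set, or a non-zero offset.
    return h.more_fragments or h.fragment_offset != 0


def is_initial_fragment(h):
    # First piece of a fragmented datagram: MF set, offset zero. Carries the L4 header.
    return h.more_fragments and h.fragment_offset == 0


def acl_fragments_keyword_matches(h):
    # 'deny ip any any fragments': the keyword matches non-initial fragments only
    # (offset != 0), as the thread's last reply points out.
    return h.fragment_offset != 0


def vfr_drop_fragments_drops(h):
    # 'ip virtual-reassembly drop-fragments': drops all fragments on the interface,
    # initial and non-initial, per the command reference quoted in the question.
    return is_fragment(h)


# Constructed sample traffic: one whole packet and a three-piece fragmented datagram.
SAMPLES = {
    "unfragmented":     build_ipv4_header(1, False, 0),
    "initial fragment": build_ipv4_header(2, True, 0),
    "middle fragment":  build_ipv4_header(2, True, 185),
    "last fragment":    build_ipv4_header(2, False, 370),
}


def classify_all(samples=SAMPLES):
    """Return, per sample, which of the two mechanisms would act on it."""
    result = {}
    for name, raw in samples.items():
        h = parse_ipv4_header(raw)
        result[name] = {
            "acl_fragments": acl_fragments_keyword_matches(h),
            "vfr_drop": vfr_drop_fragments_drops(h),
        }
    return result


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:17s} ACL 'fragments' deny: {verdict['acl_fragments']!s:5s} "
              f"VFR drop-fragments: {verdict['vfr_drop']}")
```

Running it shows the gap the thread converged on: the initial fragment slips past the `fragments` ACL entry but is dropped by `drop-fragments`, while the unfragmented packet is untouched by both. It also makes Turgon's caution concrete: the single `deny` line on its own, followed by the ACL's implicit deny, would leave no `permit` for the unfragmented packet either, so a real ACL needs further entries after it.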