Table of Contents

1 Virtual Fragment Reassembly Configuration
    Overview
    Configuring Virtual Fragment Reassembly
    Displaying and Maintaining Virtual Fragment Reassembly
    Virtual Fragment Reassembly Configuration Example

1 Virtual Fragment Reassembly Configuration

When configuring virtual fragment reassembly, go to these sections for information you are interested in:
- Overview
- Configuring Virtual Fragment Reassembly

Overview

To prevent each service module (such as IPSec, NAT and firewall) from having to process packet fragments that arrive out of order, you can enable the virtual fragment reassembly feature. It virtually reassembles the fragments of a datagram through fragment checking, sequencing and caching, so that the fragments reach each service module in order.

The virtual fragment reassembly feature can also detect the following types of fragment attacks and discards the attacking fragments for security:
- Tiny fragment attack: the first fragment of a datagram is very small and the Layer 4 (TCP or UDP) header is carried in the second fragment.
- Overlapping fragment attack: two consecutive incoming fragments are identical.
- Fragment-flood attack: the maximum number of concurrent reassemblies or the maximum number of fragments per datagram is reached.
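As an added illustration (not from this configuration guide or the vendor's implementation), the following Python model applies the three checks described above, plus the sequencing step, to a constructed stream of IPv4 fragments. The threshold values, the "identical to the previous fragment" overlap rule and the minimum TCP/UDP header sizes are assumptions, since the page states no defaults.

```python
from dataclasses import dataclass

# Thresholds stand in for the max-reassemblies / max-fragments keywords on the
# page; the page does not state the defaults, so these values are constructed.
MAX_REASSEMBLIES = 2
MAX_FRAGMENTS = 4
L4_HEADER_LEN = {6: 20, 17: 8}  # minimum TCP / UDP header size in bytes

@dataclass(frozen=True)
class Fragment:
    key: tuple    # (src, dst, ident, proto) identifies the datagram
    proto: int    # IP protocol number (6 = TCP, 17 = UDP)
    offset: int   # byte offset (Fragment Offset field * 8)
    more: bool    # MF flag
    length: int   # payload bytes carried by this fragment

def covers_whole_datagram(frags):
    # Sequencing step: bytes 0..end must be covered with no gap, ending at MF=0.
    frags = sorted(frags, key=lambda f: f.offset)
    end = 0
    for f in frags:
        if f.offset > end:        # gap: a fragment is still missing
            return False
        end = max(end, f.offset + f.length)
    return not frags[-1].more     # last piece (MF=0) has arrived

class VirtualReassembler:
    def __init__(self):
        self.cache = {}  # datagram key -> fragments received so far

    def check(self, frag):
        # Tiny fragment: first fragment too short to hold the L4 header.
        if frag.offset == 0 and frag.more and frag.length < L4_HEADER_LEN.get(frag.proto, 0):
            return "tiny-fragment"
        cached = self.cache.get(frag.key)
        if cached is None:
            if len(self.cache) >= MAX_REASSEMBLIES:   # flood: too many reassemblies
                return "fragment-flood"
            cached = self.cache[frag.key] = []
        else:                                          # overlap: identical to previous
            if (cached[-1].offset, cached[-1].length) == (frag.offset, frag.length):
                return "overlapping-fragment"
            if len(cached) >= MAX_FRAGMENTS:           # flood: too many per datagram
                return "fragment-flood"
        cached.append(frag)
        if covers_whole_datagram(cached):
            del self.cache[frag.key]  # datagram handed on, in order, to the service modules
            return "complete"
        return "cached"
```

Each call to `check` returns the verdict for one fragment; a real implementation would additionally expire cached datagrams after the `timeout` interval, which this model omits.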
Configuring Virtual Fragment Reassembly

Follow these steps to configure virtual fragment reassembly:

1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Enable virtual fragment reassembly.
   Command: ip virtual-reassembly [ drop-fragments | max-fragments number | max-reassemblies number | timeout seconds ] *
   Remarks: Required. By default, the feature is disabled.

Notes:
- The virtual fragment reassembly feature applies only to incoming packets on an interface.
- The virtual fragment reassembly feature does not support load sharing, that is, the fragments of one IP datagram cannot arrive through different interfaces.

Displaying and Maintaining Virtual Fragment Reassembly

Table 1-1 Display and maintain virtual fragment reassembly
To do: Display information about virtual fragment reassembly on the interface(s)
Use the command: display ip virtual-reassembly [ interface interface-type interface-number ]
Remarks: Available in any view

Virtual Fragment Reassembly Configuration Example

Network requirements

As shown in Figure 1-1, Router A connects to Host and Router B. NAT is enabled on GigabitEthernet 1/2 of Router A. Configure virtual fragment reassembly on GigabitEthernet 1/1 of Router A.

Figure 1-1 Network diagram for virtual fragment reassembly

Configuration procedure

1) Configure the host.
# Configure a static route to Router B. (Omitted)

2) Configure Router A.
# Configure NAT and virtual fragment reassembly.
<RouterA> system-view
[RouterA] nat static 10.1.1.1 11.2.2.3
[RouterA] interface gigabitethernet 1/2
[RouterA-GigabitEthernet1/2] nat outbound static
[RouterA-GigabitEthernet1/2] interface gigabitethernet 1/1
[RouterA-GigabitEthernet1/1] ip virtual-reassembly

With the virtual fragment reassembly feature enabled, Router A checks, sequences, and caches fragments that arrive out of order at GigabitEthernet 1/1. You can use the display ip virtual-reassembly command to view related information.