Re: Packet fragmentation question...

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Fri Jul 07 2006 - 02:37:10 ART

• Next message: Leon van Dongen: "Re: reference sites for CCIE [7:111526]"
• Previous message: san: "Re: ip ospf database-filter all out"
• Maybe in reply to: Tony Paterra: "Packet fragmentation question..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Tony,

technically, first fragment has FO=0 (fragment offset), and M flag (more
fragments)
set to 1. I'm not aware of a simple way to filter "initial" fragments with
just
access-list. But AFAIK you can do this with 12.3(8)T new interface feature,
"ip virtual-reassembly drop-fragments".

 It seems to drop *all* the fragmented packets (including initials).

Rack1R3#show ip virtual-reassembly
Ethernet0/1:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: ON

   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:5
   Total reassembly timeout count:0

HTH

2006/7/7, Tony Paterra <apaterra@gmail.com>:
>
> All, a question on packet fragmentation... How can I deny all
> fragmented packets on an interface? My first reaction was to build an
> access list along the lines of the following...
>
> access-list 100 deny ip any any fragments
> access-list 100 permit ip any any
>
> But then when I thought about it some more... I realized that this
> would still allow initial fragments through (and then catch everything
> after it with a non-zero offset). I know how to deny non-initial
> fragments (above), but I'm not sure how to handle initial fragmented
> packets. Pardon the somewhat simple question, but what defines a
> "fragmented" packet? Is it just a packet that has a non-zero offset
> in it's L3 header (i.e. inial fragments with a zero-offset are not
> considered "fragmented")?
>
> Adios,
> --
> Tony Paterra
> apaterra@gmail.com
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

• Next message: Leon van Dongen: "Re: reference sites for CCIE [7:111526]"
• Previous message: san: "Re: ip ospf database-filter all out"
• Maybe in reply to: Tony Paterra: "Packet fragmentation question..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:46 ART