[c-nsp] ip virtual-reassembly

John Ferlito johnf at beagle.com.au
Mon Oct 24 19:20:36 EDT 2005


On Mon, Oct 24, 2005 at 11:35:56AM -0400, Dave Temkin wrote:
> Is anyone aware why this was added in more recent (12.3T) IOS versions?
> Was this a feature that was enabled behind the scenes before and they just
> added a command for it, or is it new functionality?  It now gets put on an
> interface that you place "ip nat inside" or "outside" on.
> 
> 
> All of the documentation I can find makes it sound like you only need it
> if you're doing NAT and CBAC or IOS Firewall together, and not just NAT by
> itself.  I see it causing about a 15% performance hit if I leave it
> enabled.

I turn it off on all our customer CPE as it tends to cause issues with
reordered fragments. 

If you receive fragment 2 first, the router marks this as being from
public to public since it has no TCP header to reference. The first fragment then
comes in and gets marked as being from public to private. The two
fragments then never get put back together as it looks like they are
from different packets.

You would think this wouldn't be a huge problem but we were seeing
sites that were consistently doing the above. 

There is a document in the TAC that explains why the above happens,
can't find it at the moment. I suppose if the reassembly happened and
then the packet got pushed through the NAT code it would fix the
problem but maybe that's not possible.

-- 
John Ferlito
Director
Beagle Internet
ph:  +61 (0) 2 9808 2547
fax: +61 (0) 2 9877 5355
mob: +61 (0) 410 519 382
http://www.beagle.com.au/
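The fragment-ordering failure described in the reply above, as an added toy model in Python (not code from the original post or from IOS): the NAT table, the addresses, the Fragment class and the per-IP-ID classification cache are constructed assumptions that mimic the behaviour John describes, so the effect of reordering, and of reassembling before NAT, can be seen side by side.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed NAT table: (outside dst, dst port, outside src, src port) -> inside host
NAT_TABLE = {("203.0.113.5", 80, "198.51.100.9", 40000): "10.0.0.7"}

@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int                      # 0 marks the first fragment
    more: bool                       # IP "more fragments" flag
    tcp_sport: Optional[int] = None  # L4 header is only in the first fragment
    tcp_dport: Optional[int] = None

def classify(frag: Fragment, cache: dict) -> str:
    """Toy NAT direction decision (assumption, not the IOS algorithm).
    The first fragment carries the TCP ports, so it can be matched against
    the translation table and the result is remembered per (src, dst, ip_id).
    A later fragment has no ports; if its first fragment has not been seen
    yet, nothing matches and it is treated as public->public."""
    key = (frag.src, frag.dst, frag.ip_id)
    if frag.offset == 0:
        nat_key = (frag.dst, frag.tcp_dport, frag.src, frag.tcp_sport)
        cache[key] = "public->private" if nat_key in NAT_TABLE else "public->public"
        return cache[key]
    return cache.get(key, "public->public")

def reassembles(frags, classify_before_reassembly: bool) -> bool:
    """True if all fragments of a packet land in one reassembly bucket.
    Buckets are keyed by the direction NAT assigned, so a mis-classified
    fragment is filed separately and the packet never completes."""
    cache, buckets = {}, {}
    for f in frags:
        direction = classify(f, cache) if classify_before_reassembly else "any"
        buckets.setdefault((f.src, f.dst, f.ip_id, direction), []).append(f)
    return any(any(f.offset == 0 for f in b) and any(not f.more for f in b)
               for b in buckets.values())

# Constructed sample: one TCP segment split into two IP fragments.
FIRST = Fragment("198.51.100.9", "203.0.113.5", 0x1234, 0, True, 40000, 80)
SECOND = Fragment("198.51.100.9", "203.0.113.5", 0x1234, 185, False)

if __name__ == "__main__":
    print("in order, NAT first:        ", reassembles([FIRST, SECOND], True))   # True
    print("reordered, NAT first:       ", reassembles([SECOND, FIRST], True))   # False
    print("reordered, reassemble first:", reassembles([SECOND, FIRST], False))  # True
```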