[c-nsp] ip virtual-reassembly drop-fragments

Satish Patel satish.txt at gmail.com
Thu Jun 2 21:00:56 EDT 2016

Sorry typo it was "Internet"

We are getting many IP fragment DDoS so I was planning to use on outside interface to drop all IP fragmented packet. 

Sent from my iPhone

> On Jun 2, 2016, at 10:44 AM, Juergen Marenda <cnsp at marenda.net> wrote:
> Satish Patel wrote:
>> is it safe to put on internap facing interface?
>> ip virtual-reassembly drop-fragments
> what's an "internap"?
> s/ap/et/
> Yes it is safe, but
> "no ip virtual-reassembly"
> is the best thing you can do, on every interface, 
> and look form time to time and after reloads weather it reappears.
> "virtual-reassembly" should "reassembly" fragments (in a special, memory
> conserving way)
> So dropping fragments in that context must be an april's first joke.
> Having too few resources, 
> the theoretically good idea behind "virtual-reassembly" does not work very
> well (in practice) 
> esp. when it should be usefull.
> Using the "no" form on every interface where it appears automagically
> When you configure nat, crypto, ... did help us to solve many problems.
> Juergen.

More information about the cisco-nsp mailing list