[c-nsp] ip virtual-reassembly drop-fragments

Juergen Marenda cnsp at marenda.net
Fri Jun 3 02:00:08 EDT 2016

Reassembling ipv4 pakets inside the router is only needed for fragmented
packets with the router as destination; in the ipv4 world, the target host
is responsible for reassembling the fragmented pakets,
even when this happens on a router between an not on the source host.

(for example, if an ipsec encapsulated packet got too big with the
additional infos, the destination router which will de-ipsec it must first
reassemble it. (global settable ipsec behavior)
On GRE-Tunnels, the ip fragments will be delivered to the destination host,
which must reassemble it.

To help with fragment-ddos, configuring a mechanism not involed will not
so you may want to use ACLs or the IOS firewall. See for example 


(not special for GRE even when the name suggests it)


-----Ursprüngliche Nachricht-----
Von: Satish Patel [mailto:satish.txt at gmail.com] 
Gesendet: Freitag, 3. Juni 2016 03:01
An: cnsp at marenda.net
Cc: Nick Hilliard; Cisco Network Service Providers
Betreff: Re: AW: [c-nsp] ip virtual-reassembly drop-fragments

Sorry typo it was "Internet"

We are getting many IP fragment DDoS so I was planning to use on outside
interface to drop all IP fragmented packet. 

Sent from my iPhone

> On Jun 2, 2016, at 10:44 AM, Juergen Marenda <cnsp at marenda.net> wrote:
> Satish Patel wrote:
>> is it safe to put on internap facing interface?
>> ip virtual-reassembly drop-fragments
> what's an "internap"?
> s/ap/et/
> Yes it is safe, but
> "no ip virtual-reassembly"
> is the best thing you can do, on every interface, and look form time 
> to time and after reloads weather it reappears.
> "virtual-reassembly" should "reassembly" fragments (in a special, 
> memory conserving way) So dropping fragments in that context must be 
> an april's first joke.
> Having too few resources,
> the theoretically good idea behind "virtual-reassembly" does not work 
> very well (in practice) esp. when it should be usefull.
> Using the "no" form on every interface where it appears automagically 
> When you configure nat, crypto, ... did help us to solve many problems.
> Juergen.

More information about the cisco-nsp mailing list