[c-nsp] ip virtual-reassembly drop-fragments

Juergen Marenda cnsp at marenda.net
Fri Jun 3 02:32:18 EDT 2016

Ok, i found a document stating that "ip virtual..." is good for DDOS
and does not help in reassembling in memory-efficient way 
what I learned from reading Cisco-doc when I first saw that command
appearing on my router's configs.
May be that this is evolution of functionality.

having it active on route-only routers (without "drop-fragments")
does have (massive) negative impact on the traffic between 
(for example) the firwalls behind those routers
using ipsec-tunnels (sending ip/esp packets, often fragmented )
(PMTU does not help since that is no ip/tcp traffic).

Seeing this (also in setups with no connection to the internet so "DDOS" is
not there) 
brought me to the recommendation to disable that feature.

Sorry for any confusion I may have created,


More information about the cisco-nsp mailing list