[c-nsp] ip virtual-reassembly drop-fragments

Juergen Marenda cnsp at marenda.net
Fri Jun 3 02:32:18 EDT 2016


Ok, I found a document stating that "ip virtual..." is good for DDoS
prevention
http://blog.ine.com/2008/11/05/dealing-with-fragmented-traffic/
and does not help in reassembling in a memory-efficient way,
which is what I learned from reading the Cisco doc when I first saw that command
appearing on my routers' configs.
Maybe this is an evolution of functionality.

Nevertheless,
having it active on route-only routers (without "drop-fragments")
does have a (massive) negative impact on the traffic between
(for example) the firewalls behind those routers
using IPsec tunnels (sending IP/ESP packets, often fragmented)
(PMTU does not help since that is no IP/TCP traffic).

Seeing this (also in setups with no connection to the Internet, so "DDoS" is
not there)
brought me to the recommendation to disable that feature.

Sorry for any confusion I may have created,

Juergen.
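For readers who want to see what the recommendation above looks like in an IOS interface configuration, here is an added example (not from the original post or from Cisco documentation): the first block is the setting the poster describes as harmful for fragmented ESP traffic on a route-only router, the second is the same interface with the feature disabled. The interface name, addressing and the `show` command used for verification are assumptions for illustration.

```cisco
! --- Before: virtual reassembly active on a transit (route-only) interface.
! Fragmented IP/ESP packets between the firewalls behind this router are
! buffered for reassembly here; PMTU discovery cannot help because ESP is
! not TCP, so the tunnel traffic suffers (the "massive negative impact"
! described in the post).
interface GigabitEthernet0/1
 description transit link to firewall segment (hypothetical)
 ip address 192.0.2.1 255.255.255.252
 ip virtual-reassembly
!
! --- After: the recommendation from the post for a router that only
! routes and does no inspection/NAT on this interface.
interface GigabitEthernet0/1
 description transit link to firewall segment (hypothetical)
 ip address 192.0.2.1 255.255.255.252
 no ip virtual-reassembly
!
! Verification (assumed command; check on your IOS release):
! show ip virtual-reassembly GigabitEthernet0/1
```

Before removing the feature, confirm that nothing on the interface actually depends on reassembled packets (features such as inspection or NAT enable it implicitly on some IOS releases); if it was only present because a feature added it earlier, removing it on a pure transit interface matches the post's advice.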


