Fragmentation
Fragmentation of IP packets is handled differently depending on the version of IOS running on the router. The following discusses the two options available on an IOS Firewall for handling fragmented packets:
- Without Virtual Reassembly Option: Before version 12.3(8)T, virtual reassembly of fragmented packets was not available. The router maintains a table of fragmented IP packets. It protects aggressively by dropping secondary fragments unless the first fragment has been seen. It also drops fragments that would make the total IP length greater than 65535. If there are fewer than 32 entries free in the table, the configured timeout value is internally halved, and if there are fewer than 16 entries free in the table, the timeout is set to 1 second. Fragmented packets do not undergo L4 and L7 inspection.
- With Virtual Reassembly Option: As discussed earlier, before version 12.3(8)T, CBAC could neither identify the contents of IP fragments nor gather port information from them. These limitations allowed fragments to pass through the network without being examined and without dynamic access control list (ACL) creation. From version 12.3(8)T onward, virtual fragmentation reassembly (VFR) enables the Cisco IOS Firewall to create the appropriate dynamic ACLs, thereby protecting the network from various fragmentation attacks. VFR is on by default when NAT is configured on an interface. Otherwise, you can turn it on or off with the following commands under the interface.