Virtual Fragmentation Reassembly (VFR)
Before the implementation of the Virtual Fragmentation Reassembly (VFR) feature, the IOS Firewall (CBAC) could not
identify the contents of the IP fragments or gather any port information from the fragmented packets. This shortcoming
allowed all fragmented packets to bypass the firewall checks and get through the network without being inspected.
Before the VFR feature was available, several known fragment-type attacks could succeed. (Examples include the Tiny Fragment
attack, the Overlapping Fragment attack, and the Buffer Overflow attack that sends a large number of incomplete IP fragments
to confuse the firewall.) The VFR feature provides the capability to look into the fragmented packets to examine the connection
information and create the corresponding dynamic ACL entries, thereby protecting the network from various fragmentation
attacks.
To enable VFR, use the ip virtual-reassembly command from the interface configuration mode. Example 5-6 shows how to
configure VFR with a maximum number of 100 IP datagrams to be reassembled at any given time and a maximum number
of 20 fragments allowed per IP datagram (fragment set). The timeout of 5 seconds specifies that if all the fragment packets
are not received within the specified time, the IP datagram and all its fragments will be dropped.
This feature was introduced in IOS Version 12.3(8)T.
Example 5-6. Virtual Fragmentation Reassembly (VFR) Configuration Example
interface Fastethernet0/0
ip audit
ip virtual-reassembly max-reassemblies 100 max-fragments 20 timeout 5
!
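The following Python sketch is an added example, not code from the original text or from Cisco. It models how the three limits in Example 5-6 bound the state kept for fragment sets and where an overlapping fragment is caught. The class, method names, verdict strings and the sample flow are assumptions made for illustration.

```python
class VirtualReassembler:
    """Simplified model of VFR bookkeeping on one interface (not Cisco's code)."""

    def __init__(self, max_reassemblies=100, max_fragments=20, timeout=5):
        self.max_reassemblies = max_reassemblies  # concurrent fragment sets
        self.max_fragments = max_fragments        # fragments per datagram
        self.timeout = timeout                    # seconds to complete a set
        self.sets = {}  # (src, dst, ip_id, proto) -> state of one fragment set

    def _drop(self, key, reason):
        self.sets.pop(key, None)  # discard the datagram and all held fragments
        return "drop: " + reason

    def receive(self, now, key, offset, length, more_fragments):
        """Record one fragment (offset/length in bytes) and return a verdict."""
        # Timeout: a set not completed within the window is dropped whole.
        for k in [k for k, s in self.sets.items() if now - s["first"] > self.timeout]:
            del self.sets[k]
        fs = self.sets.get(key)
        if fs is None:
            if len(self.sets) >= self.max_reassemblies:
                return self._drop(key, "max-reassemblies exceeded")
            fs = self.sets[key] = {"first": now, "spans": [], "total": None}
        if len(fs["spans"]) >= self.max_fragments:
            return self._drop(key, "max-fragments exceeded")
        end = offset + length
        if any(offset < e and s < end for s, e in fs["spans"]):
            return self._drop(key, "overlapping fragment")
        fs["spans"].append((offset, end))
        if not more_fragments:
            fs["total"] = end  # the last fragment fixes the datagram length
        # Complete when the spans run from byte 0 to the end with no holes.
        spans = sorted(fs["spans"])
        holes = spans[0][0] != 0 or any(a[1] != b[0] for a, b in zip(spans, spans[1:]))
        if fs["total"] == spans[-1][1] and not holes:
            del self.sets[key]
            return "complete: inspect"
        return "hold"


def demo():
    # Constructed flow: documentation addresses, made-up IP ID, protocol 6 (TCP).
    key = ("192.0.2.10", "198.51.100.5", 0x1234, 6)
    vfr = VirtualReassembler(max_reassemblies=100, max_fragments=20, timeout=5)
    return [vfr.receive(0.0, key, 0, 16, True),    # first fragment held
            vfr.receive(0.1, key, 8, 16, False)]   # overlaps bytes 8-15


if __name__ == "__main__":
    print(demo())
```

Only a datagram that reaches the "complete: inspect" verdict would be handed to the firewall's inspection; everything else is held or dropped, which is why the three limits also cap the memory an incomplete-fragment flood can consume.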