R3303-HP 6600/HSR6600 Routers Layer 3 - IP Services Configuration Guide
126
• Tiny fragment attack—If the first fragment of an incoming datagram is very small and the Layer 4
(such as TCP and UDP) header is placed into the second fragment, the datagram is considered a
tiny fragment attack.
• Overlapping fragment attack—If two consecutive incoming fragments are identical or overlap
each other, they are considered an overlapping fragment attack.
• Fragment-flood attack—If the number of concurrent reassemblies or the number of fragments per
datagram exceeds the upper limits, the reassemblies or fragments are considered a fragment-flood
attack.
Configuration guidelines
• The IP virtual fragment reassembly feature only applies to incoming packets on an interface.
• The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP
datagram cannot arrive through different interfaces.
Configuration procedure
To configure IP virtual fragment reassembly:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type interface-number N/A
3. Enable IP virtual fragment
reassembly.
ip virtual-reassembly [ drop-fragments |
max-fragments number | max-reassemblies
number | timeout seconds ] *
By default, the feature is
disabled.
Configuration example
Network requirements
As shown in Figure 53, configure devices as follows:
• Router A connects to Host and Router B.
• NAT is enabled on GigabitEthernet 3/0/2 of Router A.
• Configure IP virtual fragment reassembly on GigabitEthernet 3/0/2 of Router A.
Figure 53 Network diagram
Configuration procedure
1. Configure the host:
# Configure a route so that the Host, Router A, and Router B can communicate with each other.
(Details not shown.)
Host
10.1.1.1/8
Router A
GE3/0/1
10.1.1.2/8
Router B
GE3/0/1
11.2.2.1/8
GE3/0/2
11.2.2.2/8