This feature was introduced in IOS Version 12.3(7)T.
Virtual Fragmentation Reassembly (VFR)
Before the implementation of the Virtual Fragmentation Reassembly (VFR) feature, the IOS Firewall (CBAC) could not
identify the contents of IP fragments or gather any port information from fragmented packets, because only the first
fragment carries the Layer 4 header. This shortcoming allowed all fragmented packets to bypass the firewall checks and
pass through the network without being inspected.
Before the VFR feature was available, several known fragment-type attacks could succeed. (Examples include the Tiny Fragment
attack, the Overlapping Fragment attack, and the Buffer Overflow attack that sends a large number of incomplete IP fragments
to thwart the firewall.) The VFR feature provides the capability to scan into the fragmented packets to check the connection
information and create the corresponding dynamic ACL entries, thereby protecting the network from various fragmentation
attacks.
To enable VFR, use the ip virtual-reassembly command in interface configuration mode. Example 5-6 shows how to
configure VFR with a maximum of 100 IP datagrams to be reassembled at any given time and a maximum of
20 fragments allowed per IP datagram (fragment set).
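Example 5-6 itself is not reproduced on this page. The following is an added illustration (not the book's Example 5-6 and not taken from Cisco documentation) of the interface-mode command sequence the text describes, using the same limits of 100 concurrent reassemblies and 20 fragments per datagram. The interface name FastEthernet0/0 and the Router hostname are assumed; the max-reassemblies and max-fragments keywords are the standard arguments of the ip virtual-reassembly command.

```text
! Added example, not Example 5-6 from the book.
! Enable VFR on the interface that receives fragmented traffic so that
! CBAC can see the Layer 4 information before fragments are forwarded.
Router# configure terminal
Router(config)# interface FastEthernet0/0          ! assumed interface name
Router(config-if)# ip virtual-reassembly max-reassemblies 100 max-fragments 20
Router(config-if)# end
!
! Verify that VFR is active and review the configured limits and
! fragment counters for the interface.
Router# show ip virtual-reassembly FastEthernet0/0
```

A datagram whose fragment set exceeds the max-fragments limit, or one that arrives once max-reassemblies concurrent datagrams are already being tracked, is dropped rather than passed uninspected, which is what closes the incomplete-fragment flooding case the text mentions. The command also accepts an optional timeout keyword (in seconds) that bounds how long an incomplete fragment set is held; tune it downward on interfaces exposed to untrusted networks so held fragments cannot exhaust the reassembly table.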