Any specific/optimal values for max-fragments and max-reassemblies if doing "ip virtual-reassembly" on the interface?
From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, June 18, 2012 11:41 PM
To: Johan Bornman
Cc: CCIE Security
Subject: Re: [OSL | CCIE_Security] Protecting Against Fragmentation Attacks

Use the following logic with CBAC

ip inspect name fw fragment maximum - for outbound
ip virtual-reassembly - for inbound

With regards
Kings

On Tue, Jun 19, 2012 at 9:10 AM, Johan Bornman <[email protected]> wrote:

Anthony,

Thanks for your daily bit on the challenge. I am following it as I will also do my lab around the same time.

I am under the impression that virtual-reassembly always has to be applied to the "outside" int when CBAC and ZBF are used. Is this correct? I am busy with a VII IPEXPERT lab where this was not done.

Thanks
Johan

From: [email protected] [mailto:[email protected]] On Behalf Of Anthony Sequeira
Sent: 18 June 2012 03:33 PM
To: [email protected]
Cc: CCIE Security
Subject: Re: [OSL | CCIE_Security] Protecting Against Fragmentation Attacks

I did not test standalone and saw no documentation that led me to believe it would work standalone.

From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Monday, June 18, 2012 7:55 AM
To: Anthony Sequeira
Cc: CCIE Security
Subject: Re: [OSL | CCIE_Security] Protecting Against Fragmentation Attacks

Hi Anthony.

Mentioning ip virtual-reassembly as a part of CBAC/ZBF, did you actually test this as a standalone feature or did you always use it as a part of your CBAC/ZBF configuration?

Cheers
A.

On 6/18/2012 12:22 PM, Anthony Sequeira wrote:

Here is a post I did today on this topic.

http://blog.ipexpert.com/2012/06/17/ccie-security-challenge---day-22-of-120---fragment-attacks/<http://blog.ipexpert.com/2012/06/17/ccie-security-challenge-%E2%80%93-day-22-of-120-%E2%80%93-fragment-attacks/>

See anything I am missing?

Thanks in advance!
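
Added example, not part of any message in this thread and not Cisco's implementation: a simplified Python model of the state table that the max-reassemblies, max-fragments and timeout limits bound, showing which limit drops which kind of fragment traffic. The class name, return strings, addresses and the small limit values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualReassembly:
    """Simplified per-interface fragment state table (a model, not IOS code)."""
    max_reassemblies: int   # datagrams that may be in reassembly at once
    max_fragments: int      # fragments allowed per datagram
    timeout: float          # seconds a partial datagram may wait
    table: dict = field(default_factory=dict)  # key -> (first_seen, {offset: (len, MF)})

    def receive(self, now, src, dst, proto, ip_id, offset, length, more_fragments):
        # Age out partial datagrams that exceeded the timeout.
        self.table = {k: v for k, v in self.table.items() if now - v[0] < self.timeout}
        key = (src, dst, proto, ip_id)
        if key not in self.table:
            if len(self.table) >= self.max_reassemblies:
                return "drop: max-reassemblies"
            self.table[key] = (now, {})
        frags = self.table[key][1]
        if offset not in frags and len(frags) >= self.max_fragments:
            del self.table[key]  # model choice: discard the whole partial datagram
            return "drop: max-fragments"
        frags[offset] = (length, more_fragments)
        if self._complete(frags):
            del self.table[key]
            return "complete"
        return "held"

    @staticmethod
    def _complete(frags):
        expected = 0
        for off in sorted(frags):
            length, more = frags[off]
            if off != expected:      # gap or overlap: not a clean datagram
                return False
            expected = off + length
            if not more:             # contiguous up to the last fragment
                return True
        return False

def demo():
    vfr = VirtualReassembly(2, 3, 3.0)  # constructed sample limits and traffic
    flow = ("10.0.0.1", "10.0.0.9", 17)
    out = [vfr.receive(0.0, *flow, 1, 1480, 520, False),   # arrives out of order
           vfr.receive(0.1, *flow, 1, 0, 1480, True)]
    out += [vfr.receive(0.2, *flow, 7, 8 * i, 8, True) for i in range(1, 5)]
    out += [vfr.receive(1.0, *flow, n, 0, 8, True) for n in (100, 101, 102)]
    out.append(vfr.receive(5.0, *flow, 102, 0, 8, True))   # old entries timed out
    return out
```

In the model, a legitimate out-of-order datagram completes, a run of small fragments on one IP ID hits max-fragments, and many unfinished datagrams hit max-reassemblies until the timeout frees slots, which is the trade-off to weigh against the fragment counts of real traffic when picking values.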
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
