Re: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
On Tue, 10 Nov 2009, Gert Doering wrote:
> No. Routers will never reassemble transit traffic.

Never is a strong word. It seems ip virtual-reassembly does it. It looks like it at least reassembles them in memory and delays them before forwarding them (as fragments), judging from the debug output and counters. On a virtual 7200:

Router#show ip virtual-reassembly fa1/0
FastEthernet1/0:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF
   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:23
   Total reassembly timeout count:3

Not that you'd want to do it, but still.

-
typedef struct me_s {
  char name[]    = { Thomas Habets };
  char email[]   = { tho...@habets.pp.se };
  char kernel[]  = { Linux };
  char *pgpKey[] = { http://www.habets.pp.se/pubkey.txt; };
  char pgp[]     = { A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854 };
  char coolcmd[] = { echo '. ./_. ./_'_;. ./_ };
} me_t;

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
On 2009-11-11 12:00, Thomas Habets wrote:
> On Tue, 10 Nov 2009, Gert Doering wrote:
>> No. Routers will never reassemble transit traffic.
>
> Never is a strong word. It seems ip virtual-reassembly does it. It looks
> like it at least reassembles them in memory and delays them before
> forwarding them (as fragments), judging from the debug output and
> counters. On a virtual 7200:

Sure. But that functionality is not found on core routers, but on border routers running CBAC/ZBFW or IPS functionality, which need a whole packet to do their work on it.

As Gert noted, a fragmented IP packet is forwarded in hardware (or normally) as long as it contains valid header information.

--
Everything will be okay in the end.  | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net
Re: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
>> There is nothing special about *forwarding* fragmented packets - unless
>> you have an ACL or anything else that wants to look at Layer 4 info.
>
> That would be Netflow or some QoS policy attached to the interface, for
> instance? I guess the router should reassemble the fragmented packets
> before applying any policing on the traffic arriving on the interface...
> Am I right?

It assumes that any fragment matches clauses with L4 info, because it lacks stateful context from the first fragment to evaluate it.

Rubens
[c-nsp] IPv4 fragmented packets on SUP720-3BXL
Hi list,

I would like to know whether the SUP720-3BXL supports IPv4 fragmented packets in hardware or not. If it can be supported in hardware, in which cases would the PFC3 punt the IPv4 fragmented packets to the MSFC? Unfortunately I could not find/receive a good reference about it so far.

Thanks.
Re: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
Leonardo,

Do you mean the ability to fragment packets when traversing to smaller MTU links, or matching fragmented packets in ACLs (fragment ACL clause)? In my experience it doesn't support the former, and the latter is PFC-supported but not available on every IOS release.

Rubens

On Tue, Nov 10, 2009 at 5:31 PM, Leonardo Gama Souza leonardo.so...@nec.com.br wrote:
> Hi list,
>
> I would like to know whether the SUP720-3BXL supports IPv4 fragmented
> packets in hardware or not. If it can be supported in hardware, in which
> cases would the PFC3 punt the IPv4 fragmented packets to the MSFC?
> Unfortunately I could not find/receive a good reference about it so far.
>
> Thanks.
[c-nsp] IPv4 fragmented packets on SUP720-3BXL
Hi,

> There is nothing special about *forwarding* fragmented packets - unless
> you have an ACL or anything else that wants to look at Layer 4 info.

That would be Netflow or some QoS policy attached to the interface, for instance? I guess the router should reassemble the fragmented packets before applying any policing on the traffic arriving on the interface... Am I right?
Re: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
>> There is nothing special about *forwarding* fragmented packets - unless
>> you have an ACL or anything else that wants to look at Layer 4 info.
>
> That would be Netflow or some QoS policy attached to the interface, for
> instance?

Normal ACL or possibly a QoS policy based on an ACL.

> I guess the router should reassemble the fragmented packets before
> applying any policing on the traffic arriving on the interface... Am I
> right?

No. Each fragment is matched against the ACL on its own.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
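Steinar's point that each fragment is matched against the ACL on its own, and Rubens's follow-up that a non-initial fragment has no L4 header for an L4 clause to compare against, can be modelled in a few lines. This is an added example, not code from the thread: the `Ace`/`Packet` types and the addresses are constructed, and the rule that a permit entry with L4 info matches a non-initial fragment while a deny entry with L4 info is skipped is my reading of Cisco's documented ACL behaviour, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    dst: str                     # destination prefix or "any"
    dport: Optional[int] = None  # L4 clause (TCP/UDP port); None = L3-only entry
    fragments: bool = False      # entry written with the 'fragments' keyword

@dataclass
class Packet:
    dst: str
    dport: Optional[int]         # None: a non-initial fragment carries no L4 header
    noninitial: bool             # True for every fragment except the first

def l3_match(ace: Ace, pkt: Packet) -> bool:
    return ace.dst == "any" or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Action taken on one packet or fragment, evaluated on its own (no reassembly)."""
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:                   # 'fragments' entries only see non-initial fragments
            if pkt.noninitial:
                return ace.action
            continue
        if ace.dport is None:               # L3-only entry applies to every fragment
            return ace.action
        if pkt.noninitial:                  # L4 clause but no L4 header to compare against:
            if ace.action == "permit":      # assumed Cisco behaviour: permit entries match,
                return "permit"
            continue                        # deny entries are skipped
        if ace.dport == pkt.dport:
            return ace.action
    return "deny"                           # implicit deny at the end of every ACL

# Constructed sample policy: block telnet to one host, permit everything else to it.
WEAK_ACL = [Ace("deny", "192.0.2.10/32", dport=23), Ace("permit", "192.0.2.10/32")]
# Hardened variant: handle non-initial fragments explicitly before the L4 deny.
HARDENED_ACL = [Ace("deny", "192.0.2.10/32", fragments=True)] + WEAK_ACL

TELNET_FIRST = Packet("192.0.2.10", dport=23, noninitial=False)   # first fragment, has L4
TELNET_REST = Packet("192.0.2.10", dport=None, noninitial=True)   # later fragment, no L4

def results(acl: List[Ace]):
    """(action on first fragment, action on a non-initial fragment) for a telnet datagram."""
    return evaluate(acl, TELNET_FIRST), evaluate(acl, TELNET_REST)
```

With the weak ACL the first fragment is denied but the remaining fragments are permitted, because the L4 deny cannot be evaluated against them; the hardened ACL denies every non-initial fragment to that host, which also breaks legitimate fragmented flows to it, so fragment handling has to be an explicit policy decision rather than a side effect of L4 entries.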
Re: [c-nsp] IPv4 fragmented packets on SUP720-3BXL
Hi,

On Tue, Nov 10, 2009 at 06:20:13PM -0200, Leonardo Gama Souza wrote:
>> There is nothing special about *forwarding* fragmented packets - unless
>> you have an ACL or anything else that wants to look at Layer 4 info.
>
> That would be Netflow or some QoS policy attached to the interface, for
> instance? I guess the router should reassemble the fragmented packets
> before applying any policing on the traffic arriving on the interface...
> Am I right?

No. Routers will never reassemble transit traffic.

(Some firewall devices do, so maybe the IOS firewalling feature set will do funny things with fragments, but normal IOS will never ever reassemble packets not destined to itself.)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de