02-11-2009 09:19 AM - edited 03-04-2019 03:31 AM
I've seen this enabled by default on routers, but when would you want to disable it?
Thanks,
John
02-11-2009 09:33 AM
John
Do you mean "ip virtual-reassembly" ?
Jon
02-11-2009 09:34 AM
Yes. :)
02-11-2009 09:41 AM
Okay :-)
I don't have a list of all the features that use virtual reassembly but the 2 that spring to mind are firewalls and NAT.
Put simply, it's to do with IP fragments (apologies if I'm telling you something you already know here). When you configure "ip virtual-reassembly" it tells the router that, rather than forward the fragments on as it would normally, it needs to reassemble the packet.
Obviously one of the primary uses of this is with firewalls. So if you have the IOS stateful firewall running then you would want this enabled. Also, if you configure NAT under any interface, ip virtual-reassembly is automatically enabled as far as I know.
My understanding of it was that it was disabled by default and if a feature that needed it was turned on then it too would be automatically turned on.
Jon
02-11-2009 09:47 AM
Thanks Jon. So, are you saying that the router will hold all packets that belong to a session before forwarding to its destination in/out bound? It makes sense why it would be enabled for CBAC.
John
02-11-2009 10:25 AM
John
"So, are you saying that the router will hold all packets that belong to a session before forwarding to its destination in/out bound?"
Yes, although that does raise an interesting point. My understanding is that it does reassemble the packet to check against firewall rules etc., but that the actual fragments are what it forwards on, i.e. it only reassembles the packet for inspection, it doesn't actually reassemble it and then transmit the whole packet, hence the "virtual" bit.
Jon
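The behaviour described in the reply above (hold the fragments, inspect the rebuilt payload, then forward the original fragments), as an added Python sketch that is not part of the original thread and is not Cisco's implementation. The dict fields, `policy_allows`, the `DENY-ME` marker, the fragment cap and the byte-based offsets are assumptions made for illustration.

```python
from collections import defaultdict

def policy_allows(payload: bytes) -> bool:
    """Stand-in firewall rule (assumption): reject payloads containing a marker."""
    return b"DENY-ME" not in payload

class VirtualReassembler:
    """Simplified model: hold fragments, inspect the rebuilt payload, forward originals."""

    def __init__(self, inspect=policy_allows, max_fragments=16):
        self.inspect = inspect
        self.max_fragments = max_fragments      # cap on buffered fragments per datagram
        self.pending = defaultdict(list)        # datagram key -> fragments seen so far

    def receive(self, frag: dict):
        """Return (verdict, fragments_to_forward); verdict is hold, forward or drop."""
        key = (frag["src"], frag["dst"], frag["proto"], frag["id"])
        frags = self.pending[key]
        frags.append(frag)
        if len(frags) > self.max_fragments:     # bound memory: too many pieces
            del self.pending[key]
            return "drop", []
        payload = self._rebuild(frags)
        if payload is None:                     # still incomplete: keep holding
            return "hold", []
        del self.pending[key]
        if payload is False or not self.inspect(payload):
            return "drop", []
        return "forward", list(frags)           # original fragments, arrival order

    @staticmethod
    def _rebuild(frags):
        """Bytes when complete, None when pieces are missing, False on overlap."""
        data = b""
        for f in sorted(frags, key=lambda f: f["offset"]):
            if f["offset"] < len(data):
                return False                    # overlapping fragments
            if f["offset"] > len(data):
                return None                     # gap: an earlier fragment is missing
            data += f["data"]
            last = f
        return data if not last["mf"] else None  # mf = "more fragments" flag

def fragment(ident, offset, data, mf):
    """Build a constructed sample fragment; offsets are in bytes for readability."""
    return {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": 6,
            "id": ident, "offset": offset, "data": data, "mf": mf}
```

Feeding it two fragments whose payloads each pass `policy_allows` on their own but fail once joined shows why a firewall needs the reassembled view, while the forwarded output for an allowed datagram is still the separate fragments.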
02-11-2009 11:07 AM
Ah, well that makes even more sense :)