Virtual Fragment Reassembly

IP fragmentation is rarely useful in practice and is abused in a number of network attacks: a firewall (or intrusion detection system, IDS) that inspects fragments one at a time never sees the complete packet, so a malicious payload split across several fragments can traverse the firewall without being matched by any rule or signature.

Virtual Fragment Reassembly (VFR), also known as IP Virtual Reassembly, is a feature of the Cisco IOS Firewall (some other vendors’ devices offer an equivalent) that makes the device collect and inspect all fragments of a datagram before any of them is allowed to pass.

Why is it called Virtual?
The fragments are never actually merged into a single packet. The device holds the fragments until all of them have arrived, inspects the datagram as a whole (without rebuilding it), and then forwards or drops the original fragments accordingly.

Important Points to Consider
1. Virtual Fragment Reassembly (VFR) should only be enabled on routers that sit on a symmetric path. A router on an asymmetric path will not see every fragment of a datagram, so the datagram can never be virtually reassembled and inspected.
2. On routers that carry very high traffic volumes, VFR can noticeably affect performance because of the state kept while fragments are tracked and the inspection that follows once they have all arrived.
3. Enabling NAT on an interface automatically enables VFR on that interface, so the performance consideration above applies to NAT interfaces as well.

Syntax

ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]

Configuration

[Figure: Virtual Fragment Reassembly configuration]

The max-reassemblies keyword sets how many datagrams the router will track for reassembly at the same time. The max-fragments keyword sets how many fragments a single datagram may consist of, and the timeout keyword sets how long the router waits for all fragments of a datagram to arrive on the interface; a datagram that exceeds the fragment limit or the timeout is dropped. Together these limits bound the memory an attacker can tie up by sending deliberately incomplete fragment sets, which is the one resource-exhaustion risk that holding fragments introduces.

The drop-fragments keyword makes the router discard every fragmented packet on that interface instead of reassembling it. Use it only where fragments are never legitimate, since it also drops benign fragmented traffic.
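A worked configuration, added here as an illustration and not taken from the original page: a router on a symmetric path with VFR tuned on its untrusted interface and fragments refused outright on a management interface, followed by the show command that displays VFR state per interface. The interface names, addresses and the chosen limits are assumptions made for the example.

```cisco
! Added example (not from the original page). Interface names, addresses and
! limit values are assumptions chosen for illustration.
!
! Untrusted interface on a symmetric path: hold fragments and inspect the
! datagram as a whole before forwarding.
interface GigabitEthernet0/0
 description Outside (untrusted) - symmetric path, VFR tuned
 ip address 203.0.113.1 255.255.255.0
 ! Track at most 32 datagrams at once, allow at most 32 fragments per
 ! datagram, and discard a datagram whose fragments have not all arrived
 ! within 5 seconds. These bound the state an incomplete-fragment flood
 ! can consume.
 ip virtual-reassembly max-reassemblies 32 max-fragments 32 timeout 5
!
! Management interface where fragmented traffic is never legitimate:
! drop every fragment instead of reassembling.
interface GigabitEthernet0/1
 description Management - fragments never expected
 ip address 192.0.2.1 255.255.255.0
 ip virtual-reassembly drop-fragments
!
end
!
! Verify that VFR is active and inspect its per-interface counters.
show ip virtual-reassembly GigabitEthernet0/0
```

If NAT is later enabled on GigabitEthernet0/0, VFR remains in effect there regardless of the explicit command, so the limits above still apply; keep the symmetric-path requirement in mind when choosing which interfaces get the feature.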
