Purpose of ip virtual assembly

Answered Question
Feb 11th, 2009

I've seen this enabled by default on routers, but when would you want to disable it?


Thanks,


John

Jon Marshall Wed, 02/11/2009 - 09:33

John


Do you mean "ip virtual-reassembly" ?


Jon

Correct Answer
Jon Marshall Wed, 02/11/2009 - 09:41

Okay :-)


I don't have a list of all the features that use virtual reassembly but the 2 that spring to mind are firewalls and NAT.


Put simply, it's to do with IP fragments (apologies if I'm telling you something you already know here). When you configure "ip virtual-reassembly" it tells the router that, rather than forward the fragments on as it would normally, it needs to reassemble the packet.


Obviously one of the primary uses of this is with firewalls. So if you have the IOS stateful firewall running then you would want this enabled. Also if you configure NAT under any interface, ip virtual-reassembly is automatically enabled as far as I know.


My understanding of it was that it was disabled by default and if a feature that needed it was turned on then it too would be automatically turned on.


Jon

John Blakley Wed, 02/11/2009 - 09:47

Thanks Jon. So, are you saying that the router will hold all packets that belong to a session before forwarding to its destination in/out bound? It makes sense why it would be enabled for CBAC.


John

Jon Marshall Wed, 02/11/2009 - 10:25

John


"So, are you saying that the router will hold all packets that belong to a session before forwarding to its destination in/out bound?"


Yes, although that does raise an interesting point. My understanding is that it does reassemble the packet to check against firewall rules etc. but that the actual fragments are what it forwards on, i.e. it only reassembles the packet for inspection, it doesn't actually reassemble it and then transmit the whole packet, hence the "virtual" bit.


Jon

John Blakley Wed, 02/11/2009 - 11:07

Ah, well that makes even more sense :)
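
The behaviour described in the thread above (fragments are held and reassembled only for inspection, then the original fragments are forwarded) as a simplified Python model. This is an added example, not part of the original thread and not Cisco's implementation. The class and function names, the `max_fragments` limit, byte-based offsets and the sample fragments are assumptions constructed for illustration.

```python
from collections import namedtuple

# offset is in bytes here (real IP counts in 8-byte units); more = "more fragments" flag
Fragment = namedtuple("Fragment", "src dst ip_id offset more payload")

class VirtualReassembler:
    """Hold fragments, inspect the rebuilt payload, forward the original fragments."""
    def __init__(self, permit, max_fragments=16):
        self.permit = permit                # callable(bytes) -> bool
        self.max_fragments = max_fragments  # hypothetical per-datagram state limit
        self.pending = {}                   # (src, dst, id) -> held fragments

    def receive(self, frag):
        """Return fragments to forward now; [] while holding or after a drop."""
        key = (frag.src, frag.dst, frag.ip_id)
        held = self.pending.setdefault(key, [])
        held.append(frag)
        if len(held) > self.max_fragments:
            del self.pending[key]           # too many pieces: drop the datagram
            return []
        held.sort(key=lambda f: f.offset)
        data = self._rebuild(held)
        if data is None:
            return []                       # incomplete: keep holding
        del self.pending[key]
        return held if self.permit(data) else []

    @staticmethod
    def _rebuild(ordered):
        """Full payload, or None when the tail is missing or pieces do not line up."""
        data = b""
        for f in ordered:
            if f.offset != len(data):       # gap or overlap
                return None
            data += f.payload
        return None if ordered[-1].more else data

def run(frags, permit):
    """Feed fragments through a fresh model; return the payloads forwarded."""
    vr = VirtualReassembler(permit)
    return [f.payload for frag in frags for f in vr.receive(frag)]

# Constructed sample: a rule that no single fragment of "bad" matches on its own.
def permit(data):
    return b"DENY-ME" not in data
def F(ip_id, offset, more, payload):
    return Fragment("192.0.2.1", "198.51.100.7", ip_id, offset, more, payload)
bad = [F(7, 5, False, b"Y-ME"), F(7, 0, True, b"xxDEN")]       # arrives out of order
good = [F(8, 0, True, b"hello, "), F(8, 7, False, b"world")]
print(run(bad, permit), run(good, permit))
```

Every fragment in `bad` passes the rule when checked alone; only the rebuilt payload fails it, which is why the firewall feature needs the reassembled view before it releases anything.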
