Purpose of ip virtual assembly

Answered Question
Feb 11th, 2009

I've seen this enabled by default on routers, but when would you want to disable it?

Thanks,

John

Correct Answer
Jon Marshall Wed, 02/11/2009 - 09:41

Okay :-)

I don't have a list of all the features that use virtual reassembly but the 2 that spring to mind are firewalls and NAT.

Put simply, it's to do with IP fragments (apologies if I'm telling you something you already know here). When you configure "ip virtual-reassembly" it tells the router that, rather than forward the fragments on as it would normally, it needs to reassemble the packet.

Obviously one of the primary uses of this is with firewalls. So if you have the IOS stateful firewall running then you would want this enabled. Also, if you configure NAT under any interface, ip virtual-reassembly is automatically enabled as far as I know.

My understanding of it was that it was disabled by default and if a feature that needed it was turned on then it too would be automatically turned on.

Jon

John Blakley Wed, 02/11/2009 - 09:47

Thanks Jon. So, are you saying that the router will hold all packets that belong to a session before forwarding to its destination in/out bound? It makes sense why it would be enabled for CBAC.

John

Jon Marshall Wed, 02/11/2009 - 10:25

John

"So, are you saying that the router will hold all packets that belong to a session before forwarding to its destination in/out bound?"

Yes, although that does raise an interesting point. My understanding is that it does reassemble the packet to check against firewall rules etc., but that the actual fragments are what it forwards on, i.e. it only reassembles the packet for inspection; it doesn't actually reassemble it and then transmit the whole packet, hence the "virtual" bit.

Jon
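
The behaviour described in the reply above, sketched as an added example that is not part of the original thread and is not Cisco's implementation: fragments are held until the datagram is complete, the rebuilt payload is checked once, and the original fragments are what gets forwarded. The class and function names, the port-80 rule and the fragment cap are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int     # IP Identification: shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's data in the datagram
    more: bool     # More Fragments flag (False on the final fragment)
    data: bytes

def permit_http_only(payload: bytes) -> bool:
    """Toy rule (assumption): source and destination ports are the first 4 bytes."""
    return len(payload) >= 4 and struct.unpack("!HH", payload[:4])[1] == 80

class VirtualReassembler:
    def __init__(self, inspect, max_fragments=16):
        self.inspect = inspect
        self.max_fragments = max_fragments   # cap on held state per datagram
        self.pending = {}                    # (src, dst, ident) -> fragments

    def receive(self, frag):
        """Return the original fragments to forward now (possibly none)."""
        key = (frag.src, frag.dst, frag.ident)
        held = self.pending.setdefault(key, [])
        held.append(frag)
        if len(held) > self.max_fragments:
            del self.pending[key]            # too many pieces: discard all
            return []
        payload = self._assemble(held)
        if payload is None:
            return []                        # incomplete: keep holding
        del self.pending[key]
        # The verdict uses the rebuilt payload; the fragments go out as-is.
        return list(held) if self.inspect(payload) else []

    @staticmethod
    def _assemble(frags):
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[-1].more:
            return None                      # final fragment not seen yet
        buf = b""
        for f in ordered:
            if f.offset != len(buf):
                return None                  # gap or overlap: not complete
            buf += f.data
        return buf
```

Only the first fragment carries the port numbers, which is why the rule can only be evaluated once every piece has arrived.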
