Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Using Fragmentation Guard

Hi,

I'd like to check on the "fragment chain" command and when is it recommended to be used?

I know that using "fragment chain 1" for example will make my PIX drop any fragmented packets that arrive to the PIX interface, and this is a feature that helps me against DoS attacks. But how can I make a judgment on the number of fragments that I should accept on my environment and how can this affect my applications? Any advice please?

Thanks,

Haitham

3 REPLIES
New Member

Re: Using Fragmentation Guard

Hi Haitham,

The fragmentation chain is set to 12 as a default. That would allow for a 16k token ring frame to be fragmented into 1500 byte pieces to be correctly processed by the PIX.

Token Ring <--> Router <--> Serial Interface (768 mtu)

In practice, the default is excessive. Although fragmentation is a normal part of IP, it is however, "uncommon". Unless you routinely communicate with remote sights that use token ring, fddi or atm (or maybe x.25), a chain of 2-4 is safer.

If after changing the chain value you cannot communicate with sites you could previously reach,onitor your syslog for the message below and increase chain value as necessary.

209005 Error Message %PIX-4-209005: Discard IP fragment set with more than number elements:

src = IP_address, dest = IP_address, proto = protocol, id = number

Explanation Too many elements are in a fragment set. The firewall disallows any IP packet that is fragmented into more than 12 fragments. Refer to the fragment command in the Cisco PIX Firewall Command Reference for more information.

Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider.

Regards,

Dave

New Member

Re: Using Fragmentation Guard

Hi Dave,

It seems you’re here talking about the “sysopt security fagguard” command, while I meant the “fragment chain 1 ” command which allows 24 fragments by default and not 12. Please refer to http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1029667 for details about the “fragment chain 1 ” command. Confusingly, I also read in the Cisco PIX Exam Cram guide that the guard allows 100 fragments per internal destination host per second

To be honest, I’m a bit confused b/ the 2 commands and how, when applying them on the same time, the PIX will react (i.e. will it allow 12 fragments, 24 or 100)… is the fragment chain command a complimentary where I can control the number of chains to permit through my PIX FW?

Thanks,

Haitham

New Member

Re: Using Fragmentation Guard

Hi,

The default changed from 12 to 24 in version 6.2.

sysopt security fraggaurd enables fragmentation inspection. The fragment size and fragment chain commands modify the bhavior of fragmentation inspection.

Regards,

Dave

172
Views
2
Helpful
3
Replies