Configuring Fragmentation Control for MS-DPC and MS-PIC Service Interfaces.
Two configuration options are available to prevent excessive consumption of CPU cycles on a services PIC caused by the handling of large numbers of fragmented packets. Such fragment handling can be exploited in DoS attacks. The fragment-limit option establishes a maximum number of fragments for a packet. When this number is exceeded, the packet is dropped. The reassembly-timeout option specifies the maximum time between the receipt of the first and latest fragments in a packet. When this time is exceeded, the packet is dropped.
To configure fragmentation control for MS-DPC and MS-PIC service interfaces:
- In configuration mode, go to the [edit interfaces interface-name services-options] hierarchy level.
      edit interfaces interface-name services-options
- Configure the fragment limit.
      [edit interfaces interface-name services-options]
      set fragment-limit number-of-fragments
- Configure the reassembly timeout.
      [edit interfaces interface-name services-options]
      set reassembly-timeout seconds
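
The two drop rules described above, modelled in Python as an added example (not Juniper's code and not part of the original page). Class and function names are hypothetical, the sample traffic is constructed, and the model assumes a packet completes when its final fragment arrives and that the timeout is evaluated as each fragment is received.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    packet_id: int        # value shared by all fragments of one packet
    arrival: float        # receipt time in seconds
    last: bool = False    # True for the final fragment of the packet

class FragmentControl:    # hypothetical model, not Junos code
    def __init__(self, fragment_limit, reassembly_timeout):
        self.fragment_limit = fragment_limit
        self.reassembly_timeout = reassembly_timeout
        self.pending = {}   # packet_id -> (first arrival, fragments seen)
        self.verdict = {}   # packet_id -> final outcome

    def receive(self, frag):
        pid = frag.packet_id
        if pid in self.verdict:              # already decided: no new state
            return self.verdict[pid]
        first, seen = self.pending.get(pid, (frag.arrival, 0))
        seen += 1
        if seen > self.fragment_limit:       # too many fragments for one packet
            return self._finish(pid, "dropped: fragment-limit")
        if frag.arrival - first > self.reassembly_timeout:   # first-to-latest gap
            return self._finish(pid, "dropped: reassembly-timeout")
        if frag.last:
            return self._finish(pid, "reassembled")
        self.pending[pid] = (first, seen)
        return "buffered"

    def _finish(self, pid, outcome):
        self.pending.pop(pid, None)          # release reassembly state
        self.verdict[pid] = outcome
        return outcome

def run(fragments, fragment_limit, reassembly_timeout):
    ctl = FragmentControl(fragment_limit, reassembly_timeout)
    for frag in sorted(fragments, key=lambda f: f.arrival):
        ctl.receive(frag)
    return ctl.verdict, ctl.pending

# Constructed traffic: packet 1 ordinary, packet 2 over-fragmented, packet 3 slow.
SAMPLE = (
    [Fragment(1, 0.0), Fragment(1, 0.1), Fragment(1, 0.2, last=True)]
    + [Fragment(2, 1.0 + i * 0.01) for i in range(8)]
    + [Fragment(3, 2.0), Fragment(3, 9.0, last=True)]
)
if __name__ == "__main__":
    print(run(SAMPLE, fragment_limit=4, reassembly_timeout=3)[0])
```

With looser settings (for example a limit of 10 and a timeout of 10), packet 2 stays in the pending table indefinitely, which is the resource consumption the two options are meant to bound.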

