IP_VFR-4-FRAG_TABLE_OVERFLOW
IP虛擬分片重組
爲了避免每個業務模塊(如:IPSec、NAT和防火牆)單獨處理後片先到(報文分片後)這種情況而導致複雜度過高,設備需要收到IP報文後就對分片報文進行虛擬分片重組。IP虛擬分片重組功能可以對分片報文進行檢驗、排序和緩存,保證後續業務模塊處理的都是順序正確的分片報文。
同時,IP虛擬分片重組功能還可以對下面幾種分片***進行檢測。如果檢測到分片***,則設備會丟棄收到的分片報文,從而提高了設備的安全性。
問題
*Nov 15 18:03:26.431: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/0: the fragment table has reached its maximum threshold 16
------------------------
官方提示
Recommended Action: Increase the maximum number of datagrams that can be reassembled
by entering the ip virtual-reassembly max-reassemblies number command, with number
being the maximum number of datagrams that can be reassembled at any one time.
--------------------------
具體操作
ip virtual-reassembly max-reassemblies 1024
*Nov 15 18:03:26.431: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/0: the fragment table has reached its maximum threshold 16
------------------------
官方提示
Recommended Action: Increase the maximum number of datagrams that can be reassembled
by entering the ip virtual-reassembly max-reassemblies number command, with number
being the maximum number of datagrams that can be reassembled at any one time.
--------------------------
具體操作
ip virtual-reassembly max-reassemblies 1024
近期單位路由器經常提示如下錯誤,並且網絡速度明顯降低:
%IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0: the fragment table has reached its maximum threshold 16
經查,是受到了網絡碎片***。採取以下措施,效果明顯:
1. 在端口提高包重組能力:
int f0
ip virtual-reassembly max-reassemblies 1024
2. 在端口加acl攔截***包:
int f0
ip access-group 120 in
ip access-group 120 out
access-list 120
從此cpu利用率恢復正常,網速也得到恢復。
=====================================================================================