enable ip-security anomaly-protection tcp fragment

enable ip-security anomaly-protection tcp fragment {slot [ slot | all ]}

Description

Enables TCP fragment checking.

Syntax Description

slot Specifies the slot to be used.
all Specifies all IP addresses, or all IP addresses in a particular state.

Default

The default is disabled.

Usage Guidelines

This command enables TCP fragment checking. The check applies to both IPv4 and IPv6. When it is enabled, the switch drops a TCP packet if one of the following conditions is true:
  • For the first IPv4 TCP fragment (its IP offset field==0), if its TCP header is smaller than the minimum allowed IPv4 TCP header size.

  • For the first IPv6 TCP fragment (its IP offset field==0), if its TCP header is smaller than the minimum allowed IPv6 TCP header size.

  • If its IP offset field==1 (for IPv4 only).
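
The three drop conditions above, written as a packet classifier that can be used to reason about which fragments the check would discard. This is an added example, not ExtremeXOS code: the 20-byte minimum, the reading of "TCP header" as the TCP bytes carried in the fragment, and all function names are assumptions, and the sample packets are constructed.

```python
import struct

TCP, IPV6_FRAG = 6, 44
MIN_TCP_HDR = 20  # assumed threshold (base TCP header size); the page states no value

def verdict(pkt: bytes, min_hdr: int = MIN_TCP_HDR) -> str:
    """Return 'drop' or 'pass' for one well-formed raw IP packet."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", pkt, 2)[0]
        offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF  # 8-byte units
        if pkt[9] != TCP:
            return "pass"
        tcp_bytes = min(total_len, len(pkt)) - ihl  # TCP bytes carried in this packet
        if offset == 1:                             # condition 3 (IPv4 only)
            return "drop"
        if offset == 0 and tcp_bytes < min_hdr:     # condition 1
            return "drop"
        return "pass"
    if version == 6:
        payload_len = struct.unpack_from("!H", pkt, 4)[0]
        nxt, offset, tcp_bytes = pkt[6], 0, payload_len
        if nxt == IPV6_FRAG:  # assumes the Fragment header directly follows the base header
            nxt = pkt[40]
            offset = struct.unpack_from("!H", pkt, 42)[0] >> 3
            tcp_bytes = payload_len - 8             # minus the 8-byte Fragment header
        if nxt == TCP and offset == 0 and tcp_bytes < min_hdr:  # condition 2
            return "drop"
    return "pass"

def ipv4(offset: int, more: bool, payload: bytes) -> bytes:
    """Constructed IPv4/TCP sample packet (checksum left at zero)."""
    frag = (0x2000 if more else 0) | offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag, 64,
                       TCP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def ipv6_frag(offset: int, more: bool, payload: bytes) -> bytes:
    """Constructed IPv6 sample packet with a Fragment header carrying TCP."""
    base = struct.pack("!IHBB", 0x60000000, 8 + len(payload), IPV6_FRAG, 64) + bytes(32)
    return base + struct.pack("!BBHI", TCP, 0, (offset << 3) | int(more), 1) + payload

if __name__ == "__main__":
    for name, pkt in [("v4 first fragment, 8 TCP bytes", ipv4(0, True, bytes(8))),
                      ("v4 offset 1", ipv4(1, False, bytes(16))),
                      ("v4 first fragment, 24 TCP bytes", ipv4(0, True, bytes(24))),
                      ("v6 first fragment, 8 TCP bytes", ipv6_frag(0, True, bytes(8)))]:
        print(f"{name}: {verdict(pkt)}")
```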

History

This command was first available in ExtremeXOS 12.0.

Platform Availability

This command is available only on the Summit X440, X460, X460-G2, X480, X670, and X670-G2 platforms, whether or not included in a SummitStack, and on the BlackDiamond X8 series switches and BlackDiamond 8000 c-, e-, xl-, and xm-series modules.