enable ip-security anomaly-protection tcp fragment

enable ip-security anomaly-protection tcp fragment {slot [ slot | all ]}

Description

Enables TCP fragment checking.

Syntax Description

slot Specifies the slot to be used.
all Specifies all IP addresses, or all IP addresses in a particular state.

Default

The default is disabled.

Usage Guidelines

This command enables TCP fragment checking. This checking takes effect for IPv4/IPv6. When it is enabled, the switch drops TCP packets if one of following condition is true:
  • For the first IPv4 TCP fragment (its IP offset field==0), if its TCP header is less than the minimum IPv4 TCP header allowed size.

  • For the first IPv6 TCP fragment (its IP offset field==0), if its TCP header is less than the minimum IPv6 TCP header allowed size.

  • If its IP offset field==1 (for IPv4 only).

History

This command was first available in ExtremeXOS 12.0.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, and 5520 series switches.