enable ip-security anomaly-protection tcp fragment
Description
Enables TCP fragment checking.
Syntax Description
| slot | Specifies the slot to be used. |
| all | Specifies all IP addresses, or all IP addresses in a particular state. |
Default
The default is disabled.
Usage Guidelines
This command enables TCP fragment checking. The check applies to both IPv4 and IPv6.
When it is enabled, the switch drops TCP packets if one of the following conditions is true:
- For the first IPv4 TCP fragment (its IP offset field==0), if its TCP header is smaller than the minimum allowed IPv4 TCP header size.
- For the first IPv6 TCP fragment (its IP offset field==0), if its TCP header is smaller than the minimum allowed IPv6 TCP header size.
- If its IP offset field==1 (for IPv4 only).
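The IPv4 conditions above can be reproduced offline to triage captured packets. The following Python sketch is an added example, not ExtremeXOS code: the function names, the 20-byte default minimum, and the reading of "TCP header size" as the number of TCP bytes carried in the fragment are assumptions. IPv6 is left out.

```python
import struct

IPPROTO_TCP = 6
MIN_TCP_HDR = 20  # assumption: the minimum configured on the switch may differ


def build_ipv4(payload: bytes, frag_offset: int = 0, mf: bool = False,
               proto: int = IPPROTO_TCP) -> bytes:
    """Build a constructed sample IPv4 packet (checksum left at 0, not validated)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


def check_ipv4_tcp_fragment(packet: bytes, min_tcp_hdr: int = MIN_TCP_HDR) -> str:
    """Return 'drop' or 'pass' for one raw IPv4 packet under the rules listed above."""
    if len(packet) < 20:
        return "pass"  # too short to parse; outside the scope of this check
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return "pass"  # the rules apply to TCP only
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_frag & 0x1FFF  # fragment offset, in 8-byte units
    if offset == 1:
        # IPv4-only rule: a fragment at offset 1 would overlap bytes 8..19
        # of the TCP header carried by the first fragment.
        return "drop"
    if offset == 0:
        # The page identifies the first fragment by offset==0, so the size
        # rule is applied to every packet with that offset.
        tcp_bytes = min(total_len, len(packet)) - ihl
        if tcp_bytes < min_tcp_hdr:
            return "drop"
    return "pass"


if __name__ == "__main__":
    samples = {  # constructed packets, not captured traffic
        "first fragment, 8 TCP bytes": build_ipv4(b"\x00" * 8, 0, mf=True),
        "first fragment, 20 TCP bytes": build_ipv4(b"\x00" * 20, 0, mf=True),
        "fragment at offset 1": build_ipv4(b"\x00" * 8, 1),
        "fragment at offset 2": build_ipv4(b"\x00" * 8, 2),
    }
    for name, pkt in samples.items():
        print(f"{name}: {check_ipv4_tcp_fragment(pkt)}")
```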
History
This command was first available in ExtremeXOS 12.0.
Platform Availability
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.