Reassembling and offloading fragmented packets
When enabled, NP7 processors use defrag/reassembly (DFR) to reassemble fragmented packets. The NP7 can reassemble and offload packets that have been fragmented into two packets (1 header and 1 packet fragment). Traffic that has been fragmented into more than two packets is handled by the CPU.
The DFR uses a de-fragmentation table with 512 entries per NP7 processor. The table is used as a buffer, and every fragmented packet is entered into the table as a de-frag context with Source IP, Destination IP, and context ID. If there is no match and the table is not full, the context is stored as pending and the min_timeout and max_timeout timers are started. When the second fragment is received, it is matched with the corresponding fragment in the table. The reassembled packet is then sent to its destination by the NP7 processor.
Reassembling and offloading fragmented packets is disabled by default, and all fragmented packets are handled by the CPU. If your system is processing relatively large amounts of fragmented packets, you can use the following command to improve performance by enabling fragmented packet reassembly for NP7 processors.
config system npu
config ip-reassembly
set status {disable | enable}
set min_timeout <micro-seconds>
set max_timeout <micro-seconds>
end
Where:
status, enable or disable IP reassembly. IP reassembly is disabled by default.
min_timeout is the minimum timeout value for IP reassembly, in the range 5 to 600,000,000 μs (microseconds). The default min_timeout is 64 μs.
max_timeout is the maximum timeout value for IP reassembly, in the range 5 to 600,000,000 μs. The default max_timeout is 1000 μs.
The timeouts are quite sensitive and may require tuning to get best performance depending on your network and FortiGate configuration and traffic mix.
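To make the DFR behaviour above concrete, here is an added example (not Fortinet code) that models the de-fragmentation table: a first fragment is buffered, a matching second fragment completes the datagram for offload, and anything else (a third fragment, a full table, an expired context) is punted to the CPU. It assumes the page's "context ID" corresponds to the IP Identification field and models only max_timeout as the context expiry, since the page does not describe what min_timeout governs.

```python
# Added example, not Fortinet's NP7 code: simplified model of the DFR
# de-fragmentation table described on this page.
# Assumptions: contexts are keyed on (src, dst, ip_id), with ip_id standing in
# for the page's "context ID"; only max_timeout (context expiry) is modelled,
# because the page does not say what min_timeout governs.
from dataclasses import dataclass

TABLE_SIZE = 512  # de-frag table entries per NP7 processor (from the page)


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int            # IP Identification field (assumed to be the context ID)
    offset: int           # fragment offset; 0 for the head fragment
    more_fragments: bool  # IP "MF" flag


class DfrTable:
    """Two-fragment reassembly: buffer the first, offload on the second,
    otherwise punt to the CPU."""

    def __init__(self, max_timeout_us=1000):  # page default: 1000 us
        self.max_timeout_us = max_timeout_us
        self.table = {}  # (src, dst, ip_id) -> (fragment, arrival time in us)

    def _expire(self, now_us):
        # Contexts whose second fragment never arrived in time are dropped
        # from the table (in hardware the stale fragment would go to the CPU).
        dead = [k for k, (_, t) in self.table.items()
                if now_us - t > self.max_timeout_us]
        for k in dead:
            del self.table[k]

    def receive(self, frag, now_us):
        """Return 'buffered', 'offloaded' or 'cpu' for this fragment."""
        self._expire(now_us)
        key = (frag.src, frag.dst, frag.ip_id)
        pending = self.table.pop(key, None)
        if pending is None:
            if len(self.table) >= TABLE_SIZE:
                return "cpu"  # table full: CPU handles this datagram
            self.table[key] = (frag, now_us)
            return "buffered"
        first, _ = pending
        head = first if first.offset == 0 else frag  # fragments may arrive out of order
        tail = frag if head is first else first
        # Exactly two fragments: a head (offset 0, MF set) and a tail (MF clear).
        # A second fragment with MF still set means >2 fragments: CPU path.
        complete = (head.offset == 0 and head.more_fragments
                    and tail.offset != 0 and not tail.more_fragments)
        return "offloaded" if complete else "cpu"
```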
The CLI help uses |