Reassembling and offloading fragmented packets
NP7 processors support reassembling and offloading fragmented IPv4 and IPv6 packets. The NP7 processor uses defrag/reassembly (DFR) to re-assemble fragmented packets. The NP7 can re-assemble and offload packets that have been fragmented into two packets (1 header and 1 packet fragment). Traffic that has been fragmented into more that two packets is handled by the CPU.
Reassembling and offloading fragmented packets is disabled by default and all fragmented packets are handled by the CPU. If your system is processing relative large amounts of fragmented packets, you can use the following command to improve performance by reassembling and offloading them using NP7 processors:
config system npu
config ip-reassembly
set status {disable | enable}
set min_timeout <micro-seconds>
set max_timeout <micro-seconds>
end
Where:
status, enable or disable IP reassembly. IP reassembly is disabled by default.
min_timeout is the minimum timeout value for IP reassembly in the range 5 to 600,000,000 μs (micro seconds). The default min-timeout is 64 μs.
max_timeout is the maximum timeout value for IP reassembly 5 to 600,000,000 μs. The default max-timeout is 1000 μs.
The timeouts are quite sensitive and may require tuning to get best performance depending on your network and FortiGate configuration and traffic mix.
|
The CLI help uses |