Cisco Packet Data Interworking Function (PDIF)
Firewall-and-NAT Policy Configuration Mode Commands
Command Line Interface Reference, StarOS Release 16
firewall max-ip-packet-size
This command configures the maximum IPv4/IPv6 packet size (after IP reassembly) allowed over Stateful Firewall.
Important: In release 8.0, this configuration is available in the ACS Configuration Mode. In release 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the ACS Rulebase Configuration Mode. In release 8.3, this configuration is available in the ACS Rulebase Configuration Mode.
Product
PSF
Privilege
Security Administrator, Administrator
Mode
Exec > ACS Configuration > Firewall-and-NAT Policy Configuration
active-charging service service_name > fw-and-nat policy policy_name
Entering the above command sequence results in the following prompt:
[local]host_name(config-fw-and-nat-policy)#
Syntax
firewall max-ip-packet-size packet_size protocol { icmp | non-icmp }
default firewall max-ip-packet-size protocol { icmp | non-icmp }
default
Configures the default setting.
Default: 65535 bytes (for both ICMP/ICMPv6 and non-ICMP/ICMPv6)
packet_size
Specifies the maximum packet size allowed by the firewall. Any IPv6 packet with payload size greater than the configured value will be dropped.
packet_size must be an integer from 30000 through 65535.
protocol { icmp | non-icmp }
Specifies the transport protocol:
icmp: Configuration for ICMP/ICMPv6 protocol.
non-icmp: Configuration for protocols other than ICMP/ICMPv6.
Usage
Use this command to configure the maximum IPv4/IPv6 packet size allowed for ICMP/ICMPv6 and non-ICMP/ICMPv6 packets to prevent packet flooding attacks to the host. Packets exceeding the configured size are dropped, which protects against “Jolt” and “Ping-Of-Death” attacks.
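The following Python sketch is an added illustration, not StarOS code and not part of the Cisco reference. It shows the kind of post-reassembly size check this command configures, with separate limits for icmp and non-icmp traffic. The names `Fragment`, `Policy`, `reassembled_size` and `verdict`, the 20-byte IPv4 header, and counting that header in the compared size are assumptions; the sample fragments are constructed.

```python
from dataclasses import dataclass

CLI_MIN, CLI_MAX = 30000, 65535  # packet_size range accepted by the command
IPV4_HEADER = 20                 # assumption: header without options is counted


@dataclass(frozen=True)
class Fragment:
    offset_units: int  # IPv4 fragment offset field, in 8-byte units
    payload_len: int   # payload bytes carried by this fragment


class Policy:
    """Per-protocol limits, mirroring 'protocol { icmp | non-icmp }'."""

    def __init__(self, icmp=CLI_MAX, non_icmp=CLI_MAX):
        for value in (icmp, non_icmp):
            if not CLI_MIN <= value <= CLI_MAX:
                raise ValueError(f"packet_size {value} outside {CLI_MIN}-{CLI_MAX}")
        self.limit = {"icmp": icmp, "non-icmp": non_icmp}


def reassembled_size(fragments):
    """Header plus the furthest payload byte any fragment claims to cover."""
    return IPV4_HEADER + max(f.offset_units * 8 + f.payload_len for f in fragments)


def verdict(policy, protocol, fragments):
    """Return 'drop' when the reassembled size exceeds the configured limit."""
    return "drop" if reassembled_size(fragments) > policy.limit[protocol] else "allow"


# Constructed samples. The oversized one ends past 65535 bytes, which is the
# "Ping-Of-Death" shape: no single fragment is large, the reassembled packet is.
OVERSIZED = [Fragment(0, 1480), Fragment(8189, 1000)]   # 20 + 65512 + 1000
LARGE_ICMP = [Fragment(0, 1480), Fragment(7500, 980)]   # 20 + 60000 + 980

if __name__ == "__main__":
    default, tightened = Policy(), Policy(icmp=60000)
    print(reassembled_size(OVERSIZED), verdict(default, "icmp", OVERSIZED))
    print(reassembled_size(LARGE_ICMP), verdict(default, "icmp", LARGE_ICMP))
    print(verdict(tightened, "icmp", LARGE_ICMP), verdict(tightened, "non-icmp", LARGE_ICMP))
```

With the default limit only the oversized sample is dropped; lowering the icmp limit to 60000 also drops the 61000-byte ICMP sample while the same size still passes as non-icmp.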
Example
The following command allows a maximum packet size of 60000 for ICMP/ICMPv6 protocol: