Forum Discussion
How to clear Don't Fragment (DF) bit
Before that, I need to know why F5 sets the DF bit in the first place?
And what is the meaning of this bit? ... and ... what is the adverse effect when this bit is set?
A quick summary
The DF bit is to tell routers NOT to fragment packets. This means that if a packet is too large to pass across a link with a different MTU, the packet must be dropped and a message (ICMP host unreachable) must be sent back to the source to tell them to lower their MTU (Path MTU) to the remote host.
Having DF set is usually the default. And a good thing. Without it, you have to make the assumption that the path MTU to a remote host is 512 bytes. That means many more packets for the same amount of data, which lowers throughput as the overheads go up.
So why not just fragment? Because it's bad. The target host has to buffer all these fragments for an amount of time so it can rebuild the whole packet. This takes resources. Send enough fragmented packets to a host and it's a great DoS attack. Most hosts/firewalls will/should be configured to DROP fragmented packets. So that's another downside to removing the DF flag.
Dropping your local MTU to make a remote host work is also bad. ALL the MTUs on a local subnet MUST be the same size. (OK. Most modern hosts will actually accept inbound packets larger than the configured MTU, but there's no guarantee. And performance will suffer too.)
H
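An added example, not part of the post above: a small Python decoder for the IPv4 fields this answer discusses (DF, More Fragments, fragment offset) and for the next-hop MTU carried in an ICMP Destination Unreachable, code 4 "fragmentation needed and DF set" message (RFC 1191). The function names, the `build_ipv4` helper, and the sample packets with documentation addresses are constructed for illustration.

```python
import struct

def parse_ipv4_frag(packet: bytes) -> dict:
    """Decode the fragmentation fields of an IPv4 header (RFC 791)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag, = struct.unpack_from("!H", packet, 6)
    offset = (flags_frag & 0x1FFF) * 8          # field counts 8-byte units
    mf = bool(flags_frag & 0x2000)              # More Fragments
    return {
        "ihl": (packet[0] & 0x0F) * 4,          # header length in bytes
        "proto": packet[9],
        "df": bool(flags_frag & 0x4000),        # Don't Fragment
        "mf": mf,
        "frag_offset": offset,
        "is_fragment": mf or offset > 0,        # MF set, or a non-zero offset
    }

def pmtu_from_icmp(packet: bytes):
    """Next-hop MTU from ICMP type 3 code 4 (RFC 1191), else None."""
    ip = parse_ipv4_frag(packet)
    icmp = packet[ip["ihl"]:]
    if ip["proto"] != 1 or len(icmp) < 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack_from("!BBHHH", icmp)
    return mtu if (typ, code) == (3, 4) else None

def build_ipv4(flags_frag: int, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample header; checksum left 0, nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

# Constructed samples (not captured traffic).
DF_TCP = build_ipv4(0x4000, 6)                  # DF set, not a fragment
MID_FRAG = build_ipv4(0x2000 | 185, 17)         # MF set, offset 185 * 8
LAST_FRAG = build_ipv4(370, 17)                 # MF clear, offset 370 * 8
FRAG_NEEDED = build_ipv4(                       # router's reply quoting DF_TCP
    0, 1, struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + DF_TCP)

if __name__ == "__main__":
    for name, pkt in [("DF_TCP", DF_TCP), ("MID_FRAG", MID_FRAG),
                      ("LAST_FRAG", LAST_FRAG), ("FRAG_NEEDED", FRAG_NEEDED)]:
        print(name, parse_ipv4_frag(pkt), "next-hop MTU:", pmtu_from_icmp(pkt))
```

If a firewall on the path filters these ICMP messages, the sender never learns the smaller MTU and large DF packets are dropped silently, so a check like `pmtu_from_icmp` is useful when reviewing a capture for whether the messages actually arrive.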