Dealing with fragments
Most network professionals are familiar with fragmenting packets. In many cases, this is necessitated by changes in the Maximum Transmission Unit (MTU) of the layer 2 protocols a packet crosses as it passes across different networks. For instance, Ethernet's MTU is 1518 bytes and Token Ring's MTU is commonly set to 4096, so a big frame originating from a Token Ring network couldn't be passed whole across an Ethernet segment.
In the good old days, when all we had to worry about was file and print sharing, the larger MTU yielded more efficiency and greater performance. However, it's commonly understood that when VoIP or other time-sensitive traffic is in use, these packets can get stuck behind a big packet in the queues on routers and switches and cause enough jitter to be noticeable to people using the phones.
So fragmentation busts these large packets into several smaller ones, and IP tracks the fragments using several fields in the IP header so that the destination host can reassemble them. However, IP leaves out some very important info when it does this: only the first packet in a series of fragments carries the layer 4 and higher protocol information (the TCP or UDP header); the remaining fragments carry only IP headers and raw payload. (Note that IP fragmentation is very different from Frame-Relay fragmentation and interleaving.)
This is a common issue in security circles because firewalls and similar devices have problems identifying fragments and taking the appropriate actions. But it's also a problem for network engineers using VoIP, for a similar reason: when you assign QoS markings based on information like the UDP or TCP port, you will usually only mark the first fragment and miss all the rest of the fragments, because they carry no port numbers to match on.
Fortunately, VoIP packets are usually small and rarely (never) fragmented, but many people choose to lower the priority of other traffic rather than raising the priority of voice traffic. If you're using a scheme like this to prioritize your traffic, keep in mind how fragments will affect your scheme. In any case, setting the first fragment to a different priority than the rest of the fragments is likely to result in out-of-order fragments and, potentially, some retransmissions.
You can use access-lists to permit or deny packets using the "fragments" keyword, with a statement like:
access-list 101 deny ip any any fragments
Although different networks have different requirements, you can use this command to deny any fragmented packets from being forwarded on a given interface, or you can use it when you are prioritizing your traffic.
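To make the blind spot concrete, here is an added example (not code from the article) that builds the IPv4 fragments of one UDP datagram, parses the identification, More-Fragments flag and fragment-offset fields IP uses to track them, and runs two checks over them: a port-based QoS classifier, which can only see the ports in the initial fragment, and a check matching what the "fragments" keyword is assumed to match, namely non-initial fragments (offset greater than zero). The addresses, ports and the RTP-style port range are constructed for the example.

```python
import struct

UDP = 17
VOICE_PORTS = range(16384, 32768)  # assumed RTP port range for the example, not from the article

def build_fragments(udp_payload: bytes, mtu: int = 1500, ident: int = 0x1234,
                    sport: int = 16384, dport: int = 16384) -> list[bytes]:
    """Fragment one UDP datagram into IPv4 packets that fit the given MTU.
    Only the first fragment carries the 8-byte UDP header (the ports); the rest
    carry raw payload bytes, which is the gap the article describes."""
    datagram = struct.pack("!HHHH", sport, dport, 8 + len(udp_payload), 0) + udp_payload
    chunk = (mtu - 20) // 8 * 8            # fragment data length must be a multiple of 8
    frags = []
    for off in range(0, len(datagram), chunk):
        data = datagram[off:off + chunk]
        more = off + chunk < len(datagram)
        flags_off = (0x2000 if more else 0) | (off // 8)  # MF flag + 13-bit offset in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident, flags_off,
                          64, UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
        frags.append(hdr + data)
    return frags

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields IP uses to track fragments: identification, MF flag and offset."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "mf": bool(flags_off & 0x2000),
            "offset": (flags_off & 0x1FFF) * 8, "proto": proto, "payload": pkt[ihl:]}

def is_noninitial_fragment(pkt: bytes) -> bool:
    """Assumed equivalent of the ACL 'fragments' keyword: fragment offset greater than zero."""
    return parse_ipv4(pkt)["offset"] > 0

def classify_by_port(pkt: bytes) -> str:
    """A port-based QoS classifier; it can only read UDP ports from the initial fragment."""
    ip = parse_ipv4(pkt)
    if ip["offset"] > 0:
        return "unclassified"             # no layer 4 header here: the ports are in another packet
    if ip["proto"] == UDP:
        _sport, dport = struct.unpack("!HH", ip["payload"][:4])
        if dport in VOICE_PORTS:
            return "voice"
    return "best-effort"

if __name__ == "__main__":
    for f in build_fragments(b"x" * 3000):   # a 3000-byte payload splits into three fragments
        ip = parse_ipv4(f)
        print(ip["offset"], ip["mf"], classify_by_port(f), is_noninitial_fragment(f))
```

Run against a 3000-byte payload, only the offset-0 fragment is classified as voice; the other two are invisible to the port match but are exactly what the "fragments" keyword selects.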
Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.