> I'm experiencing problems with fragmentation due to GRE tunnel overhead:
> the way I understand it, the MTU if a GRE tunnel will always be less than
> the MTU of the underlying IP cloud due to the IP encapsulation overhead (in
> our case 1500 bytes). So 1500 byte packets attempting to travers the tunnel
> will be fragmented.
Correct.
> We're trying to use GRE tunnels extensivly in a VPN service offering, and
> it seems that there is a lot of critical traffic with 1500 byte packets and
> with the DF bit set. So it doesn't get through the VPN tunnels. The
> critical packet length is 1472 bytes.
>
> We see this on a variety of platforms (from 2500 to 7507) and a variety of
> IOS releases (11.1(18)CC, 11.1(2), 11.2(5).
> Thinking about it, this problem is to be expected...but it seems to render
> GRE tunnels unuseable in a VPN environment. But I know lots of people are
> using GRE for this or similar applications...so what am I missing here.
We use some GRE tunnels, but I only do it when I absolutely have to because
I hate to reduce the effective MTU.
But are you really seeing so many applications that break on this? It
seems to be those applications are broken. Most applications which send
large packets with DF set do so in order to implement path MTU discovery
anyway, which will work through the tunnel.
-Phil
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:14 EDT