[c-nsp] MTU settings/GRE tunnel

Masood Ahmad Shah masood at nexlinx.net.pk
Fri Sep 21 14:28:33 EDT 2007


Please always CC to mailing list so others can see it and share their
experience/thoughts....



Regards,
Masood Ahmad Shah


-----Original Message-----
From: Nick Kraal [mailto:nick at arc.net.my] 
Sent: Friday, September 21, 2007 10:54 PM
To: Masood Ahmad Shah
Subject: Re: [c-nsp] MTU settings/GRE tunnel

Thanks Masood for the advice. We got stuck big time accessing some internal
web servers. Narrowed this down to MTU/MSS issues. Adjusting the MSS helped
out a lot. Will try the other pointers given.

Much appreciated and regards,

-nick/

Masood Ahmad Shah wrote:
> use 'ip tcp adjust-mss 1400' on a router seeing traffic in the clear 
> to force MSS to 1400 so IP datagram size to 1420 (of course 1400 is 
> just a guess), this will cover all TCP traffic.
> 
> Set ip mtu 1500 on GRE tunnel interface (yes 1500 bytes)..
> 
> Reasoning: 
> - GRE encapsulation clears the DF bit UNLESS 'tunnel path-mtu-discovery'
> is set on the tunnel interface (if turned on the tunnel MTU will be 
> dynamically adjusted upon receipt of ICMP)
> - IPsec encapsulation copies the DF and adjusts the path MTU upon 
> receipt of ICMP UNLESS 'crypto ipsec df-bit clear/set' is configured 
> in the crypto map
> - router will fragment when forwarding to any interface whose MTU is 
> smaller than the received IP packet. This happens often when 
> forwarding to a GRE tunnel whose MTU is 1476 per default...
> 
> 
> The last point forces the router to drop all 1500-byte packets and to 
> send an ICMP message when a DF packet is received.
> 
> 
> Regards,
> Masood Ahmad Shah
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Kraal
> Sent: Thursday, September 20, 2007 12:51 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] MTU settings/GRE tunnel
> 
> Dear all,
> 
> We are setting up tunnels within our network, and are using some 
> previously documented configurations for this. We will use this to 
> enable virtual P2P BGP sessions to isolate certain parts of our routing
> table.
> Cheap, temporary, and fast.
> 
> interface Tunnel0
>   ip address 192.168.100.9 255.255.255.252
>   no ip unreachables
>   no ip proxy-arp
>   ip mtu 1524
>   tunnel source Loopback1
>   tunnel destination 10.10.10.10
> 
> Is there any information/advice/rule-of-thumb on setting the MTU size 
> on the tunnel interface?
> 
> Thanks in advance,
> 
> -nick/
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
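
The forwarding behaviour described in the quoted reply, as an added example that is not part of the original thread: a simplified Python model of what happens to one packet routed into a GRE tunnel, depending on the tunnel's `ip mtu`, the DF bit and `tunnel path-mtu-discovery`. The function names, return labels and sample cases are constructed for illustration; option-less IPv4/TCP headers and a 1500-byte physical MTU are assumed.

```python
import math

IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4   # assumed: no IP/TCP options, basic GRE
GRE_OVERHEAD = IP_HDR + GRE_HDR        # 24 bytes, so 1500 - 24 = 1476 default


def max_mss(ip_mtu):
    """Largest TCP MSS whose IP datagram still fits within ip_mtu."""
    return ip_mtu - IP_HDR - TCP_HDR


def fragments(size, mtu):
    """IPv4 fragments needed to carry a size-byte packet over an mtu-byte hop."""
    per_frag = (mtu - IP_HDR) // 8 * 8  # fragment payloads are multiples of 8
    return math.ceil((size - IP_HDR) / per_frag)


def forward_into_gre(size, df, tunnel_ip_mtu=1476, phys_mtu=1500, pmtud=False):
    """Return (action, packets_sent) for one IP packet routed into the tunnel."""
    # 1. The packet is checked against the tunnel interface's 'ip mtu'.
    if size > tunnel_ip_mtu:
        if df:
            return ("drop, ICMP frag-needed to sender", 0)
        return ("fragment before encapsulation", fragments(size, tunnel_ip_mtu))
    # 2. GRE adds 24 bytes; the outer DF bit is clear unless
    #    'tunnel path-mtu-discovery' copies the inner one.
    outer_size, outer_df = size + GRE_OVERHEAD, df and pmtud
    # 3. The GRE packet must then fit the physical egress MTU.
    if outer_size > phys_mtu:
        if outer_df:
            return ("drop, ICMP to tunnel source", 0)
        return ("fragment after encapsulation", fragments(outer_size, phys_mtu))
    return ("forward", 1)


if __name__ == "__main__":
    # Constructed cases: (packet size, DF bit, tunnel ip mtu, path-mtu-discovery)
    cases = [(1500, True, 1476, False), (1500, False, 1476, False),
             (1500, True, 1500, False), (1500, True, 1500, True),
             (max_mss(1476) + 40, True, 1476, False)]
    for size, df, mtu, pmtud in cases:
        print(size, df, mtu, pmtud, "->", forward_into_gre(size, df, mtu, 1500, pmtud))
```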
