[c-nsp] MTU settings/GRE tunnel
Nick Kraal
nick at arc.net.my
Sun Sep 23 21:55:33 EDT 2007
Noted with thanks.
Best regards,
-nick/
Masood Ahmad Shah wrote:
> Please always CC to mailing list so others can see it and share their
> experience/thoughts....
>
>
>
> Regards,
> Masood Ahmad Shah
>
>
> -----Original Message-----
> From: Nick Kraal [mailto:nick at arc.net.my]
> Sent: Friday, September 21, 2007 10:54 PM
> To: Masood Ahmad Shah
> Subject: Re: [c-nsp] MTU settings/GRE tunnel
>
> Thanks Masood for the advice. We got stuck big time accessing some internal
> web servers. Narrowed this down to MTU/MSS issues. Adjusting the MSS helped
> out a lot. Will try the other pointers given.
>
> Much appreciated and regards,
>
> -nick/
>
> Masood Ahmad Shah wrote:
>> use 'ip tcp adjust-mss 1400' on a router seeing traffic in the clear
>> to force MSS to 1400 so IP datagram size to 1420 (of course 1400 is
>> just a guess), this will cover all TCP traffic.
>>
>> Set ip mtu 1500 on GRE tunnel interface (yes 1500 bytes)..
>>
>> Reasoning:
>> - GRE encapsulation clears the DF bit UNLESS 'tunnel path-mtu-discovery'
>>   is set on the tunnel interface (if turned on the tunnel MTU will be
>>   dynamically adjusted upon receipt of ICMP)
>> - IPsec encapsulation copies the DF and adjusts the path MTU upon
>>   receipt of ICMP UNLESS 'crypto ipsec df-bit clear/set' is configured
>>   in the crypto map
>> - router will fragment when forwarding to any interface whose MTU is
>>   smaller than the received IP packet. This happens often when
>>   forwarding to a GRE tunnel whose MTU is 1476 per default...
>>
>>
>> The last point forces the router to drop all 1500-bytes packets and to
>> send an ICMP message when a DF packet is received.
>>
>>
>> Regards,
>> Masood Ahmad Shah
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Kraal
>> Sent: Thursday, September 20, 2007 12:51 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] MTU settings/GRE tunnel
>>
>> Dear all,
>>
>> We are setting up tunnels within our network, and are using some
>> previous documented configurations for this. We will use this to
>> enable virtual P2P BGP sessions to isolate certain parts of our routing
>> table.
>> Cheap, temporary, and fast.
>>
>> interface Tunnel0
>>  ip address 192.168.100.9 255.255.255.252
>>  no ip unreachables
>>  no ip proxy-arp
>>  ip mtu 1524
>>  tunnel source Loopback1
>>  tunnel destination 10.10.10.10
>>
>> Is there any information/advice/rule-of-thumb on setting the MTU size
>> on the tunnel interface?
>>
>> Thanks in advance,
>>
>> -nick/
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/