[c-nsp] Order-of-operations question about "adjust-mss" and crypto...

lee.e.rian at census.gov
Sat Nov 1 11:57:09 EDT 2008


"mtu 1600" on the WAN interface also works and doesn't require any changes on the LAN interfaces :)
Lee


-----cisco-nsp-bounces at puck.nether.net wrote: -----

>To: "'Derick Winkworth'" <dwinkworth at att.net>, "'Rodney Dunn'" <rodunn at cisco.com>
>From: "Luan Nguyen" <luan at netcraftsmen.net>
>Sent by: cisco-nsp-bounces at puck.nether.net
>Date: 10/31/2008 02:39PM
>cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
>
>The MSS tells the maximum data a host will accept in a TCP/IP datagram.
>Each side reports the value to the other side and the sending side will
>abide by it.  It's all before encryption.
>So typically, like you said, people put ip tcp adjust-mss 1360 on the group
>member LAN interface and also set ip mtu 1400 on the WAN side, hoping for
>PMTUD to work its magic.
>Putting both on the WAN interface should work as well, though I don't quite
>understand the "backside is MPLS" statement :)...the packet has to be
>originated from somewhere.
>There's a very good paper here on fragmentation:
>http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3
>
>
>Luan Nguyen
>Chesapeake NetCraftsmen, LLC.
>www.NetCraftsmen.net
>
>(blog) http://ccie-security.blogspot.com/
>(e) luan at netcraftsmen.net
>(aim/yahoo): luancnc
>
>
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
>Sent: Friday, October 31, 2008 11:52 AM
>To: Rodney Dunn
>Cc: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
>
>If you apply the "ip tcp adjust-mss" command on an interface that has a
>crypto statement on it...
>
>Does it perform the MSS adjustment on outbound packets before they are
>encrypted?
>Does it perform the MSS adjustment on inbound packets after they are
>decrypted?
>
>I know that this is typically placed on a tunnel interface or, for instance,
>on an ethernet interface of a remote VPN site or something... but I have a
>case where we have many GET-encrypted sub-interfaces (each in their own VRF)
>which are the only logical IP interfaces on the box.  The backside is MPLS,
>so there is no place to put the statement there... so I was just going to
>apply it to the interfaces where the crypto maps are... not sure if this will
>work.
>
>I'll probably have to lab it up, I'm guessing.
>
>Derick
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
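What the clamp Luan describes actually does, as an added example that is not from the thread or from Cisco: the script below builds a TCP SYN, rewrites its MSS option the way "ip tcp adjust-mss" would, recomputes the TCP checksum, and then applies the same clamp to the packet after a stand-in ESP encapsulation (protocol 50), where there is no TCP header left to rewrite. That is the order-of-operations point in Luan's reply (the clamp works on cleartext, before encryption); the script does not model IOS internals. The 1400/1360 pairing is the one Luan quotes (MSS = MTU minus 20-byte IP and 20-byte TCP headers). Addresses, ports, packet bytes and the ESP wrapper are constructed for the example.

```python
"""Added example, not from the thread or from Cisco: clamp the MSS option of
a TCP SYN as "ip tcp adjust-mss" does, then show the same clamp has nothing
to act on once the packet is inside ESP. All packet data is constructed."""
import socket
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_PROTO = 6
ESP_PROTO = 50
MSS_OPTION_KIND = 2

def mss_for_mtu(mtu: int) -> int:
    """MSS matching a given MTU for IPv4/TCP without options: 1400 -> 1360."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN

def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _ipv4_header(src_ip: str, dst_ip: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4 + TCP SYN advertising the given MSS (option kind 2)."""
    opts = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss)
    data_offset = (TCP_HDR_LEN + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4,
                      0x02, 65535, 0, 0) + opts
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + \
        struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return _ipv4_header(src_ip, dst_ip, TCP_PROTO, len(tcp)) + tcp

def _mss_offset(packet: bytes):
    """Offset of the 16-bit MSS value in a cleartext TCP SYN, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO or not packet[ihl + 13] & 0x02:
        return None                      # not TCP (e.g. ESP) or not a SYN
    i, end = ihl + TCP_HDR_LEN, ihl + (packet[ihl + 12] >> 4) * 4
    while i < end:
        kind = packet[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP
            i += 1
            continue
        length = packet[i + 1]
        if kind == MSS_OPTION_KIND and length == 4:
            return i + 2
        i += length
    return None

def read_mss(packet: bytes):
    off = _mss_offset(packet)
    return None if off is None else struct.unpack_from("!H", packet, off)[0]

def clamp_mss(packet: bytes, max_mss: int):
    """Return (packet, advertised MSS or None). An MSS above max_mss is
    rewritten and the TCP checksum recomputed; a packet with no visible
    TCP SYN header (the "after encryption" case) is returned untouched."""
    off = _mss_offset(packet)
    if off is None:
        return packet, None
    advertised = struct.unpack_from("!H", packet, off)[0]
    if advertised <= max_mss:
        return packet, advertised
    buf = bytearray(packet)
    struct.pack_into("!H", buf, off, max_mss)
    ihl = (buf[0] & 0x0F) * 4
    struct.pack_into("!H", buf, ihl + 16, 0)          # zero old checksum
    pseudo = bytes(buf[12:20]) + struct.pack("!BBH", 0, TCP_PROTO, len(buf) - ihl)
    struct.pack_into("!H", buf, ihl + 16, checksum(pseudo + bytes(buf[ihl:])))
    return bytes(buf), advertised

def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, TCP_PROTO, len(packet) - ihl)
    return checksum(pseudo + packet[ihl:]) == 0

def esp_encapsulate(inner: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Stand-in for tunnel-mode ESP: outer IPv4 (protocol 50), SPI/sequence,
    then the inner packet as opaque payload. No cipher is applied here; the
    point is only that no TCP header is parseable at the outer layer."""
    esp_hdr = struct.pack("!II", 0x1000, 1)
    return _ipv4_header(src_ip, dst_ip, ESP_PROTO, len(esp_hdr) + len(inner)) + esp_hdr + inner

if __name__ == "__main__":
    syn = build_syn("10.0.0.5", "10.0.1.7", 40000, 443, 1460)
    clamped, was = clamp_mss(syn, mss_for_mtu(1400))
    print("clamped MSS %d -> %d, checksum ok: %s"
          % (was, read_mss(clamped), tcp_checksum_ok(clamped)))
    _, seen = clamp_mss(esp_encapsulate(syn, "192.0.2.1", "198.51.100.1"), mss_for_mtu(1400))
    print("MSS option visible inside ESP: %s" % (seen is not None))
```

Run it and the first line reports 1460 -> 1360 with a valid checksum; the second reports that the clamp saw no MSS option at all once the SYN was wrapped in protocol 50. That is why the thread's usual advice puts the clamp on an interface the cleartext SYN crosses, and why a clamp that ran after encryption could not work.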
