[c-nsp] Order-of-operations question about "adjust-mss" and crypto...

Derick Winkworth dwinkworth at att.net
Mon Nov 3 07:16:18 EST 2008 

Indeed it does.  This is the preferred route.  Abandon dealing with fragmentation altogether.

Sadly, some MPLS access options (like ethernet access) have a limitation of 1500 byte MTUs in the cloud.

My thought is, just do the MSS adjustments at the sites with this limitation.

We are seeing some corruption of fragments with GET in 12.4(15)T5.  Thats what this is about.  So we upgraded to T7 and jacked up the MTUs wherever possible.





----- Original Message ----
From: "lee.e.rian at census.gov" <lee.e.rian at census.gov>
To: Luan Nguyen <luan at netcraftsmen.net>
Cc: Derick Winkworth <dwinkworth at att.net>; Rodney Dunn <rodunn at cisco.com>; cisco-nsp at puck.nether.net
Sent: Saturday, November 1, 2008 10:57:09 AM
Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...

"mtu 1600" on the wan interface also works & doesn't require any changes on
the lan interfaces :)
Lee


-----cisco-nsp-bounces at puck.nether.net wrote: -----

>To: "'Derick Winkworth'" <dwinkworth at att.net>, "'Rodney Dunn'"
><rodunn at cisco.com>
>From: "Luan Nguyen" <luan at netcraftsmen.net>
>Sent by: cisco-nsp-bounces at puck.nether.net
>Date: 10/31/2008 02:39PM
>cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss"
>and crypto...
>
>The MSS tells the maximum data a host will accept in an TCP/IP
>datagram.
>Each side reports the value to the other side and the sending will
>abide by
>it.  It's all before encryption.
>So typically like you said, people put ip tcp adjust-mss 1360 on the
>group
>member LAN interface and also set ip mtu 1400 on the WAN side hoping
>for
>PMTUD to work its magic.
>Putting both on the WAN interface should work as well, though, I
>don't quite
>understand the backside is MPLS statement :)...the packet has to be
>originated from somewhere.
>There's a very good paper here on Fragmentation
>http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper0
>9186a00
>800d6979.shtml#t3
>
>
>Luan Nguyen
>Chesapeake NetCraftsmen, LLC.
>www.NetCraftsmen.net
>
>(blog) http://ccie-security.blogspot.com/
>(e) luan at netcraftsmen.net
>(aim/yahoo): luancnc
>
>
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick
>Winkworth
>Sent: Friday, October 31, 2008 11:52 AM
>To: Rodney Dunn
>Cc: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Order-of-operations question about "adjust-mss" and
>crypto...
>
>If you apply the "ip tcp adjust-mss" command on an interface that has
>a
>crypto statement on it...
>
>Does it perform the MSS adjustment on outbound packets before they
>are
>encrypted?
>Does it perform the MSS adjustment on inbound packets after they are
>decrypted?
>
>I know that this is typically placed on a tunnel interface or, for
>instance,
>on an ethernet interface of a remote VPN site or something... but I
>have a
>case where we have many GET encryped sub-interfaces (each in their
>own VRF)
>which are the only logical IP interfaces on the box.  The backside is
>MPLS
>so there is no place to put the statement there...  so I was just
>going to
>apply it to the interfaces where the crypto maps are.. not sure if
>this will
>work.
>
>I'll probably have to lab it up I'm guessing.
>
>Derick
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list