[c-nsp] Order-of-operations question about "adjust-mss" and crypto...

Luan Nguyen luan at netcraftsmen.net
Fri Oct 31 14:39:47 EDT 2008


The MSS tells the maximum data a host will accept in a TCP/IP datagram.
Each side reports the value to the other side and the sending side will abide
by it.  It's all before encryption.
So typically like you said, people put ip tcp adjust-mss 1360 on the group
member LAN interface and also set ip mtu 1400 on the WAN side hoping for
PMTUD to work its magic.
Putting both on the WAN interface should work as well, though I don't quite
understand the "backside is MPLS" statement :)...the packet has to be
originated from somewhere.
There's a very good paper here on Fragmentation:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3


Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

(blog) http://ccie-security.blogspot.com/
(e) luan at netcraftsmen.net
(aim/yahoo): luancnc
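The reply above describes what "ip tcp adjust-mss 1360" does (rewrite the MSS option a host advertises in its SYN so the peer never sends a segment that, once encapsulated, exceeds the tunnel MTU) and why 1360 pairs with "ip mtu 1400". The following is an added example, not code from the thread or from Cisco: it emulates the SYN rewrite in Python on a constructed IPv4/TCP segment, recomputing the TCP checksum the way the router must before the packet is handed to crypto. It assumes IPv4 without IP options; the addresses, ports and the 1460-byte Ethernet MSS are constructed sample values.

```python
"""
Added example (not from the mailing-list thread): what "ip tcp adjust-mss"
does to a TCP SYN, and why 1360 is the value paired with "ip mtu 1400".

Assumptions not stated on the page: IPv4 without IP options, a TCP header
without data, and sample addresses/ports constructed for the example.
"""
import struct

IPV4_HDR = 20
TCP_HDR = 20


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IP packet of size `mtu`.
    ip mtu 1400 -> 1400 - 20 (IP) - 20 (TCP) = 1360, the value in the thread."""
    return mtu - IPV4_HDR - TCP_HDR


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over `data`, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers (protocol 6 = TCP)."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed TCP SYN carrying MSS (kind 2, len 4), two NOPs and SACK-permitted."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (TCP_HDR + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)   # flags 0x02 = SYN
    seg = hdr + options
    csum = checksum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def _mss_offset(opts: bytes):
    """Index of the MSS option inside the TCP options block, or None."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end-of-option-list
            return None
        if kind == 1:                       # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                      # malformed option: stop rather than loop
            return None
        if kind == 2 and length == 4:
            return i
        i += length
    return None


def read_mss(segment: bytes):
    """Advertised MSS in a segment, or None if the option is absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[TCP_HDR:data_offset]
    i = _mss_offset(opts)
    return None if i is None else struct.unpack("!H", opts[i + 2:i + 4])[0]


def adjust_mss(src: bytes, dst: bytes, segment: bytes, clamp: int) -> bytes:
    """Emulate 'ip tcp adjust-mss <clamp>': only SYN segments are touched, and
    only when the advertised MSS exceeds the clamp. The TCP checksum is
    recomputed; on the router this happens before the packet is encrypted."""
    if not segment[13] & 0x02:              # not a SYN: pass through untouched
        return segment
    data_offset = (segment[12] >> 4) * 4
    opts = bytearray(segment[TCP_HDR:data_offset])
    i = _mss_offset(opts)
    if i is None or struct.unpack("!H", opts[i + 2:i + 4])[0] <= clamp:
        return segment
    opts[i + 2:i + 4] = struct.pack("!H", clamp)
    seg = bytearray(segment[:TCP_HDR]) + opts + bytearray(segment[data_offset:])
    seg[16:18] = b"\x00\x00"                # zero the checksum field before summing
    seg[16:18] = struct.pack("!H", checksum(pseudo_header(src, dst, len(seg)) + bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    src, dst = bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])   # constructed sample
    syn = build_syn(src, dst, 40000, 443, 1460)               # host on a 1500-byte LAN
    clamped = adjust_mss(src, dst, syn, mss_for_mtu(1400))
    print(read_mss(syn), "->", read_mss(clamped))             # 1460 -> 1360
```

The check a practitioner wants after applying the command is exactly what the script does with `read_mss`: capture a SYN on the far side of the crypto interface and confirm the MSS option reads 1360, and confirm that a SYN already advertising a smaller value is left alone.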



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
Sent: Friday, October 31, 2008 11:52 AM
To: Rodney Dunn
Cc: cisco-nsp at puck.nether.net
Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...

If you apply the "ip tcp adjust-mss" command on an interface that has a
crypto statement on it...

Does it perform the MSS adjustment on outbound packets before they are
encrypted?  
Does it perform the MSS adjustment on inbound packets after they are
decrypted?

I know that this is typically placed on a tunnel interface or, for instance,
on an ethernet interface of a remote VPN site or something... but I have a
case where we have many GET-encrypted sub-interfaces (each in their own VRF)
which are the only logical IP interfaces on the box.  The backside is MPLS,
so there is no place to put the statement there... so I was just going to
apply it to the interfaces where the crypto maps are... not sure if this will
work.

I'll probably have to lab it up I'm guessing.

Derick
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


