[c-nsp] L2TPv3 and VLANs

Andrew Yourtchenko ayourtch at cisco.com
Fri Jun 19 12:52:09 EDT 2009



On Fri, 19 Jun 2009, Benny Amorsen wrote:

> "Paul Stewart" <paul at paulstewart.org> writes:
>
>> On a related note to the PS below... we have tested l2tpv3 on a few
>> different boxes running various IOS images and on each of the devices we did
>> test we saw the same behavior.  This means something is either broken in the
>> code in my opinion or that we are doing something wrong.  Typically that
>> means the second option in our case (lol) but I did get a fair amount of
>> feedback offline from folks with similar problems....;)
>
> Generally problems with PMTU are caused by people blocking ICMP in their

Somehow yesterday I correlated the original "UDP not working" comment to 
the "replies off list" and was thinking that we don't fragment the 
UDP correctly - since I assumed the PMTUD blackholing problem to be 
reasonably well known. Sorry, my bad.

> (usually PIX/ASA) firewalls. If you control the whole path, you can make
> sure that you're not one of the culprits.
>
> On the other hand, if you're trying to reach the Internet through
> tunnels with non-1500-byte MTU, you'll just have to accept that it won't
> work. You can MSS adjust for TCP traffic though or you can lower your
> interface or route MTU as workarounds. The only real fix is either
> PIX/ASA administrators getting a clue, or Cisco getting a clue. Not
> particularly likely.

Given the existence of http://www.kb.cert.org/vuls/id/222750, it's 
impossible to claim a simple and single answer for all, IMHO. I wish I 
could just say "fix your systems and don't bother to block the type 3 
code 4", and the things would magically work. But there are always 
"more urgent things that need to be done yesterday" - so we are where we 
are.

OTOH, to create a blackhole, you don't need a firewall or a firewall 
administrator, for that reason - "no ip unreachables" does this job pretty 
well too.

>
>
> /Benny
>
> (Yes, I'm bitter.)
>

Have a good weekend.

cheers,
andrew
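As an added illustration of the PMTUD blackhole the thread is circling around (this is not code from the thread or from Cisco), the script below models a DF-set sender crossing a path with one hop of reduced MTU, an L2TPv3 tunnel. The hop names, the 1460-byte tunnel MTU and the 1500-byte edge MTU are constructed for the example. It walks through the three cases discussed above: PMTUD working as designed, a firewall in the return path filtering ICMP type 3 code 4, and the router itself configured with "no ip unreachables". It also shows why MSS clamping rescues TCP but not UDP: a clamped TCP segment simply never exceeds the tunnel MTU, so no ICMP is ever needed.

```python
"""PMTUD blackhole walk-through (added example, not from the thread).

Models a sender with DF set crossing a path that contains one hop with a
smaller MTU (an L2TPv3 tunnel).  MTU values and hop names are constructed.
"""
from dataclasses import dataclass, field

ICMP_FRAG_NEEDED = "ICMP type 3 code 4"
IP_HDR = 20
TCP_HDR = 20
TUNNEL_MTU = 1460  # constructed: assumed payload MTU through the L2TPv3 tunnel


@dataclass
class Hop:
    name: str
    mtu: int
    sends_unreachables: bool = True  # IOS default; "no ip unreachables" -> False
    passes_icmp: bool = True         # False: a firewall filtering type 3 code 4


@dataclass
class Sender:
    path_mtu: int = 1500             # initial estimate: the first-hop MTU
    log: list = field(default_factory=list)

    def send(self, size: int, path: list) -> str:
        """Send one DF datagram of `size` bytes; return 'delivered' or 'blackholed'.

        On an ICMP 3/4 the sender lowers its PMTU estimate and retransmits at
        that size, which is what a TCP stack does.  A UDP application that
        keeps emitting 1500-byte datagrams would fail regardless.
        """
        for _ in range(len(path) + 1):  # at most one ICMP per hop before converging
            too_big = next(((i, h) for i, h in enumerate(path) if size > h.mtu), None)
            if too_big is None:
                self.log.append(f"delivered {size}B")
                return "delivered"
            i, hop = too_big
            if not hop.sends_unreachables:
                self.log.append(f"{hop.name}: dropped {size}B silently (no ip unreachables)")
                return "blackholed"
            # The ICMP reply must cross every hop between the dropping router and us.
            if not all(h.passes_icmp for h in path[:i]):
                self.log.append(f"{hop.name}: {ICMP_FRAG_NEEDED} filtered on return path")
                return "blackholed"
            self.log.append(f"{hop.name}: {ICMP_FRAG_NEEDED}, next-hop MTU {hop.mtu}")
            self.path_mtu = min(self.path_mtu, hop.mtu)
            size = self.path_mtu
        return "blackholed"


def build_path(firewall_blocks_icmp: bool = False, no_ip_unreachables: bool = False) -> list:
    """Constructed three-hop path: edge firewall, L2TPv3 tunnel router, core."""
    return [
        Hop("edge-fw", 1500, passes_icmp=not firewall_blocks_icmp),
        Hop("l2tpv3-tunnel", TUNNEL_MTU, sends_unreachables=not no_ip_unreachables),
        Hop("core", 1500),
    ]


def run(size: int, **path_opts) -> tuple:
    """Return (outcome, sender's final PMTU estimate) for one datagram size."""
    s = Sender()
    result = s.send(size, build_path(**path_opts))
    return result, s.path_mtu


def tcp_datagram_size(peer_mss: int, adjust_mss: int = None) -> int:
    """On-the-wire size of a full TCP segment, optionally after a router in the
    path rewrote the MSS option (the effect of "ip tcp adjust-mss" on IOS)."""
    mss = peer_mss if adjust_mss is None else min(peer_mss, adjust_mss)
    return mss + TCP_HDR + IP_HDR


if __name__ == "__main__":
    print("PMTUD works:         ", run(1500))
    print("firewall drops ICMP: ", run(1500, firewall_blocks_icmp=True))
    print("no ip unreachables:  ", run(1500, no_ip_unreachables=True))
    print("small packets pass:  ", run(1000, firewall_blocks_icmp=True))
    clamped = tcp_datagram_size(1460, adjust_mss=TUNNEL_MTU - IP_HDR - TCP_HDR)
    print("TCP with MSS clamp:  ", run(clamped, firewall_blocks_icmp=True))
```

The "small packets pass" case is the tell-tale symptom: pings and short exchanges work while bulk transfers hang, which is why the problem gets misread as "UDP not working" or a forwarding bug. On IOS the two knobs modelled here are `ip tcp adjust-mss` on the tunnel-facing interface (the TCP-only workaround Benny mentions) and `ip unreachables`, which must remain enabled on the router that drops the oversized packet for PMTUD to have any chance at all.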

