[c-nsp] MPLS VPN over mGRE - PMTUD?

Benjamin Lovell belovell at cisco.com
Wed Sep 29 21:39:19 EDT 2010


The problem with ICMP frag needed is some apps (read: Microsoft) just  
flat out fail when fragmentation happens and set the DF bit to be sure it does  
not. ICMP frag needed or not, they will just fail over and over. They  
may have gotten better with this since the last time I cared (somewhere  
between one and two years ago).

Increasing the MTU on core will not help if you can't raise the tunnel  
MTU to match core interface minus encap overhead. You will still frag  
on tunnel ingress.

I can see one of two possible ways to get around this, each with its  
own caveats.

tcp mss-adj is one, which is obviously only useful for TCP connections.  
The other caveat is that mss-adj will cause the first packet in each  
direction to be punted to the CPU, so a large number of session setups could  
be an issue.

I can't remember the exact details as I only had 2nd-hand involvement  
in the MPLS MTU thing; they made a quick change which, for technical  
implementation reasons, only lets you set the MPLS MTU to MAX (like 9K or  
44K or something huge). You could do this and assume that post-  
fragmentation is your best bet if you are using IPSEC and have an IPSEC  
platform that can handle the frag reassembly load, which will then  
cause everything to be reassembled before hitting the GRE / MPLS / app  
layer. GRE and IPSEC take a performance hit with frag, but this is  
better than MPLS frag, which is explicitly disallowed and not supported  
in a number of specs and implementations.

Caveats and trade-offs can be quite different from platform to  
platform, so I would recommend some validation testing whichever way  
you decide to go.


-Ben



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           .            .          Benjamin Lovell
           |            |          AS Video Practice
          |||          |||         Cisco Customer Advocacy
        .|||||.      .|||||.       Research Triangle Park, NC
     .:|||||||||:..:|||||||||:.    Email:  belovell at cisco.com
              cisco            desk:919.392.8255 cell:203.509.1562
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



On Sep 29, 2010, at 7:15 PM, Alasdair McWilliam wrote:

> Thanks for the heads up on that.
>
> My 'PE' routers will be 7200-NPE400 FE in/out or ASR1k GbE in/out  
> (and possibly ISR 3945s if/when the feature is available..) all with  
> standard 1500 MTU. Inside LAN interfaces will be subinterfaces (one  
> per VRF) and outside WAN interfaces will be access ports running IGP  
> into the IP core. Providing I can ensure ICMP Unreachables through the  
> client/server end-to-end path, I guess I should be OK. Would you  
> recommend setting anything like mss adjust on the inside  
> subinterfaces if I can't? (Or as well as?!)
>
> Do you (or anyone...) think there would be any noticeable  
> performance penalty (latency, throughput) with this scenario?
>
> I have not yet investigated the possibility of simply increasing the  
> MTU on all my outside core interfaces but that is most likely out of  
> my control!
>
> Any help/comments/suggestions appreciated! :-)
>
> Cheers
> Al
>
>
> On 29 Sep 2010, at 21:40, Benjamin Lovell wrote:
>
>> If you are looking to do this for setting the MPLS MTU dynamically  
>> then I don't think this will help as starting with our forwarding  
>> infrastructure rewrite in 12.4(20)T (I would need to check to be  
>> sure when/if in other code trains) we lost the ability to set the  
>> MPLS MTU on tunnel interfaces.
>>
>> See CSCth11646.
>>
>>
>> On Sep 29, 2010, at 3:17 PM, Alasdair McWilliam wrote:
>>
>>> Hi List,
>>>
>>> Apologies if this is hidden in the list somewhere, but I've done a  
>>> bit of Googling and can't find too much.. so here goes!
>>>
>>> I'm looking at implementing an MPLS VPN over mGRE solution to  
>>> facilitate routing instance segregation across multiple,  
>>> geographically separate sites, across a third party Layer 3  
>>> infrastructure. (12.2SRE for 7200, IOS-XE 3 for ASR1k and looks to  
>>> be coming into ISR G2 in 15.1T.) However given the mix of GRE  
>>> encapsulation to provide the PE-PE connectivity, I'm a bit worried  
>>> that apps might have a hissy fit.
>>>
>>> My question is, does anyone know if it's possible to enable PMTUD  
>>> with this feature? I've got it setup in a lab and the Tunnel0 and  
>>> Tunnel1 interfaces cannot be directly modified from the CLI (they  
>>> don't appear in config either...)
>>>
>>> The next best thing I can see would be Dynamic L3 VPNs over mGRE,  
>>> but that isn't available on the platforms I use, and I really  
>>> don't want to go as far as to enable full blown MPLS over point to  
>>> point GRE tunnels if I can at all avoid it!
>>>
>>> Any tips? :-)
>>>
>>> Cheers
>>> Al
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
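The MTU arithmetic behind this thread, as an added example that is not part of the original posts: it models the PE-PE encapsulation overhead (outer IPv4 + GRE + one MPLS VPN label, optionally a GRE key and worst-case tunnel-mode ESP with AES-CBC/HMAC-SHA1-96), derives the tunnel MTU and the matching TCP MSS clamp, and then traces what happens at tunnel ingress to a 1500-byte customer packet with and without DF, including Ben's "fails over and over" host that sets DF but ignores ICMP frag-needed. Header sizes are the standard ones; the IPsec overhead figure and the ingress behaviour are simplifying assumptions, not a model of any particular IOS platform. Function names are mine.

```python
"""Added example (not from the cisco-nsp thread): MTU budget for MPLS VPN
over mGRE and a tunnel-ingress PMTUD walk. Platform behaviour (punts,
reassembly limits) is deliberately not modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HDR = 20       # outer IPv4 header added by the GRE tunnel
GRE_HDR = 4         # basic GRE header (no key / sequence / checksum)
GRE_KEY = 4         # optional GRE key field
MPLS_LABEL = 4      # one label-stack entry; over mGRE only the VPN label rides inside GRE
TCP_HDR = 20        # minimum TCP header, used to derive the MSS clamp

# Assumption: tunnel-mode ESP, AES-CBC (16-byte IV, up to 15 bytes padding),
# HMAC-SHA1-96 (12-byte ICV). Worst case so a clamp derived from it always fits.
ESP_TUNNEL_WORST = IPV4_HDR + 4 + 4 + 16 + 15 + 2 + 12   # outer IP, SPI, seq, IV, pad, padlen+NH, ICV


def tunnel_mtu(core_mtu: int, labels: int = 1, gre_key: bool = False,
               ipsec: bool = False) -> int:
    """Largest customer IP packet that fits one core frame after encapsulation.
    This is the 'core MTU minus encap overhead' figure the thread refers to."""
    overhead = IPV4_HDR + GRE_HDR + labels * MPLS_LABEL
    if gre_key:
        overhead += GRE_KEY
    if ipsec:
        overhead += ESP_TUNNEL_WORST
    return core_mtu - overhead


def mss_clamp(payload_mtu: int) -> int:
    """TCP MSS that lets a full-size segment fit: strip inner IPv4 + TCP headers."""
    return payload_mtu - IPV4_HDR - TCP_HDR


@dataclass
class Verdict:
    action: str                                # "forward", "fragment" or "drop"
    fragments: int = 1                         # number of pieces when fragmenting
    icmp_next_hop_mtu: Optional[int] = None    # RFC 1191 next-hop MTU, set on "drop"


def tunnel_ingress(pkt_len: int, df: bool, mtu: int) -> Verdict:
    """What the PE does with one customer IPv4 packet at GRE/MPLS ingress.
    Oversized + DF  -> drop and signal ICMP type 3 code 4 with the tunnel MTU.
    Oversized, no DF -> fragment the inner packet before encapsulation
    (each fragment gets its own IP header; data length is a multiple of 8)."""
    if pkt_len <= mtu:
        return Verdict("forward")
    if df:
        return Verdict("drop", icmp_next_hop_mtu=mtu)
    data = pkt_len - IPV4_HDR
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    return Verdict("fragment", fragments=-(-data // per_frag))


def pmtud_walk(start_len: int, mtu: int, honors_icmp: bool,
               max_tries: int = 5) -> List[Tuple[int, str]]:
    """Trace of a DF-setting sender. A host that honours frag-needed shrinks
    to the advertised MTU and succeeds; one that ignores it (the behaviour
    complained about in the thread) resends the same size and fails every time."""
    size, trace = start_len, []
    for _ in range(max_tries):
        v = tunnel_ingress(size, df=True, mtu=mtu)
        trace.append((size, v.action))
        if v.action == "forward":
            break
        if honors_icmp and v.icmp_next_hop_mtu is not None:
            size = v.icmp_next_hop_mtu
    return trace


if __name__ == "__main__":
    # Constructed scenario from the thread: standard 1500-byte core, one VPN label.
    core = 1500
    plain = tunnel_mtu(core)
    print(f"tunnel MTU (GRE+1 label): {plain}, MSS clamp: {mss_clamp(plain)}")
    sec = tunnel_mtu(core, ipsec=True)
    print(f"tunnel MTU (GRE+1 label over ESP, worst case): {sec}, MSS clamp: {mss_clamp(sec)}")
    print("1500B no DF:", tunnel_ingress(1500, df=False, mtu=plain))
    print("1500B DF:   ", tunnel_ingress(1500, df=True, mtu=plain))
    print("honours ICMP:", pmtud_walk(1500, plain, honors_icmp=True))
    print("ignores ICMP:", pmtud_walk(1500, plain, honors_icmp=False))
```

For the 1500-byte core in the thread this gives a 1472-byte tunnel MTU and a 1432-byte MSS, which is the value you would put in `ip tcp adjust-mss` on the inside VRF subinterfaces if you go the mss-adj route; with IPsec underneath the budget drops to 1399/1359 under the worst-case ESP assumption above. The walk shows why mss-adj and a reliable ICMP path are complementary rather than alternatives: the clamp fixes TCP regardless of the host, while only ICMP delivery helps the DF-setting host that actually listens.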



