I would like to tunnel IP packets over an IP network, and this IP network has 1500 MTU (regular ethernet MTU). In the cisco tunnel (and most others) the tunnel MTU ends up being 1450-something bytes. This is not acceptable, I need something that is able to split the packet up into two packets so that the tunnel MTU will be 1500.
Does anyone know of a product that does this? I do not want any kind of unix/pc solution, everything that consists of PC hardware or has a harddrive is by default ruled out.
-- Mikael Abrahamsson email: swmike@swm.pp.se
On Thu, 11 Jan 2001 18:44:22 +0100, Mikael Abrahamsson <swmike@swm.pp.se> said:
> I would like to tunnel IP packets over an IP network, and this IP network has 1500 MTU (regular ethernet MTU). In the cisco tunnel (and most others) the tunnel MTU ends up being 1450-something bytes. This is not acceptable, I need something that is able to split the packet up into two packets so that the tunnel MTU will be 1500.
Why is it "not acceptable"? Can you configure a Path MTU of 1450 to avoid fragmenting, or run Path MTU Discovery?
-- Valdis Kletnieks, Operating Systems Analyst, Virginia Tech
On Thu, 11 Jan 2001 Valdis.Kletnieks@vt.edu wrote:
> Why is it "not acceptable"? Can you configure a Path MTU of 1450 to avoid fragmenting, or run Path MTU Discovery?
    <customer location 2>
      |
    our router2
      | tunnel
    our net
      | tunnel
    our router1
      |
    <customer location 1>
      |
    customers NATbox
      |
    customers internetconnection
      |
    another machine
The "NEED TO FRAG"-ICMPs generated by our router1 when "another machine" sends packets with 1500 MTU size and DF flag set will be about RFC1918 addresses when "another machine" thinks it's talking to the address of the NATbox. Breaks everything.
Anyhow, P-MTUd is broken in too many places in the internet anyway.
-- Mikael Abrahamsson email: swmike@swm.pp.se
I run a large global crypto WAN based on Cisco's IPSEC implementation. We've found they do some strange things with MTUs on the tunnel interfaces. The reason this happens is so the packet can contain GRE or other encapsulation and encryption information without exceeding the 1500MTU you desire. Typically, the packets travel with a 1500MTU over the IP networks. If the crypto/tunnel device needs to fragment a packet to fit in the frame given the header info, it will do this.
As a side note... it seems useful to make sure your border systems are setting the 1500MTU. This may be a good practice for other reasons, but it seems to cut down on confusion when troubleshooting tunnels. Other things to look out for are misconfigured MPLS tunnels in your path.
craig
Network Engineer
Yahoo! Inc.
(408)731-3572
Y!Messenger: cholland
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Mikael Abrahamsson
Sent: Thursday, January 11, 2001 9:44 AM
To: nanog@merit.edu
Subject: IPIP-tunnel with 1500 MTU
I would like to tunnel IP packets over an IP network, and this IP network has 1500 MTU (regular ethernet MTU). In the cisco tunnel (and most others) the tunnel MTU ends up being 1450-something bytes. This is not acceptable, I need something that is able to split the packet up into two packets so that the tunnel MTU will be 1500.
Does anyone know of a product that does this? I do not want any kind of unix/pc solution, everything that consists of PC hardware or has a harddrive is by default ruled out.
-- Mikael Abrahamsson email: swmike@swm.pp.se
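Added example, not part of the thread and not any vendor's implementation: the "split into two packets" behaviour discussed above, shown for plain IP-in-IP where the outer packet is fragmented after encapsulation so a 1500-byte inner packet passes unchanged. It assumes a 20-byte outer header with no options; the addresses, function names and sample packet are constructed for illustration.

```python
import struct

IP_HDR = 20          # IPv4 header without options
PROTO_IPIP = 4       # IP-in-IP protocol number
MF = 0x2000          # "more fragments" flag bit

def checksum(hdr: bytes) -> int:
    """Ones' complement header checksum (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, total_len, ident, flags_off, proto):
    """Build a 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate_and_fragment(inner, src, dst, path_mtu=1500, ident=1):
    """Carry `inner` as IPIP payload, fragmenting the outer packet to fit."""
    # Every fragment payload except the last must be a multiple of 8 bytes.
    chunk = (path_mtu - IP_HDR) // 8 * 8
    frags = []
    for off in range(0, len(inner), chunk):
        part = inner[off:off + chunk]
        more = MF if off + chunk < len(inner) else 0
        hdr = ipv4_header(src, dst, IP_HDR + len(part), ident,
                          more | (off // 8), PROTO_IPIP)
        frags.append(hdr + part)
    return frags

def reassemble(frags):
    """Far tunnel endpoint: order fragments by offset, rebuild the inner packet."""
    parts = {}
    for f in frags:
        flags_off = struct.unpack("!H", f[6:8])[0]
        parts[(flags_off & 0x1FFF) * 8] = f[IP_HDR:]
    return b"".join(parts[o] for o in sorted(parts))

def sample_inner():
    # Constructed 1500-byte inner packet: DF set (0x4000), UDP, zero payload.
    a, b = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])
    return ipv4_header(a, b, 1500, 7, 0x4000, 17) + bytes(1480)

if __name__ == "__main__":
    out = encapsulate_and_fragment(sample_inner(), bytes([198, 51, 100, 1]),
                                   bytes([198, 51, 100, 2]))
    print([len(f) for f in out])
```

The DF bit of the inner packet is left untouched because only the outer header is fragmented, which is why no "need to frag" ICMP has to reach the original sender in this arrangement.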
participants (3): Craig Holland, Mikael Abrahamsson, Valdis.Kletnieks@vt.edu