Do I need ip tcp adjust-mss command?

Unanswered Question
Sep 25th, 2007

I my Cisco 877 ADSL router under VLAN1 the command "ip tcp adjust-mss 1452" exists, do I need this?

This 877 will be used for a VPN

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sundar.palaniappan Tue, 09/25/2007 - 06:45

It wouldn't hurt to have the command in there even if it doesn't help. PMTUD might be able to discover the maximum MTU supported on the network but PMTUD mightn't work in certain situations and that would warrant the use of this command to avoid MTU problems. This could be very true in VPN setup or when DSL/cable connection is involved.



whiteford Tue, 09/25/2007 - 06:47

also I have a "no cdp" I guess this should be turned on to cdp run?

sundar.palaniappan Tue, 09/25/2007 - 07:16

'no cdp run' disables CDP globally from the router. If you want to enable CDP then you need to remove this command.

whiteford Tue, 09/25/2007 - 07:19

Is this to enable part of the ADSL line/port?

I'm just upgrading from and 837 to a 877, the CPU is always high on the 837.

whiteford Tue, 09/25/2007 - 07:44

I am using putty to edit the config via serial cable. When I boot the router it asks for a username and password then the enable password when I want to edit the config.

Is it good practice, as our other routers only prompt for the enable password when using serial.

Via telnet all require username, password and then the enable password.

Where would I change this serial cable authentication method?

Richard Burts Tue, 09/25/2007 - 07:26


If you want to run CDP on that interface then you need to turn it on. You might want to think about whether you want to run CDP on outward facing interfaces. What benefit will you get from running CDP on an outward facing interface? What information will you expose to someone when you run CDP on an outward facing interface?

On the question of ip tcp adjust-mss, in an ideal world you would not need it. And if practice if you do not have problems with Path MTU Discovery then you do not need it. But when data is forwarded out interfaces which may insert extra fields into headers or insert extra headers into frames (and VPN will do this) then there is a possible issue with PMTUD. When people deny icmp any any in the name of security they break PMTUD. I believe it does no harm and it possibly does a lot of good. I would leave the adjust-mss in the config.

[edit] in re-reading this thread it is not clear whether the CDP is related to the outward facing interface as I assumed, the VLAN interface, or something else. Perhaps you can clarify?



whiteford Tue, 09/25/2007 - 07:33

I'm purely copy someone else's config, It's an ADSL router to be used for a site-to-site VPN to a Cisco Concentrator. On the default router config no CDP is there, on this other condifs it doesn't exist.

Richard Burts Tue, 09/25/2007 - 07:58


As far as the serial cable login is concerned, if you want to change it you would go under line console 0. I am not sure that there is much agreement on what is best, to require userID and password to login to user mode or not. My personal opinion is that if the router is in a location that is relatively secure and if you trust the people who will have physical access to the router then no userID or password for user mode is fine. If the router will be in an environment where you can not necessarily trust the people who might have physical access then a userID and password to get to user mode is probably a good thing.

If this router is for a remote location then CDP may have minimal value. CDP will not run over a VPN tunnel (unless it is IPSec with GRE). So the outward facing interface will not do much good. And the inward facing interface may not have other Cisco devices to talk to.

In general I am a proponent of turn on CDP because it is so often a useful tool. In this case I am not sure it makes much difference whether CDP is on or is off.



whiteford Tue, 09/25/2007 - 08:44

Thanks Rick,

One other thing I have noticed is that under the fast ethernet ports it is blank, I take it I don't have to add duplex full and speed 100 to the 4 ports, all I will do is put a cable into a 24 port switch where there are 8 users from this router.

I have currently got a Cisco 837 there and through out the day the cpu is nearly 100% for long periods. The line is 8mb download and 1mb upload. I've been told the 837 can't handle encryption well, also the router never uses over 1mb on the download another issue with the 837.

Hopefully the 877 will be better. I have also bought a 1841 with an ADSL port to test with as I need to upgrade some offices that use 837s. Looking at stats over the months they rarely use over 1mb on the downloads when they should.

Richard Burts Tue, 09/25/2007 - 09:13


I believe that it is correct that you do not need to add duplex or speed on the fast ethernet ports.

I do not have much experience with the 837 but I would think that the 877 would be better. I do have a good bit of experience with the 1841 and I have a very good opinion of them. They certainly ought to handle the load well.



whiteford Tue, 09/25/2007 - 09:22

Thanks, I might need your help with the 1841 unless its a similar config to a 837 and 877? Hope you get a chance to are my posts ;)


This Discussion