IPSEC, GRE, port channel, and MTU Questions

Unanswered Question
Nov 13th, 2008

I have an ASR1004 and am trying to load-balance a 1.5G data rate over two 1-Gig ports using IPSEC, but I have a few questions.

1. Can GRE support a 9K MTU w/o fragmenting?

2. Can you run IPSEC on a port channel?

3. Can the ASR load-balance per S&D on this logical interface?

I currently have two separate tunnels, one on each outbound gig interface and with OSPF running between them using OSPF/GRE. However, I can't get a 7000 mtu w/ the DF bit set through to the distant end. I am guessing this is because of the GRE interface.

So is it possible to run IPSEC on a port channel and have this load balance per S&D? I need to use the BW of both ports.

Thanks for the help!

Giuseppe Larosa Thu, 11/13/2008 - 23:03

Hello Donald,

If you are running OSPF within GRE and then encapsulated in IPSec, you should already be able to load balance over them because OSPF supports equal cost load balancing.

This should be easy to achieve and avoids being dependent on the implementation, as could be the case if using an L3 port-channel: after encapsulation you have only the IPSec flow, so load balancing depends on when the load sharing decision is taken, before or after IPSec encapsulation (that is done on the ESP, by the way).

If there is a single IP flow of 1.5 Gbps, this doesn't provide load balancing with default settings.

In this case you could try to enable per-packet CEF load balancing (if available on ASR1004).

About the other MTU questions: both GRE and IPSec are performed on the ASR1004 by dedicated hardware (Embedded Service Processors (ESPs)) that has its own specifications, so it is possible that there is a limit on MTU lower than the MTU that you can set on the physical and tunnel interfaces.

So in this case we are really entering the implementation field.

The GRE will add its own overhead, at least 24 bytes, so the payload size is reduced, this is sure, and your ping test can fail.

Hope to help

Giuseppe
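The effect described in the answer above, where the point at which the load-sharing decision is taken changes the result, as an added example that is not part of the original thread and not router code. It assumes hypothetical link names, constructed addresses and traffic, SHA-256 as a stand-in for the router's hash, and only the 24-byte GRE overhead quoted above (IPSec overhead is left out).

```python
import hashlib
from itertools import cycle

LINKS = ("gig-a", "gig-b")   # hypothetical names for the two 1-Gig ports
GRE_OVERHEAD = 24            # bytes, the minimum quoted in the answer above

def pick_link(src, dst, links=LINKS):
    """Per source/destination sharing: one address pair always maps to one link.
    SHA-256 is a stand-in hash, not the router's own algorithm."""
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return links[digest[0] % len(links)]

def share_per_flow(packets, links=LINKS):
    """Return bytes placed on each link when hashing on (src, dst)."""
    load = {link: 0 for link in links}
    for src, dst, size in packets:
        load[pick_link(src, dst, links)] += size
    return load

def share_per_packet(packets, links=LINKS):
    """Return bytes placed on each link with round-robin per-packet sharing."""
    load = {link: 0 for link in links}
    for link, (_, _, size) in zip(cycle(links), packets):
        load[link] += size
    return load

def encapsulate(packets, tunnel_src, tunnel_dst, overhead=GRE_OVERHEAD):
    """After tunnelling, every packet carries the tunnel endpoints as outer addresses."""
    return [(tunnel_src, tunnel_dst, size + overhead) for _, _, size in packets]

def sample_traffic(flows=64, packets_per_flow=100, size=1400):
    """Constructed traffic: `flows` inner host pairs, equal-sized packets."""
    return [(f"10.0.0.{i}", f"10.1.0.{i}", size)
            for i in range(1, flows + 1) for _ in range(packets_per_flow)]

if __name__ == "__main__":
    inner = sample_traffic()
    outer = encapsulate(inner, "192.0.2.1", "192.0.2.2")  # constructed endpoints
    print("decision before encapsulation: ", share_per_flow(inner))
    print("decision after encapsulation:  ", share_per_flow(outer))
    print("per-packet after encapsulation:", share_per_packet(outer))
```

Per-packet sharing evens out the byte counts but can deliver packets of one flow out of order, which matters for IPSec anti-replay checking and for TCP throughput at the far end.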

donaldspry Fri, 11/14/2008 - 10:41

So GRE MTU size is a per-implementation feature and not a restriction of the protocol itself?

Also, what is the relationship between "ip load-sharing" and the OSPF load balancing? Does the "ip load-sharing" make the decision on how to put the data on the wire then OSPF sends that data to the destination - equal cost?

DJ

Giuseppe Larosa Fri, 11/14/2008 - 11:31

Hello Donald,

About GRE: you can agree that using packets of 7,000 bytes is not so common in current networks, so I suppose you can face a limitation of ESP hardware on your ASR.

Load balancing:

My understanding is the opposite:

The CEF switching decides how to use the equal cost paths to forward packets according to the algorithm in use (load sharing commands).

The forwarding paths have been inserted by OSPF in the routing table and indirectly in the CEF table. (CEF is topology driven.)

So load balancing doesn't depend on the routing protocol you use, but each protocol can have some specific characteristics/requirements to support it.

(For example, EIGRP can perform weighted load balancing over unequal cost paths; BGP needs explicit configuration.)

Hope to help

Giuseppe
