1007 Views, 0 Helpful, 2 Replies

802.1x and Radius Fragmentation

brian_tehan
Level 1

Hello, we look after a large enterprise network and wish to deploy certificate-based 802.1X enterprise-wide. The network uses encryption over a multi-layer architecture. We see a RADIUS issue on congested links because the EAP conversations are quite large (certificate exchange). Thus a 7000-byte PDU is fragmented into 1500 bytes, then each of these is fragmented into 1400 bytes over the encrypted links; we may then have 10 fragments, some of which are lost on congested links.

We wanted to use "ip mtu 1400" on the management interface on the 3560s and 3750s, but this command is "not supported". It seems strange that this command is not available; not sure why. In this case, is there any other alternative to force the RADIUS traffic from the switch to 1400 bytes to avoid fragmentation and thus loss of data?

thanks,

Netdesign

2 Replies

b.hsu
Level 5

You cannot change the MTU for an individual interface. You must set the MTU globally. Reset the switch afterwards for the MTU change to take effect.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#c3

Thanks, but I don't want to change the MTU on the physical interfaces. I need to change the MTU on the management VLAN so it doesn't source UDP (RADIUS) traffic larger than 1400 bytes.

Anyway, it looks like Cisco can't do it even though it should be a feature. I guess we'll have to request a change; it's for a very large customer rollout.

regards,
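Editor's note, added to this thread and not part of either poster's text: the switch has no knob for this because the switch never chooses the RADIUS datagram size. It re-encapsulates each EAP packet it relays (supplicant towards server, server towards supplicant) into EAP-Message attributes, so the datagram size is set by the EAP-TLS fragment size of whichever EAP peer is sending: the RADIUS server for its certificate chain (for example FreeRADIUS's `fragment_size` setting in its eap module) and the supplicant for the client certificate. The Python model below was written for this note and works through the thread's own numbers: a 7000-byte TLS flight, a 1500-byte LAN MTU and a 1400-byte effective MTU on the encrypted links. It assumes IPv4 without options, 100 bytes of other RADIUS attributes per packet, and that the encrypted link re-fragments at the IP layer; those figures are assumptions, not measurements from the thread.

```python
"""Model of how one EAP-TLS flight becomes RADIUS datagrams and then IP fragments.

Editor's added example, not from the thread. Header sizes follow RFC 2865/2869
(RADIUS), RFC 3748 (EAP) and RFC 5216 (EAP-TLS); attribute overhead is assumed.
"""
import math

IP_HDR = 20              # IPv4 header, no options (assumed)
UDP_HDR = 8
RADIUS_HDR = 20          # Code, Identifier, Length, Authenticator
RADIUS_MAX_LEN = 4096    # RFC 2865 maximum RADIUS packet length
EAP_MSG_MAX_VALUE = 253  # an EAP-Message attribute carries at most 253 octets
MSG_AUTH_LEN = 18        # Message-Authenticator attribute, required with EAP-Message
EAP_TLS_HDR = 6          # EAP Code, Id, Length(2), Type, EAP-TLS Flags
EAP_TLS_LEN_FIELD = 4    # TLS Message Length, present on the first fragment only


def eap_tls_fragments(tls_flight_len, fragment_size):
    """EAP packet lengths for one TLS flight, `fragment_size` TLS bytes per packet."""
    lengths, offset, first = [], 0, True
    while offset < tls_flight_len:
        chunk = min(fragment_size, tls_flight_len - offset)
        lengths.append(EAP_TLS_HDR + (EAP_TLS_LEN_FIELD if first else 0) + chunk)
        offset += chunk
        first = False
    return lengths


def radius_datagram_len(eap_len, other_attrs_len):
    """On-the-wire IP datagram length of an Access-Request/Challenge carrying one EAP packet."""
    n_attrs = math.ceil(eap_len / EAP_MSG_MAX_VALUE)  # EAP packet spread over EAP-Message attrs
    radius_len = RADIUS_HDR + eap_len + 2 * n_attrs + MSG_AUTH_LEN + other_attrs_len
    if radius_len > RADIUS_MAX_LEN:
        raise ValueError(f"RADIUS packet of {radius_len} bytes exceeds RFC 2865 maximum")
    return IP_HDR + UDP_HDR + radius_len


def fragments_over_path(datagram_len, mtus):
    """IP fragment lengths after fragmentation at each MTU along the path, in order."""
    pieces = [datagram_len]
    for mtu in mtus:
        per_fragment = (mtu - IP_HDR) // 8 * 8  # all but the last fragment carry a multiple of 8
        refragmented = []
        for p in pieces:
            if p <= mtu:
                refragmented.append(p)
                continue
            payload = p - IP_HDR
            while payload > 0:
                chunk = min(per_fragment, payload)
                refragmented.append(IP_HDR + chunk)  # every fragment gets its own IP header
                payload -= chunk
        pieces = refragmented
    return pieces


def handshake_ip_fragments(tls_flight_len, fragment_size, other_attrs_len, mtus):
    """Total IP fragments needed to carry one TLS flight, summed over its RADIUS datagrams."""
    return sum(
        len(fragments_over_path(radius_datagram_len(eap_len, other_attrs_len), mtus))
        for eap_len in eap_tls_fragments(tls_flight_len, fragment_size)
    )


def max_tls_fragment_for_mtu(mtu, other_attrs_len):
    """Largest EAP-TLS fragment size whose RADIUS datagram never exceeds `mtu`.

    The first fragment (with the TLS Message Length field) is the worst case.
    """
    for fs in range(mtu, 0, -1):
        try:
            size = radius_datagram_len(EAP_TLS_HDR + EAP_TLS_LEN_FIELD + fs, other_attrs_len)
        except ValueError:
            continue
        if size <= mtu:
            return fs
    return 0


def delivery_probability(n_fragments, per_fragment_loss):
    """Chance that all n fragments arrive; one lost fragment discards the whole datagram."""
    return (1.0 - per_fragment_loss) ** n_fragments


if __name__ == "__main__":
    OTHER_ATTRS = 100    # assumed User-Name, NAS-*, State, Calling-Station-Id, etc.
    PATH = [1500, 1400]  # the thread's LAN MTU, then the encrypted link
    for fragment_size in (3800, 1024):
        n = handshake_ip_fragments(7000, fragment_size, OTHER_ATTRS, PATH)
        print(f"fragment_size={fragment_size}: 7000-byte flight -> {n} IP fragments, "
              f"p(all arrive at 2% loss)={delivery_probability(n, 0.02):.3f}")
    print("largest fragment size that never fragments on a 1400-byte link:",
          max_tls_fragment_for_mtu(1400, OTHER_ATTRS))
```

Running it shows that a 3800-byte fragment size turns the flight into 10 IP fragments across the two stages of fragmentation, which is the count the thread describes, while a 1024-byte fragment size keeps every RADIUS datagram under 1400 bytes and needs no IP fragmentation at all; `max_tls_fragment_for_mtu` gives the largest fragment size that clears a given link MTU. A smaller fragment size costs extra EAP round trips per handshake, so pick the largest value that fits the smallest MTU on the path, and set it on both the RADIUS server and the supplicants, since each sends its own certificate.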
