I am testing Checkpoint Firewall NG FP3 on SecurePlatform.
My routers (1600s, 2500s, 2600s, and a 4700) are connected to a 2950T-24 switch, each on a separate VLAN.
I connect to this switch with my new firewall via an 802.1q trunk. The "real" interface on this firewall is set to an MTU of 1500, with the sub-interfaces being automatically configured to 1492. I cannot adjust the MTU on the firewall interfaces above 1500 (software limit).
I cannot ping greater than a size of 1468 through the new firewall to the routers (or beyond the routers) on the 2950.
Pinging on the "native"/untagged vlan works fine with any size packet.
Judging by the traffic I captured, the outgoing ping works fine, but the echo doesn't get back.
Where should I change the MTU?
On the 2950 trunk port? (Can't change the MTU on the default VLAN.)
On the 2950's ports connected to router?
On router ethernet interfaces?
On Router Serial Interfaces?
The only success I've had so far on livelinks is by decreasing the mtu on the remote host (via editing windows registry), not a desirable option.
Any help will be appreciated.
Output of a failed ping (ping -s 1470 192.168.108.2)
Not too sure if I am reading your question correctly, but here it goes.
Firstly, the 2950 can support a max MTU of 1530 bytes; this is not IP MTU but just frame-layer MTU.
Now looking at your scenarios, everything passes the firewall or points towards the firewall. I have also noticed from the missing echo reply in the failed ping that you are not getting any ICMP error messages back, which is the default for most decent firewalls.
Bear in mind that the MTU is your packet size + 20 bytes (IP header with no options) + 14 bytes (MAC level) + 8 bytes (preamble) + 4 bytes (CRC). So if you add these up (1516 bytes) you will see you are hitting the firewall and any MTU for Ethernet.
Note that the preamble is not normally counted, but I find this a safety net; even if you take away the 8 bytes of preamble you are still over the 1500-byte mark.
Also, NT and most Windows OSes can have path MTU discovery configured and thus should be able to discover the max frame/data size that an app can send.
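The size accounting in the reply above, worked through per hop, as an added example (not code from either poster). It counts the ICMP header separately from the IP header, and the path values (1492 on the tagged firewall sub-interface, 1530 frame limit on the 2950, 1500 on the router Ethernet) are assumptions taken from the thread.

```python
# Added example: per-hop MTU check for "ping -s N" across a trunked path.
# Header sizes used in the accounting (bytes).
ICMP_HDR = 8      # ICMP echo header (not listed separately in the reply)
IP_HDR = 20       # IPv4 header, no options
MAC_HDR = 14      # Ethernet dst/src/type
DOT1Q_TAG = 4     # 802.1Q tag added on trunk links
FCS = 4           # CRC
PREAMBLE = 8      # not counted toward MTU; only in the on-wire total


def ip_length(payload):
    """Total IPv4 datagram length produced by 'ping -s payload'."""
    return payload + ICMP_HDR + IP_HDR


def frame_length(payload, tagged):
    """Ethernet frame length from MAC header to FCS, with optional 802.1Q tag."""
    return ip_length(payload) + MAC_HDR + (DOT1Q_TAG if tagged else 0) + FCS


def on_wire(payload, tagged):
    """Bytes on the wire including preamble (the reply's 'safety net' view)."""
    return frame_length(payload, tagged) + PREAMBLE


def max_payload(ip_mtu):
    """Largest 'ping -s' value that fits an interface IP MTU unfragmented."""
    return ip_mtu - ICMP_HDR - IP_HDR


def first_failing_hop(payload, hops):
    """hops: (name, ip_mtu or None, frame_mtu or None, tagged).
    Returns the first hop whose IP MTU or frame limit is exceeded, else None."""
    for name, ip_mtu, frame_mtu, tagged in hops:
        if ip_mtu is not None and ip_length(payload) > ip_mtu:
            return name
        if frame_mtu is not None and frame_length(payload, tagged) > frame_mtu:
            return name
    return None


# Constructed path with values assumed from the thread.
PATH = [
    ("firewall 802.1q sub-interface", 1492, None, True),
    ("2950 trunk port", None, 1530, True),
    ("router ethernet", 1500, None, False),
]

if __name__ == "__main__":
    for s in (1464, 1468, 1470):
        print(s, ip_length(s), on_wire(s, True), first_failing_hop(s, PATH))
```

With a 1492-byte sub-interface MTU the largest unfragmented payload is 1464, so a probe of 1470 (1498-byte datagram) is already over the limit at the firewall before it reaches the switch.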