Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

DMVPN tunnel on a spoke (ADSL ISP)

Hi Everyone,

I am wondering if I can potentially use same ip mtu value and same ip tcp mss size both on Tunnel interface and Fastethernet WAN interface on my DMVPN spoke routers? WAN interface is facing an ADSL modem supplied by ISP.

I.e. something like:

Interface FastEthernet 4

ip mtu 1400

ip tcp adjust-mss 1360

....

Interface Tunnel0

ip mtu 1400

ip tcp adjust-mss 1360

Will this be causing any issues with fragmentation for DMVPN?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

DMVPN tunnel on a spoke (ADSL ISP)

Yes the major impact is fragmentation and thus performance.

I think what you're describing is OK and as mentioned turning tunnel PMTUD will take care of some scenarios.

Think of it like this (it's a simplification, but I think a fitting one).

A 1400 byte packat arrives from LAN , we perform route lookup, it points through tunnel interface. We perform check, "do we need to fragment this packet?". The answer is "no" because it fits in the MTU.

We perform encapsulation (dicated by features applied on tunnel interface), adding GRE + IPsec (GRE header, IPsec header and padding).

Now we take this encapsulated packet and check routing post encapuslation, it will point out through fa4 interface.

Does this packet feet into MTU of 1400. "No", we need to fragmed if it's allowed.

5 REPLIES
Cisco Employee

DMVPN tunnel on a spoke (ADSL ISP)

It's for sure not recommended.

What you can do is to enable "tunnel path-mtu-discovery" on the tunnel interface which actually might help mitigating a few different problems you might face. (I'm considering you're running a fairly recent version of IOS) .

You can safely lowering MSS to something around 1300 bytes on tunnel interface. Most of the time you will not see big problems with big UDP packets in modern protocols (with notable exception of Kerberos).

M.

New Member

DMVPN tunnel on a spoke (ADSL ISP)

Thanks Marcin,

So you are saying that having the same ip mtu settings on both WAN and Tunnel interface will cause more fragmentation than expected? Even if I am using transport mode for IPSEC and there is no additional IP headers added again?

Or Is there ESP header being added on FE4 interface that would have caused fragmentation in case if large enough (1360) packet arrives on the Tunnel interface and both MTUs are 1400? The only impact of this is just having more fragmentation than expected on the DMVPN side of things right?

I might increase ip mtu up to 1452 on the FE4 interface and this should be ok for DMVPN then and for internet access for internal LAN users - there is split tunneling in place and we are allowing internal users to access internet on the same router. Since ADSL modem does PPPoE I need to lower the MTU on the FE4 interface.

Cisco Employee

DMVPN tunnel on a spoke (ADSL ISP)

Yes the major impact is fragmentation and thus performance.

I think what you're describing is OK and as mentioned turning tunnel PMTUD will take care of some scenarios.

Think of it like this (it's a simplification, but I think a fitting one).

A 1400 byte packat arrives from LAN , we perform route lookup, it points through tunnel interface. We perform check, "do we need to fragment this packet?". The answer is "no" because it fits in the MTU.

We perform encapsulation (dicated by features applied on tunnel interface), adding GRE + IPsec (GRE header, IPsec header and padding).

Now we take this encapsulated packet and check routing post encapuslation, it will point out through fa4 interface.

Does this packet feet into MTU of 1400. "No", we need to fragmed if it's allowed.

Bronze

Re: DMVPN tunnel on a spoke (ADSL ISP)

why configure physical interface with mtu 1400 since you are using tunnel interface?

Sent from Cisco Technical Support iPhone App

Cisco Employee

DMVPN tunnel on a spoke (ADSL ISP)

The fe4 MTU is dictated by capabilities of ADSL (I would assume).

507
Views
0
Helpful
5
Replies
CreatePlease to create content