Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1384
Views
0
Helpful
5
Replies

DMVPN tunnel on a spoke (ADSL ISP)

Go to solution
Ruterford
Level 1
Level 1

‎09-08-2013 07:34 AM - edited ‎02-21-2020 07:08 PM

Hi Everyone,

I am wondering if I can potentially use same ip mtu value and same ip tcp mss size both on Tunnel interface and Fastethernet WAN interface on my DMVPN spoke routers? WAN interface is facing an ADSL modem supplied by ISP.

I.e. something like:

Interface FastEthernet 4

ip mtu 1400

ip tcp adjust-mss 1360

....

Interface Tunnel0

ip mtu 1400

ip tcp adjust-mss 1360

Will this be causing any issues with fragmentation for DMVPN?

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Ruterford

‎09-10-2013 01:38 AM

Yes the major impact is fragmentation and thus performance.

I think what you're describing is OK and as mentioned turning tunnel PMTUD will take care of some scenarios.

Think of it like this (it's a simplification, but I think a fitting one).

A 1400 byte packat arrives from LAN , we perform route lookup, it points through tunnel interface. We perform check, "do we need to fragment this packet?". The answer is "no" because it fits in the MTU.

We perform encapsulation (dicated by features applied on tunnel interface), adding GRE + IPsec (GRE header, IPsec header and padding).

Now we take this encapsulated packet and check routing post encapuslation, it will point out through fa4 interface.

Does this packet feet into MTU of 1400. "No", we need to fragmed if it's allowed.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎09-09-2013 04:56 AM

It's for sure not recommended.

What you can do is to enable "tunnel path-mtu-discovery" on the tunnel interface which actually might help mitigating a few different problems you might face. (I'm considering you're running a fairly recent version of IOS) .

You can safely lowering MSS to something around 1300 bytes on tunnel interface. Most of the time you will not see big problems with big UDP packets in modern protocols (with notable exception of Kerberos).

M.

0 Helpful

Go to solution
Ruterford
Level 1
Level 1
In response to Marcin Latosiewicz

‎09-09-2013 05:03 PM

Thanks Marcin,

So you are saying that having the same ip mtu settings on both WAN and Tunnel interface will cause more fragmentation than expected? Even if I am using transport mode for IPSEC and there is no additional IP headers added again?

Or Is there ESP header being added on FE4 interface that would have caused fragmentation in case if large enough (1360) packet arrives on the Tunnel interface and both MTUs are 1400? The only impact of this is just having more fragmentation than expected on the DMVPN side of things right?

I might increase ip mtu up to 1452 on the FE4 interface and this should be ok for DMVPN then and for internet access for internal LAN users - there is split tunneling in place and we are allowing internal users to access internet on the same router. Since ADSL modem does PPPoE I need to lower the MTU on the FE4 interface.

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Ruterford

‎09-10-2013 01:38 AM

Yes the major impact is fragmentation and thus performance.

I think what you're describing is OK and as mentioned turning tunnel PMTUD will take care of some scenarios.

Think of it like this (it's a simplification, but I think a fitting one).

A 1400 byte packat arrives from LAN , we perform route lookup, it points through tunnel interface. We perform check, "do we need to fragment this packet?". The answer is "no" because it fits in the MTU.

We perform encapsulation (dicated by features applied on tunnel interface), adding GRE + IPsec (GRE header, IPsec header and padding).

Now we take this encapsulated packet and check routing post encapuslation, it will point out through fa4 interface.

Does this packet feet into MTU of 1400. "No", we need to fragmed if it's allowed.

0 Helpful

Go to solution
Shaoqin Li
Level 3
Level 3

‎09-09-2013 08:23 AM

why configure physical interface with mtu 1400 since you are using tunnel interface?

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Shaoqin Li

‎09-09-2013 09:19 AM

The fe4 MTU is dictated by capabilities of ADSL (I would assume).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents