Cisco Support Community
Community Member

How IPSec Overhead affects MTU?

Hi,

I have seen all capabilities/combinations of IPsec with different security algorithms and modes, but I have a question: how much overhead is finally added to a packet, and how does this affect MTU (e.g. MTU for Ethernet frame is 1400 bytes) in each case?

4 REPLIES
Community Member

Re: How IPSec Overhead affects MTU?

Since it varies I dunno how to answer. Here is a great article explaining it.

http://www.iphelp.ru/doc/3/Cisco.Press.Comparing.Designing.and.Deploying.VPNs.Apr.2006/1587051796/ch07lev1sec4.html

If you didn't know:

You can test out the MTU with the ping command:

#ping 192.168.0.1 size 1423 df-bit
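
How the overhead varies by algorithm and mode, as an added example that is not part of the original thread: it computes the ESP packet size from the RFC 4303 packet layout, assuming IPv4 without options and no AH, GRE or NAT-T encapsulation. The suite labels and function names are chosen for this example.

```python
# Added example: per-packet ESP overhead from the RFC 4303 packet layout.
# Assumes IPv4 without options, ESP only (no AH, GRE or NAT-T).
from dataclasses import dataclass

IPV4_HEADER = 20   # outer header in tunnel mode, original header in transport mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class Suite:
    iv: int      # IV bytes carried in every packet
    align: int   # plaintext + padding + trailer must be a multiple of this
    icv: int     # integrity check value (truncated MAC or GCM tag) bytes


# Suite keys are labels chosen for this example.
SUITES = {
    "3des-cbc/hmac-sha1-96": Suite(iv=8, align=8, icv=12),
    "aes-cbc/hmac-sha1-96": Suite(iv=16, align=16, icv=12),
    "aes-cbc/hmac-sha256-128": Suite(iv=16, align=16, icv=16),
    "aes-gcm-16": Suite(iv=8, align=4, icv=16),
}


def esp_packet_size(inner_len, suite, tunnel=True):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes."""
    # Tunnel mode encrypts the whole inner packet; transport mode reuses
    # the original IP header and encrypts only what follows it.
    plaintext = inner_len if tunnel else inner_len - IPV4_HEADER
    pad = -(plaintext + ESP_TRAILER) % suite.align
    return (IPV4_HEADER + ESP_HEADER + suite.iv
            + plaintext + pad + ESP_TRAILER + suite.icv)


def max_inner_packet(link_mtu, suite, tunnel=True):
    """Largest inner packet whose ESP form still fits in link_mtu."""
    size = link_mtu
    while size > IPV4_HEADER and esp_packet_size(size, suite, tunnel) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for name, suite in SUITES.items():
        for mtu in (1500, 1400):   # 1400 is the figure from the question
            fit = max_inner_packet(mtu, suite)
            print(f"{name:24} tunnel, MTU {mtu}: inner <= {fit} "
                  f"(overhead {esp_packet_size(fit, suite) - fit})")
```

Because of block padding the overhead is not a constant: it depends on the inner packet length as well as on the cipher, the integrity algorithm and the mode.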

Community Member

Re: How IPSec Overhead affects MTU?

Thanks, this is what I was looking for. I didn't know this command. I know about the DF bit but I didn't know how to use it.

I suppose that the "df-bit" part of the command sets the "Don't Fragment" bit to 1....

What if I want to set this bit to 1 permanently for all outgoing packets on a single interface?

Community Member

Re: How IPSec Overhead affects MTU?

You can set it on the PC for sure.

You can set it on the router too, but Cisco says:

set

Outer IP header will have the DF bit set; however, the router may fragment the packet if the original packet had the DF bit cleared.

I guess you could try and see how it works. Let me know, as I just found this article:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html

Community Member

Re: How IPSec Overhead affects MTU?

Hi,

Xmm... Interesting theory. I'll try it and I'll let you know.

Thanks,

John
