RE: Re: routers don't fragment any packet. End hosts all MUST

From: Sergey Golovanov (sergey.golovanov@iementor.com)
Date: Wed Apr 04 2007 - 18:27:02 ART


Actually, barely any networks in the enterprise world rely on PMTU anymore.
If you are concerned with an MTU bottleneck in the middle of the
communication path, for example GRE tunnels, you'd normally use "ip tcp
adjust-mss" set to your IP MTU - 40. So for example, let's say you have a
gre tunnel somewhere in the middle. The IP mtu would normally be set to 1476
(1500 - 20 IP header - 4 GRE header), and tcp adjust-mss would be set to
1436 (1476 - 40 IP+TCP header). With this configuration these problems don't
matter anymore:

1. PMTU is not needed (tcp only)
2. Doesn't matter what MTU the server or client are using (tcp only)
3. Doesn't matter what MSS the server or client are using (tcp only)
4. Doesn't matter if the server or client are using DF bit (tcp only)

All these issues are resolved with tcp adjust-mss.... the only problem is
that it applies only to TCP traffic. The issue remains with UDP traffic. But
it's not a big deal. If UDP for some reason sends a large packet, it would
get fragmented. I don't know of any applications that set the DF bit and that
use full-size 1500-byte IP packets. I don't know of any... except for one :)
Microsoft Kerberos authentication on Windows 2000 (I think it's only on
Win2K) will use UDP by default (I believe on Win2003 they changed to TCP for
default setting), and it will set the DF bit. Well, it's not a problem....
until your AD transactions (resulting from the user database size, etc.) reach a
certain size and the packet ends up being above the "bottleneck" MTU. The
difficult way to fix it is to tell your server guys to switch Kerberos from
UDP to TCP... but it might be difficult in large environments. The other way
to fix it, of course, is to use the route-map and clear df-bit on all UDP
traffic.

Hope this helps

--------------------------------------------------------------------
Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
"Please, don't ask me for my ccie #, there are reasons why I can't release
it"
ieMentor Instructor and Content Developer
sergey.golovanov@iementor.com
http://www.iementor.com
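The configuration Sergey describes above, written out as an added illustration (this is not from his message or from any ieMentor material): a GRE tunnel with the IP MTU and TCP MSS values from his arithmetic, and a policy route-map that clears the DF bit on UDP so an oversized Kerberos datagram is fragmented at the bottleneck instead of being silently dropped. The interface names, addresses, ACL number and route-map name are assumed for the example.

```cisco
! Added example, not from the original post. Interface names, addresses,
! the ACL number and the route-map name are assumptions for illustration.
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ! 1500 - 20 (outer IP header) - 4 (GRE header) = 1476
 ip mtu 1476
 ! 1476 - 40 (IP + TCP headers) = 1436; the router rewrites the MSS option
 ! in SYN/SYN-ACK so neither end point ever sends a TCP segment too large
 ! for the tunnel, regardless of the hosts' own MTU, MSS or DF setting
 ip tcp adjust-mss 1436
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
!
! UDP from the inside network that must not be dropped because of DF.
! Narrowing this to the Kerberos port (udp ... eq 88) limits the change to
! the traffic that actually has the problem.
access-list 101 permit udp 10.1.0.0 0.0.255.255 any
!
! Policy route-map: clear the DF bit so downstream routers may fragment
route-map CLEAR-DF permit 10
 match ip address 101
 set ip df 0
!
! Apply on the LAN-facing interface where that UDP traffic enters the router
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.0.0
 ip policy route-map CLEAR-DF
!
```

Two things worth checking after applying this: `show ip policy` confirms the route-map is bound to the interface, and `show interfaces tunnel 0` shows the 1476 MTU. Clearing DF trades path MTU discovery for fragmentation on the matched flows, so any stateless filter on the path that drops non-initial fragments will still break those sessions; that is why the ACL is best kept as narrow as the problem traffic.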

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
johngibson1541@yahoo.com
Sent: Wednesday, April 04, 2007 9:54 AM
To: ccielab@groupstudy.com
Subject: Re: Re: routers don't fragment any packet. End hosts all MUST have path MTU discovery ?

No. Something is not right here.

I am so shocked to learn that path MTU discovery protocol uses ICMP.

Many enterprise networks block all ICMP packets. How could this path MTU
discovery thing ever work in our public Internet ?

What are we doing ? I am totally lost.



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:34 ART