From: Bit Gossip (bit.gossip@chello.nl)
Date: Sat May 19 2007 - 09:05:55 ART
Hi Sergey, group,
I played a little bit with 'ip tcp adjust-mss xxx' and it seems to do the
job. What I cannot get working, however, is 'ip tcp mss xxx'.
I have configured 'ip tcp mss 1024' on a router, then I originate and/or
terminate a telnet session on that router, but I see that it keeps advertising
mss=536, which is the default value. Any idea why?
Thanks,
bit.
Rack1R3#show run | in mss
ip tcp mss 1024
Rack1R3#debug ip tcp transactions
TCP special event debugging is on
Rack1R3#telnet 192.10.1.253
Trying 192.10.1.253 ... Open
Fedora Core release 4 (Stentz)
Kernel 2.6.17-1.2142_FC4smp on an i686
login:
*May 19 14:05:54.352: TCP: Random local port generated 39721
*May 19 14:05:54.356: TCB65A4B28C created
*May 19 14:05:54.356: TCB65A4B28C setting property TCP_TOS (11) 641C3E60
*May 19 14:05:54.356: TCB65A4B28C bound to UNKNOWN.39721
*May 19 14:05:54.356: TCP: sending SYN, seq 2421784133, ack 0
*May 19 14:05:54.356: TCP0: Connection to 192.10.1.253:23, advertising MSS 536
*May 19 14:05:54.356: TCP0: state was CLOSED -> SYNSENT [39721 -> 192.10.1.253(23)]
*May 19 14:05:54.372: TCP0: state was SYNSENT -> ESTAB [39721 -> 192.10.1.253(23)]
*May 19 14:05:54.372: TCP: tcb 65A4B28C connection to 192.10.1.253:23, peer MSS 500, MSS is 500
*May 19 14:05:54.372: TCB65A4B28C connected to 192.10.1.253.23
----- Original Message -----
From: "Sergey Golovanov" <sergey.golovanov@iementor.com>
To: <johngibson1541@yahoo.com>; <ccielab@groupstudy.com>
Sent: Wednesday, April 04, 2007 11:27 PM
Subject: RE: Re: routers don't fragment any packet. End hosts all MUST have
path MTU discovery ?
> Actually, barely any networks in the enterprise world rely on PMTU anymore.
> If you are concerned with an MTU bottleneck in the middle of the
> communication path, for example GRE tunnels, you'd normally use "ip tcp
> adjust-mss" set to your IP MTU - 40. So for example, let's say you have a
> gre tunnel somewhere in the middle. The IP mtu would normally be set to 1476
> (1500 - 20 IP header - 4 GRE header), and tcp adjust-mss would be set to
> 1436 (1476 - 40 IP+TCP header). With this configuration these problems don't
> matter anymore:
>
> 1. PMTU is not needed (tcp only)
> 2. Doesn't matter what MTU the server or client are using (tcp only)
> 3. Doesn't matter what MSS the server or client are using (tcp only)
> 4. Doesn't matter if the server or client are using DF bit (tcp only)
>
> All these issues are resolved with tcp adjust-mss.... the only problem is
> that it applies only to TCP traffic. The issue remains with UDP traffic. But
> it's not a big deal. If UDP for some reason sends large MTU packet, it would
> get fragmented. I don't know of any applications that set DF-bit and that
> use full size 1500 ip packet. I don't know of any... except for one :)
> Microsoft Kerberos authentication on Windows 2000 (I think it's only on
> Win2K) will use UDP by default (I believe on Win2003 they changed to TCP for
> default setting), and it will set the DF bit. Well, it's not a problem....
> until your AD transactions (resulted from the user database size etc) reach
> certain size and the packet ends up being above the "bottleneck" MTU. The
> difficult way to fix it is to tell your server guys to switch Kerberos from
> UDP to TCP... but it might be difficult in large environments. The other way
> to fix it, of course, is to use the route-map and clear df-bit on all UDP
> traffic.
>
> Hope this helps
>
> --------------------------------------------------------------------
> Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
> "Please, don't ask me for my ccie #, there are reasons why I can't release
> it"
> ieMentor Instructor and Content Developer
> sergey.golovanov@iementor.com
> http://www.iementor.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> johngibson1541@yahoo.com
> Sent: Wednesday, April 04, 2007 9:54 AM
> To: ccielab@groupstudy.com
> Subject: Re: Re: routers don't fragment any packet. End hosts all MUST have
> path MTU discovery ?
>
> No. Something is not right here.
>
> I am so shocked to learn that path MTU discovery protocol uses ICMP.
>
> Many enterprise networks block all ICMP packets. How could this path MTU
> discovery thing ever work in our public Internet ?
>
> What are we doing ? I am totally lost.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:21 ART
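
The MSS clamping discussed in the thread above, as an added Python example (not part of the original posts and not Cisco's implementation): it lowers the MSS option of a SYN to the 1436-byte clamp for a GRE tunnel and recomputes the TCP checksum. The function names, the source address 192.10.1.3 and the sequence/window values are assumptions made for the illustration.

```python
import struct

IP_TCP_HEADERS = 40  # 20-byte IP + 20-byte TCP header, the "- 40" in the thread

def tcp_checksum(src, dst, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(src, dst, sport, dport, mss):
    """Constructed sample: a bare SYN whose only option is MSS (kind 2, len 4)."""
    seg = bytearray(struct.pack("!HHIIBBHHHBBH", sport, dport, 1000, 0,
                                6 << 4, 0x02, 4128, 0, 0, 2, 4, mss))
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)

def adjust_mss(src, dst, segment, clamp):
    """Lower a SYN's MSS option to at most clamp; return (segment, old, new)."""
    seg = bytearray(segment)
    if not seg[13] & 0x02:          # MSS is only announced on SYN segments
        return segment, None, None
    i, end = 20, (seg[12] >> 4) * 4
    while i < end and seg[i] != 0:  # kind 0 ends the option list
        if seg[i] == 1:             # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            break                   # malformed option: leave the segment alone
        if seg[i] == 2 and seg[i + 1] == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            new = min(old, clamp)   # never raise what the host asked for
            struct.pack_into("!H", seg, i + 2, new)
            struct.pack_into("!H", seg, 16, 0)
            struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
            return bytes(seg), old, new
        i += seg[i + 1]
    return segment, None, None

if __name__ == "__main__":
    src, dst = bytes([192, 10, 1, 3]), bytes([192, 10, 1, 253])  # src is constructed
    clamp = 1476 - IP_TCP_HEADERS   # GRE IP MTU from the thread -> 1436
    for mss in (1460, 536):
        out, old, new = adjust_mss(src, dst, build_syn(src, dst, 39721, 23, mss), clamp)
        print(old, "->", new, "checksum ok:", tcp_checksum(src, dst, out) == 0)
```

A SYN that already advertises less than the clamp, such as the 536 seen in the debug output, passes through unchanged.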