Re: Jumbo MTU issue on the FWSM

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Tue, 18 Jan 2011 09:55:42 +0000

Right, thanks dude! After some research on the subject, this is what I have
found out:

*FWSM:*

The FWSM has a number of processors, which handle different types of traffic
destined to the device; the CP, NP, NP1, NP2. When the FWSM module is
plugged into a host 6K, the NP1 and NP2 processors, which both have 3
internal gigabit links, form an internal etherchannel trunk to the host 6500
switch backplane. This means there would be 2 etherchannel trunk links
carrying traffic to and from the FWSM.

So when a user issues the "firewall module yyy vlan-group xxx" CLIs, this
is effectively allowing VLANs on those trunks for pushing traffic to the
FWSM. However, please note that these etherchannel links are only internal
links and therefore not configurable in any way by the user. This was found
not to be the cause of my grief though: having jumbo MTU frames supported by
the FWSM.

So, for security reasons, the FWSM would not allow a negotiation of jumbo
MTU frames across it. Yes, I do not mean when the FWSM itself is negotiating
the TCP session. To configure the FWSM to allow an MSS of greater than 1380
(default, when an MTU of 1500 is on the links), the following commands are
needed to set the min and max limits. Otherwise, the FWSM will always reset
the higher TCP MSS to the default of 1380, passing through it!

R601FWSM# sh run sysopt
sysopt connection tcpmss 8000
sysopt connection tcpmss minimum 0

*ASA:*

Now over to the ASAs. For starters, the ASA5550 does not support Jumbo MTU
frames. Only the ASA5580 and ASA5585-X do. In addition to the above command,
as pointed out earlier by Frog, the following CLI is also needed on the ASA.

ASA-5580(config)# sh run jumbo-frame reservation
jumbo-frame reservation

Anyway, I am all good and sorted out now. Hope this information is somewhat
useful to someone out here! And apologies the subject has no "OT" ;-)

Sadiq

On Tue, Jan 11, 2011 at 2:04 PM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:

> Have you tried bypassing jumbo frame?
>
> jumbo-frame reservation
>
> above command is in ASA.
>
> Also it looks like there is a limit on the size of jumbo frame that FWSM
> can support (I think something 8400?)
>
> On Tue, Jan 11, 2011 at 11:18 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> Guys,
>>
>> Just came across something weird which I can't make out and a few searches
>> haven't returned any meaningful results either. Guessing someone out here
>> might be of help please.
>>
>> I am trying to configure jumbo MTU on my network. All other parts of the
>> network are doing jumbo frames successfully but my FWSM (outside). The FWSM
>> outside interface keeps fragmenting my IP packets (despite the configured
>> large MTU on all its interfaces). This made me suspect the host 6509 doing
>> something rather unpleasant. All IP and L2 interfaces are in fact configured
>> with the right MTU size.
>>
>> So I came across a mismatch (from "show vlan mtu" output), see below. I then
>> did a "show spanning-tree vlan 17" to find out an arbitrary port-channel
>> interfaces in my spanning tree domain, which are neither configured nor
>> accessible from any part of the host 6509 configuration. It appears that
>> these arbitrary interfaces have a lower MTU, which might be responsible for
>> the misbehavior I am seeing.
>>
>> Can someone please tell me what these do and if they are in fact
>> configurable?
>>
>> Thanks as usual!
>>
>> Sadiq
>>
>> ###################################################################
>>
>> Please see below:
>>
>> R601#
>> R601#
>> R601#sh span vlan 17
>>
>> VLAN0017
>> Spanning tree enabled protocol rstp
>> Root ID Priority 24593
>> Address 0005.5f91.d800
>> This bridge is the root
>> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>>
>> Bridge ID Priority 24593 (priority 24576 sys-id-ext 17)
>> Address 0005.5f91.d800
>> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>> Aging Time 480
>>
>> Interface Role Sts Cost Prio.Nbr Type
>> ------------------- ---- --- --------- -------- --------------------------------
>> Te9/3 Desg FWD 2 128.1027 P2p
>> Po306 Desg FWD 3 128.1666 P2p Edge
>> Po310 Desg FWD 3 128.1667 P2p Edge
>> Po311 Desg FWD 3 128.1668 P2p Edge
>>
>> R601#
>> R601#sh vlan mtu
>>
>> VLAN SVI_MTU MinMTU(port) MaxMTU(port) MTU_Mismatch
>> ---- ------------- ------------- ------------ ------------
>> 1 1500 1500 (Gi3/1 ) 9000 (Te9/3 ) Yes
>>
>> .....
>>
>> 17 8500(TooBig) 1500 (Po306 ) 9000 (Te9/3 ) Yes
>> 18 - 1500 (Po306 ) 9000 (Te9/3 ) Yes
>> 19 - 1500 (Po306 ) 9000 (Te9/3 ) Yes
>>
>> .....
>>
>> R601#
>> R601#
>> R601#
>> R601#show mod
>> R601#show mod
>> Mod Ports Card Type Model Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>> 1 6 Firewall Module WS-SVC-FWM-1 SAD080803FL
>> 2 6 Firewall Module WS-SVC-FWM-1 SAD102105VN
>> 3 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL1106GBZ6
>> 4 16 SFM-capable 16 port 1000mb GBIC WS-X6516-GBIC SAD0541041G
>> 5 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL SAL1103E6YD
>> 6 6 Firewall Module WS-SVC-FWM-1 SAD07170252
>> 7 6 Firewall Module WS-SVC-FWM-1 SAD071202GX
>> 8 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE SAL114998VQ
>> 9 8 CEF720 8 port 10GE with DFC WS-X6708-10GE SAL1215LWZC
>>
>> Mod MAC addresses Hw Fw Sw Status
>> --- ---------------------------------- ------ ------------ ------------ -------
>> 1 0003.feae.2b58 to 0003.feae.2b5f 3.0 7.2(1) 4.0(12) ShutDown
>> 2 0017.95a3.e578 to 0017.95a3.e57f 4.0 7.2(1) 3.1(10)0 Ok
>> 3 001a.6c97.cb34 to 001a.6c97.cb63 2.5 12.2(14r)S5 12.2(33)SXI3 Ok
>> 4 00d0.c0d6.aba4 to 00d0.c0d6.abb3 3.0 6.1(3) 12.2(33)SXI3 Ok
>> 5 0017.9444.4c1c to 0017.9444.4c1f 5.3 8.4(2) 12.2(33)SXI3 Ok
>> 6 0002.fcbe.1634 to 0002.fcbe.163b 2.0 7.2(1) 3.1(10)0 Ok
>> 7 0003.feab.3462 to 0003.feab.3469 1.1 7.2(1) 3.1(10)0 Ok
>> 8 001c.585c.a368 to 001c.585c.a36b 2.6 12.2(14r)S5 12.2(33)SXI3 Ok
>> 9 001d.4577.ae18 to 001d.4577.ae1f 1.4 12.2(18r)S1 12.2(33)SXI3 Ok
>>
>> Mod Sub-Module Model Serial Hw Status
>> ---- --------------------------- ------------------ ----------- ------- -------
>> 3 Centralized Forwarding Card WS-F6700-CFC SAL1103EL86 2.1 Ok
>> 5 Policy Feature Card 3 WS-F6K-PFC3BXL SAL1101D02A 1.8 Ok
>> 5 MSFC3 Daughterboard WS-SUP720 SAL1103E9E9 2.6 Ok
>> 8 Centralized Forwarding Card WS-F6700-CFC SAL11488UNG 4.0 Ok
>> 9 Distributed Forwarding Card WS-F6700-DFC3C SAL1215M317 1.0 Ok
>>
>> Mod Online Diag Status
>> ---- -------------------
>> 1 Pass
>> 2 Pass
>> 3 Pass
>> 4 Pass
>> 5 Pass
>> 6 Pass
>> 7 Pass
>> 8 Pass
>> 9 Pass
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

-- 
CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
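The behaviour Sadiq describes (the FWSM rewriting a larger TCP MSS down to 1380 until "sysopt connection tcpmss" is raised, with "sysopt connection tcpmss minimum" as the lower bound) is plain TCP MSS clamping on the SYN. The following is an added example, not code from the thread or from Cisco: it models that clamping on a constructed SYN option block, so you can see why a jumbo host's advertised MSS of 8960 comes out the far side as 1380 with the defaults, and as 8000 with the setting shown above. The option layout, the default values, and the fact that a real device also recomputes the TCP checksum are taken from the thread and standard TCP; the function names and the sample SYN are my own.

```python
"""Model of firewall TCP MSS clamping as described for the FWSM/ASA
"sysopt connection tcpmss <max>" / "sysopt connection tcpmss minimum <min>".
Added example; not Cisco code and not from the original thread."""
import struct

EOL_KIND, NOP_KIND, MSS_KIND = 0, 1, 2
IPV4_HEADER = 20   # bytes, no IP options
TCP_HEADER = 20    # bytes, no TCP options


def build_syn_options(mss, window_scale=7):
    """Construct the option block of a typical TCP SYN (constructed sample input)."""
    opts = struct.pack("!BBH", MSS_KIND, 4, mss)      # MSS option: kind 2, length 4
    opts += bytes([NOP_KIND, NOP_KIND, 4, 2])         # SACK-permitted (kind 4), NOP-padded
    opts += bytes([NOP_KIND, 3, 3, window_scale])     # window scale (kind 3), NOP-padded
    return opts


def parse_options(opts):
    """Return [(kind, value_bytes, offset)] for each non-NOP option, stopping at EOL."""
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL_KIND:
            break
        if kind == NOP_KIND:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        found.append((kind, opts[i + 2:i + length], i))
        i += length
    return found


def clamp_mss(opts, maximum=1380, minimum=0):
    """Rewrite the MSS option the way the tcpmss setting does.

    maximum: "sysopt connection tcpmss" value (thread: default 1380, raised to 8000)
    minimum: "sysopt connection tcpmss minimum" value; 0 disables the lower bound
    Returns (new_opts, original_mss, applied_mss); both MSS values are None when
    the SYN carries no MSS option. A real device also recomputes the TCP checksum
    after the rewrite; that step is omitted here.
    """
    new = bytearray(opts)
    original = applied = None
    for kind, value, off in parse_options(opts):
        if kind != MSS_KIND or len(value) != 2:
            continue
        original = struct.unpack("!H", value)[0]
        applied = min(original, maximum)
        if minimum and applied < minimum:
            applied = minimum
        struct.pack_into("!H", new, off + 2, applied)   # value sits after kind+length
        break
    return bytes(new), original, applied


def mss_for_mtu(mtu):
    """Largest MSS a host advertises for a given link MTU (IPv4, no options)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def segment_fragments(mss, egress_mtu):
    """True if a full-MSS segment exceeds the egress MTU and needs IP fragmentation."""
    return mss + IPV4_HEADER + TCP_HEADER > egress_mtu


if __name__ == "__main__":
    syn = build_syn_options(mss_for_mtu(9000))        # jumbo host advertises MSS 8960
    for maximum in (1380, 8000):
        _, before, after = clamp_mss(syn, maximum=maximum)
        print("tcpmss %d: SYN MSS %d -> %d; full segment fragments on a 1500 MTU link: %s"
              % (maximum, before, after, segment_fragments(after, 1500)))
```

Running it shows the two cases from the thread side by side: with the default maximum the peer never learns the jumbo MSS, so every segment is sized for 1420 bytes of payload and the jumbo path is wasted; with the maximum raised to 8000 the advertised 8960 is still trimmed, which is the point of the setting rather than a defect. The minimum is worth keeping at 0 unless there is a specific reason to force small-MSS peers upward, since raising the minimum can itself cause fragmentation on a path that genuinely has a small MTU.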
Received on Tue Jan 18 2011 - 09:55:42 ART

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 07:39:17 ART