Re: Fragmentation DMVPN (GRE over IPSec)

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Fri, 10 Jun 2011 02:29:47 +0000

Lower it on the server using the setmtu.exe utility that comes with the vpn client...

Of course the tcp adjust-mss won't touch udp. You can also do it at the application level if your programmers are up to spec.

Joe

From: Radioactive Frog [mailto:pbhatkoti_at_gmail.com]
Sent: Thursday, June 09, 2011 10:27 PM
To: Charles Zhuang <charleszhuangau_at_gmail.com>
Cc: Joseph L. Brunner; ccielab_at_groupstudy.com <ccielab_at_groupstudy.com>
Subject: Re: Fragmentation DMVPN (GRE over IPSec)

I have had issues with larger UDP packets too after lowering the value to 1300
... Charles is right!

On Fri, Jun 10, 2011 at 12:24 PM, Charles Zhuang <charleszhuangau_at_gmail.com> wrote:
Hi Joseph,

Thanks for your reply. TCP adjust-mss has already been used. But large UDP
packets still need to be fragmented.

Cheers

Charles

-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Friday, 10 June 2011 11:42 AM
To: Charles Zhuang; ccielab_at_groupstudy.com
Subject: RE: Fragmentation DMVPN (GRE over IPSec)

Wrong... prevent fragmentation in the first place...

Lower all servers to 1300 MTU and or use ip tcp adjust-mss on the server
facing interface of all routers...

Come on man!

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Charles Zhuang
Sent: Thursday, June 09, 2011 8:21 PM
To: ccielab_at_groupstudy.com
Subject: Fragmentation DMVPN (GRE over IPSec)

Hi Guys,

Using crypto ipsec fragmentation before-encryption (LAF) gives better
performance according to Cisco.

http://www.cisco.com/en/US/docs/ios/12_1/12_1e11/feature/guide/lookaheadfrag.html

But I tried both (before & after) and it seems to me after is slightly
better (CPU utilization). Don't know why. There is another Cisco link
explaining after-encryption, but the condition is a crypto map applied on both
the physical and tunnel interfaces.

http://www.cisco.com/en/US/ts/fn/620/fn62394.html

Not sure if anyone has any experience with this... What is the best practice
in a DMVPN phase 1 environment?

Thanks

Charles
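Added example, not part of the thread: encapsulation arithmetic for GRE over ESP in transport mode (as DMVPN typically runs it), showing why a clamped TCP MSS fits the 1500-byte link while a full-size UDP datagram still fragments until the host MTU is lowered. The cipher sizes (AES-CBC 16-byte IV/block, HMAC-SHA1-96 12-byte ICV), the 4-byte GRE header and the 1500-byte link MTU are assumptions, not values from the thread.

```python
"""Overhead arithmetic for GRE over IPsec ESP (transport mode), to show
why 'ip tcp adjust-mss' protects TCP traffic but not UDP datagrams."""

OUTER_IP = 20      # IP header reused in ESP transport mode
ESP_HDR = 8        # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2    # pad length + next header
IP_HDR = 20
TCP_HDR = 20


def esp_packet_len(inner_ip_len, gre_len=4, block=16, iv_len=16, icv_len=12):
    """On-the-wire length of one GRE packet protected by ESP transport mode.
    Assumed (not from the thread): AES-CBC (16-byte block and IV),
    HMAC-SHA1-96 (12-byte ICV), 4-byte GRE header (8 with a tunnel key)."""
    plaintext = gre_len + inner_ip_len
    # ESP pads so that payload + trailer fills whole cipher blocks
    pad = (-(plaintext + ESP_TRAILER)) % block
    return OUTER_IP + ESP_HDR + iv_len + plaintext + pad + ESP_TRAILER + icv_len


def max_inner_ip_len(link_mtu=1500, **kw):
    """Largest inner IP packet that still fits link_mtu unfragmented."""
    n = link_mtu
    while esp_packet_len(n, **kw) > link_mtu:
        n -= 1
    return n


def fragments(inner_ip_len, link_mtu=1500, **kw):
    """True if the encrypted packet exceeds the link MTU and must fragment."""
    return esp_packet_len(inner_ip_len, **kw) > link_mtu


def report(link_mtu=1500):
    max_inner = max_inner_ip_len(link_mtu)
    mss = max_inner - IP_HDR - TCP_HDR   # the value adjust-mss should clamp to
    # Constructed sample packets: a clamped TCP segment, a UDP datagram from
    # a host at 1500-byte MTU, and one from a host lowered to 1300 bytes.
    cases = {
        "tcp_clamped": IP_HDR + TCP_HDR + mss,
        "udp_host_mtu_1500": 1500,
        "udp_host_mtu_1300": 1300,
    }
    return {"max_inner_ip": max_inner, "tcp_mss": mss,
            "fragments": {k: fragments(v, link_mtu) for k, v in cases.items()}}


if __name__ == "__main__":
    print(report())
```

With a DMVPN tunnel key the GRE header grows to 8 bytes; pass gre_len=8 to see the budget shrink by that amount.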

Received on Fri Jun 10 2011 - 02:29:47 ART
