Clear DF Bit Or NOT?

lnthompson
Level 1

While poking around my network, I was debugging some ICMP on an MSFC we have. I noticed some interesting messages: "ICMP: dst (x.x.x.x) frag. needed and DF set unreachable sent to y.y.y.y". I then found a good article on why this is: http://www.cisco.com/warp/public/105/56.html

We have an IPsec / GRE tunnel, so it is obvious that we are exceeding the MTU with the additional packet header information.

Now for the question: Is it better to let the "frag. needed and DF set" unreachable message alter the MTU, or should we clear the DF bit with a policy route-map?

Are there performance advantages either way?

4 Replies

Richard Burts
Hall of Fame

This is a somewhat complicated issue and I am not sure that there is a clear best answer. It will depend a lot on your individual situation.

There is some advantage in letting the ICMP go through and alter the MTU. The biggest advantage of this is that it puts the work of managing packet size on the end station. If the MTU does not get adjusted from the end station, then your routers will be doing extra work to fragment and reassemble data packets.

On the other hand, even if you let the ICMP go through there is no guarantee that someone else somewhere else will not deny them. So it may be preferable to deal with the issue in another way. Using policy routing is one of the options to consider. It has the advantage that you will have more control within your network. But there is still some risk that someone outside of your network may impact or deny your traffic.

A customer I work with has faced this issue. We also run IPsec with GRE tunnels and were having issues with fragmentation, especially for traffic to destinations outside of our network. We found a solution in the ip tcp adjust-mss command. It effectively overrides the negotiation of packet size and will get the end stations to set a packet size that will fit through your tunnels. It has the advantage that it puts the work of managing the packet size on the end stations, not on your routers. If your routers are running code recent enough to support this, I would recommend that you look at this as a possible solution.

HTH

Rick

Can you apply the tcp-mss command to just the tunnel interfaces? That way the rest of the network can continue to use the regular MTU?

The documentation for ip tcp adjust-mss states that it is to be applied to physical interfaces not virtual interfaces like tunnels. That is the way I applied it (and in our case there are no packets going through the interface that are not going through the tunnel).

I have heard that people have applied adjust-mss to tunnel interfaces and that it worked. Since I have not tested or applied it in this way, I cannot comment one way or the other. If you do try it, let us know how it works on tunnels.

HTH

Rick
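The two knobs compared in Rick's replies above (clamping the TCP MSS with ip tcp adjust-mss, versus clearing DF with a policy route-map) act on different headers of the same packet. The Python below, added here as an illustration and not code from this thread or from Cisco IOS, does in userspace what each knob does on the router: it rewrites an oversized MSS option in a SYN and recomputes the TCP checksum, and separately clears the DF bit and recomputes the IP header checksum. It also derives the MSS from a tunnel IP MTU (MSS = MTU minus 20 bytes of IPv4 header minus 20 bytes of TCP header, with no options), which is why a tunnel configured with ip mtu 1400 is commonly paired with ip tcp adjust-mss 1360. The addresses, ports and the SYN itself are constructed sample data; the function names are this example's own.

```python
import socket
import struct

IPV4_HDR_LEN = 20          # IPv4 header without options
TCP_HDR_LEN = 20           # TCP header without options
IP_PROTO_TCP = 6
IP_FLAG_DF = 0x4000        # Don't Fragment bit in the flags/fragment-offset field
TCP_FLAG_SYN = 0x02
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2

def mss_for_mtu(mtu):
    """Largest MSS whose full segment still fits an IPv4 packet of `mtu` bytes."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN

def _checksum(data):
    """RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _tcp_checksum(src, dst, segment):
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(segment))
    return _checksum(pseudo + segment)

def _with_ip_checksum(ip):
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    return ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]

def _with_tcp_checksum(src, dst, tcp):
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
    return tcp[:16] + struct.pack("!H", _tcp_checksum(src, dst, tcp)) + tcp[18:]

def _split(packet):
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:]

def build_syn(src_ip, dst_ip, sport, dport, mss, df=True):
    """Constructed IPv4/TCP SYN with an MSS option, as an end station would send it."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0) + options
    tcp = _with_tcp_checksum(src, dst, tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp), 0x1234,
                     IP_FLAG_DF if df else 0, 64, IP_PROTO_TCP, 0, src, dst)
    return _with_ip_checksum(ip) + tcp

def _mss_option_offset(tcp):
    """Offset of the 2-byte MSS value in a SYN's option list, or None."""
    if not tcp[13] & TCP_FLAG_SYN:
        return None
    i, end = TCP_HDR_LEN, (tcp[12] >> 4) * 4
    while i + 1 < end and tcp[i] != TCP_OPT_EOL:
        if tcp[i] == TCP_OPT_NOP:
            i += 1
            continue
        kind, length = tcp[i], tcp[i + 1]
        if kind == TCP_OPT_MSS and length == 4 and i + 4 <= end:
            return i + 2
        if length < 2:                      # malformed option: stop walking
            break
        i += length
    return None

def has_df(packet):
    return bool(struct.unpack("!H", packet[6:8])[0] & IP_FLAG_DF)

def syn_mss(packet):
    """MSS advertised in the SYN, or None if not a SYN or no MSS option present."""
    _, tcp = _split(packet)
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]

def clamp_mss(packet, max_mss):
    """What ip tcp adjust-mss does: lower an oversized MSS in a SYN, fix the TCP checksum."""
    ip, tcp = _split(packet)
    off = _mss_option_offset(tcp)
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= max_mss:
        return packet
    tcp = tcp[:off] + struct.pack("!H", max_mss) + tcp[off + 2:]
    return ip + _with_tcp_checksum(ip[12:16], ip[16:20], tcp)

def clear_df(packet):
    """What a route-map 'set ip df 0' does: clear DF and fix the IP header checksum."""
    ip, tcp = _split(packet)
    flags_frag = struct.unpack("!H", ip[6:8])[0] & ~IP_FLAG_DF
    return _with_ip_checksum(ip[:6] + struct.pack("!H", flags_frag) + ip[8:]) + tcp

def checksums_valid(packet):
    """Both checksums verify: summing a header that includes its checksum gives zero."""
    ip, tcp = _split(packet)
    return _checksum(ip) == 0 and _tcp_checksum(ip[12:16], ip[16:20], tcp) == 0
```

Run `clamp_mss(build_syn(...), mss_for_mtu(1400))` to see the 1460 a host advertises on a 1500-byte LAN become 1360, with the IP header (and its DF bit) untouched; run `clear_df` on the same SYN to see the opposite: the IP header changes, the TCP segment does not. The practical difference the thread is weighing follows from this: clamping only touches SYNs and leaves every later segment sized to fit, so the router never fragments, while clearing DF leaves the end stations sending full-size packets that the tunnel router then has to fragment and the far end reassemble.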

rsissons
Level 5

The "frag. needed and DF set" unreachable message will not necessarily cause the end device to alter the MTU, and so the frame will simply be dropped. You should clear the DF bit to prevent this.