MTU Size with 802.1q trunking

a.read
Level 1

Hi All,

I am testing Checkpoint Firewall NG FP3 on SecurePlatform.

My routers (1600's,2500's, 2600's, and 4700) are connected to a 2950T-24 switch, each on separate vlans.

I connect to this switch with my new firewall via a 802.1q trunk. The "real" interface on this firewall is set to an mtu of 1500, with the sub interfaces being automatically configured to 1492. I cannot adjust the mtu on the firewall interfaces above 1500 (software limit).

I cannot ping greater than a size of 1468 through the new firewall to the routers (or beyond the routers) on the 2950.

Pinging on the "native"/untagged vlan works fine with any size packet.

Judging by the traffic I captured, the outgoing ping works fine, but the echo doesn't get back.

Where should I change the MTU?

On the 2950 trunk port? (Can't change the MTU on the default VLAN.)

On the 2950's ports connected to router?

On router ethernet interfaces?

On Router Serial Interfaces?

The only success I've had so far on livelinks is by decreasing the mtu on the remote host (via editing windows registry), not a desirable option.

Any help will be appreciated.

Regards,

Andrew

Output of a failed ping (ping -s 1470 192.168.108.2)

eth2.4:o[1508]: 192.168.41.33 -> 192.168.41.34 (ICMP) len=1492 id=20791 off=0
ICMP: type=8 code=0 echo request id=61193 seq=6912
eth2.4:O[1508]: 192.168.41.33 -> 192.168.41.34 (ICMP) len=1492 id=20791 off=0
ICMP: type=8 code=0 echo request id=61193 seq=6912
eth2.4:o[1508]: 192.168.41.33 -> 192.168.41.34 (ICMP) len=1492 id=20792 off=0
ICMP: type=8 code=0 echo request id=61193 seq=7168

No replies there

Output of a successful ping (ping -s 1468 192.168.108.2)

eth2.2:o[1496]: 192.168.108.1 -> 192.168.108.2 (ICMP) len=1492 id=37605 off=0
ICMP: type=8 code=0 echo request id=11535 seq=2304
eth2.2:O[1496]: 192.168.108.1 -> 192.168.108.2 (ICMP) len=1492 id=37605 off=0
ICMP: type=8 code=0 echo request id=11535 seq=2304
eth2.2:i[1496]: 192.168.108.2 -> 192.168.108.1 (ICMP) len=1496 id=37605
ICMP: type=0 code=0 echo reply id=11535 seq=2304
eth2.2:I[1496]: 192.168.108.2 -> 192.168.108.1 (ICMP) len=1496 id=37605
ICMP: type=0 code=0 echo reply id=11535 seq=2304

1 Reply

DALE FRANCIS
Level 3

Andrew,

Not too sure if I am reading your question correctly, but here it goes.

Firstly, the 2950 can support a max MTU of 1530 bytes; this is not IP MTU but just frame-layer MTU.

Now, looking at your scenarios, everything passes the firewall or points towards the firewall. I have also noticed, from the absence of an echo reply in the failed ping, that you are not getting any ICMP error messages back, which is the default for most decent firewalls.

Bear in mind that the MTU is your packet size + 20 bytes (IP header with no options) + 14 bytes (MAC level) + 8 bytes (preamble) + 4 bytes (CRC). So if you add these up (1516 bytes) you will see you are hitting the firewall and any MTU for Ethernet.

Note that the preamble is not normally counted, but I find this a safety net; even if you take away the 8 bytes of preamble you are still over the 1500-byte mark.

Also, NT and most Windows OSs can have path MTU discovery configured and thus should be able to discover the max frame/data size that an app can send.

Regards
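The size arithmetic behind the thread's two captures, written out as an added Python example (it is not from the original thread or from Check Point or Cisco). It models the path the question describes: a firewall 802.1Q sub-interface with an IP MTU of 1492 on a physical port limited to 1500, a trunk, and a router with a 1500-byte interface. The function names, the `fw_subif_mtu`/`fw_phys_mtu`/`router_mtu` parameters, and the assumption that the firewall's physical port will not accept a tagged frame whose IP payload exceeds 1500 minus the 4-byte tag are mine; the header sizes are the standard IPv4, ICMP and Ethernet values. Under those assumptions the model reproduces exactly what the captures show: the 1468-byte request goes out as fragments of 1492 and 24 bytes and the 1496-byte reply comes back whole, while the 1470-byte request's 1498-byte reply plus tag no longer fits.

```python
"""Frame and fragment sizes for ICMP echo across an 802.1Q trunk (added example)."""

IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo request/reply header
ETH_HDR = 14     # destination MAC + source MAC + EtherType
DOT1Q_TAG = 4    # 802.1Q VLAN tag inserted after the source MAC
FCS = 4          # frame check sequence; the 8-byte preamble is never part of the MTU


def ip_packet_size(ping_payload):
    """Total IPv4 packet length produced by 'ping -s <ping_payload>'."""
    return ping_payload + ICMP_HDR + IP_HDR


def fragment(packet_len, link_mtu):
    """Fragment lengths a sender emits for an IPv4 packet on a link with link_mtu.

    Every fragment carries its own 20-byte header; all but the last carry a data
    chunk that is a multiple of 8 bytes, as the fragment offset field requires.
    """
    if packet_len <= link_mtu:
        return [packet_len]
    chunk = (link_mtu - IP_HDR) // 8 * 8
    data = packet_len - IP_HDR
    frags = []
    while data > 0:
        take = min(chunk, data)
        frags.append(take + IP_HDR)
        data -= take
    return frags


def frame_size(packet_len, tagged):
    """On-wire Ethernet frame length (preamble excluded) for one IP packet."""
    return ETH_HDR + (DOT1Q_TAG if tagged else 0) + packet_len + FCS


def echo_round_trip(ping_payload, fw_subif_mtu=1492, fw_phys_mtu=1500, router_mtu=1500):
    """Model the thread's topology: firewall sub-interface -> trunk -> router and back.

    The request is fragmented against the sub-interface MTU on the way out.  The
    router answers with a reply of the same total size, fragmented only against
    its own (larger) interface MTU.  Assumption of this model: the firewall's
    physical port accepts at most fw_phys_mtu bytes after the Ethernet header,
    and on the trunk those bytes include the 4-byte 802.1Q tag.
    """
    request_len = ip_packet_size(ping_payload)
    outbound = fragment(request_len, fw_subif_mtu)
    reply_frags = fragment(request_len, router_mtu)
    reply_fits = all(f + DOT1Q_TAG <= fw_phys_mtu for f in reply_frags)
    return {
        "request_len": request_len,
        "outbound_fragments": outbound,
        "reply_fragments": reply_frags,
        "reply_fits": reply_fits,
    }


def largest_working_payload(**kwargs):
    """Largest 'ping -s' value whose reply still fits under the model above."""
    for payload in range(1500, 0, -1):
        if echo_round_trip(payload, **kwargs)["reply_fits"]:
            return payload
    return 0


if __name__ == "__main__":
    for payload in (1468, 1470, 1472):
        r = echo_round_trip(payload)
        print(f"ping -s {payload}: request {r['request_len']} B, out {r['outbound_fragments']}, "
              f"reply {r['reply_fragments']}, reply fits tagged port: {r['reply_fits']}")
    print("largest working payload:", largest_working_payload())
    print("tagged frame carrying a 1500-byte packet:", frame_size(1500, tagged=True), "bytes")
```

Raising `fw_phys_mtu` to 1504 (what a port that understands baby giants or tagged frames effectively allows) makes the 1470 case fit, which is why the question's only fix so far, shrinking the MTU on the remote host so that replies are never larger than 1496, works as well. The useful check in the capture is the asymmetry: the outbound side fragments and succeeds, the inbound side arrives as one 1498-byte packet that the tagged port cannot take.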
