12-16-2002 03:52 PM - edited 03-02-2019 03:38 AM
Hi All,
I am testing Checkpoint Firewall NG FP3 on SecurePlatform.
My routers (1600's,2500's, 2600's, and 4700) are connected to a 2950T-24 switch, each on separate vlans.
I connect to this switch with my new firewall via a 802.1q trunk. The "real" interface on this firewall is set to an mtu of 1500, with the sub interfaces being automatically configured to 1492. I cannot adjust the mtu on the firewall interfaces above 1500 (software limit).
I cannot ping greater than a size of 1468 through the new firewall to the routers (or beyond the routers) on the 2950.
Pinging on the "native"/untagged vlan works fine with any size packet.
Judging by the traffic I captured, the outgoing ping works fine, but the echo doesn't get back.
Where should I change the MTU?
On the 2950 trunk port? (Can't change MTU on the default VLAN.)
On the 2950's ports connected to router?
On router ethernet interfaces?
On Router Serial Interfaces?
The only success I've had so far on livelinks is by decreasing the mtu on the remote host (via editing windows registry), not a desirable option.
Any help will be appreciated.
Regards,
Andrew
Output of a failed ping (ping -s 1470 192.168.108.2)
eth2.4:o[1508]: 192.168.41.33 -> 192.168.41.34 (ICMP) len=1492 id=20791 off=0
ICMP: type=8 code=0 echo request id=61193 seq=6912
eth2.4:O[1508]: 192.168.41.33 -> 192.168.41.34 (ICMP) len=1492 id=20791 off=0
ICMP: type=8 code=0 echo request id=61193 seq=6912
eth2.4:o[1508]: 192.168.41.33 -> 192.168.41.34 (ICMP) len=1492 id=20792 off=0
ICMP: type=8 code=0 echo request id=61193 seq=7168
No replies there
Output of a successful ping (ping -s 1468 192.168.108.2)
eth2.2:o[1496]: 192.168.108.1 -> 192.168.108.2 (ICMP) len=1492 id=37605 off=0
ICMP: type=8 code=0 echo request id=11535 seq=2304
eth2.2:O[1496]: 192.168.108.1 -> 192.168.108.2 (ICMP) len=1492 id=37605 off=0
ICMP: type=8 code=0 echo request id=11535 seq=2304
eth2.2:i[1496]: 192.168.108.2 -> 192.168.108.1 (ICMP) len=1496 id=37605
ICMP: type=0 code=0 echo reply id=11535 seq=2304
eth2.2:I[1496]: 192.168.108.2 -> 192.168.108.1 (ICMP) len=1496 id=37605
ICMP: type=0 code=0 echo reply id=11535 seq=2304
12-17-2002 03:09 AM
Andrew,
Not too sure if I am reading your question correctly, but here it goes.
Firstly, the 2950 can support a max MTU of 1530 bytes; this is not IP MTU but just frame-layer MTU.
Now looking at your scenarios, everything passes the firewall or points towards the firewall. I have also noticed from the missing echo reply in the failed ping that you are not getting any ICMP error messages back, which is the default for most decent firewalls.
Bear in mind that the MTU is your packet size + 20 bytes (IP header with no options) + 14 bytes (MAC level) + 8 bytes (preamble) + 4 bytes (CRC). So if you add these up (1516 bytes) you will see you are hitting the firewall and any MTU for Ethernet.
Note that the preamble is not normally counted, but I find this a safety net; even if you take away the 8 bytes of preamble you are still over the 1500-byte mark.
Also, NT and most Windows OSs can have path MTU discovery configured and thus should be able to discover the max frame/data size that an app can send.
Regards
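The framing arithmetic discussed in this thread, worked through as an added example (not code from either poster): for a given `ping -s` payload it computes the IP datagram length, the untagged and 802.1q-tagged Ethernet frame sizes, and the IPv4 fragments an interface MTU such as the 1492-byte sub-interface would emit. The header sizes are standard IPv4/ICMP/Ethernet values; the sample payload sizes are the ones tried above.

```python
# Added example (not from either poster): IPv4/ICMP framing arithmetic for the
# ping sizes and MTUs discussed in this thread; the sample values are constructed.
from dataclasses import dataclass

ICMP_HDR = 8    # ICMP echo header
IP_HDR = 20     # IPv4 header without options
ETH_HDR = 14    # dst MAC + src MAC + EtherType
ETH_FCS = 4     # frame check sequence (the preamble is not counted)
DOT1Q_TAG = 4   # 802.1q VLAN tag inserted after the source MAC

@dataclass(frozen=True)
class Sizes:
    ip_len: int          # IP total length, what "len=" in the capture reports
    frame_untagged: int  # on-wire bytes on the native VLAN
    frame_tagged: int    # on-wire bytes on a tagged VLAN of the trunk

def ping_sizes(payload: int) -> Sizes:
    """Sizes produced by `ping -s payload` (-s counts ICMP data bytes only)."""
    ip_len = payload + ICMP_HDR + IP_HDR
    untagged = ETH_HDR + ip_len + ETH_FCS
    return Sizes(ip_len, untagged, untagged + DOT1Q_TAG)

def fragment(ip_len: int, mtu: int) -> list[int]:
    """IP total lengths of the fragments an interface with this MTU emits.
    All fragments but the last carry a multiple of 8 data bytes, so a
    1496-byte datagram on a 1492-byte MTU becomes [1492, 24]."""
    if ip_len <= mtu:
        return [ip_len]
    per_frag = (mtu - IP_HDR) // 8 * 8
    data, frags = ip_len - IP_HDR, []
    while data > 0:
        chunk = min(per_frag, data)
        frags.append(IP_HDR + chunk)
        data -= chunk
    return frags

def max_unfragmented_payload(mtu: int) -> int:
    """Largest `ping -s` value that fits in one datagram on this MTU."""
    return mtu - IP_HDR - ICMP_HDR

if __name__ == "__main__":
    for payload in (1468, 1470):  # the two sizes tried in the thread
        s = ping_sizes(payload)
        print(f"-s {payload}: IP len {s.ip_len}, frame {s.frame_untagged} untagged "
              f"/ {s.frame_tagged} tagged, fragments on MTU 1492: {fragment(s.ip_len, 1492)}")
    print("largest -s without fragmentation on MTU 1492:", max_unfragmented_payload(1492))
```

In the captures above, the outbound len=1492 on the 1492-byte sub-interface matches the first fragment this calculation predicts for both payload sizes, so comparing the fragments actually seen on each side of the trunk is a quick way to locate where the larger datagram is being dropped.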