MTU changes for SGT inline tagging?

zsmithtek
Level 1

When implementing inline tagging on Cisco 3850/4500/9300/9400 switches - adding the propagate sgt command to the uplink interface - I know I have heard this but am having an issue finding the documentation - but don't I need to increase the MTU on the switch to avoid fragmentation, as the SGT adds to the existing frame going over the default 1500 MTU setting?

 

I think I also read Catalyst 9K switches will adjust for this automatically. Not sure how this happens..? What about 3850/4500 switches? Is the recommendation to just make the system MTU like 1600 or something similar?

 

Any insight into MTU changes required when enabling inline tagging will be helpful.

 

Thanks for the help.

Accepted Solutions

Damien Miller
VIP Alumni

I do not recommend adjusting the system MTUs for TrustSec. I know there is old deployment documentation stating that you should adjust it to 1600, but this will lead to many other issues and isn't necessary. I don't have any past/recent platforms where the standard 1500 system MTU hasn't worked for me. There will be no fragmentation.

When you apply CTS manual to the uplinks, the Cisco metadata frame header addition will automatically be accommodated for by the port. It acts in the same way as enabling trunking on an uplink and handling the VLAN tag.

Ensure that you are shut/no shutting links following enabling inline tagging though, it also can't hurt to ping through the path at the configured MTU to be sure.

There is one exception you may find but it is handled automatically for you still. This stems from a bug I ran into with ISR4k/ASR platforms a couple years ago where they were not in fact adjusting the MTU internally. The implemented fix is found post IOS-XE 16.6.6. When you enable cts manual, a macro will run and adjust the interface MTU to 1508, and will place ip mtu 1500 in the interface config.
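
Added example, not part of the original posts or any Cisco code: a Python sketch that builds and parses an Ethernet frame carrying an 802.1Q tag and a Cisco MetaData (CMD) header, showing that the SGT grows the layer 2 header while the IP packet stays at 1500 bytes. The CMD layout used here (EtherType 0x8909, version 1, length 1, option type 1, 16-bit SGT, 8 bytes in total) is an assumption that matches the 1508/1500 figures in the answer; the MAC addresses, VLAN and SGT values are constructed.

```python
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_CMD = 0x8909    # Cisco MetaData (assumed layout, see lead-in)
ETHERTYPE_IPV4 = 0x0800
CMD_LEN = 8               # EtherType + version + length + option type + SGT


def build_frame(payload, sgt=None, vlan=None):
    """Ethernet II frame (no FCS) with optional 802.1Q tag and CMD header."""
    frame = bytes(6) + bytes(6)               # constructed dst/src MACs
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan & 0x0FFF)
    if sgt is not None:
        # version=1, length=1, option type=1 (SGT), then the 16-bit SGT value
        frame += struct.pack("!HBBHH", ETHERTYPE_CMD, 1, 1, 1, sgt)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vlan, sgt, l3_length); vlan and sgt are None when absent."""
    off, vlan, sgt = 12, None, None           # off = position of the EtherType
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETHERTYPE_DOT1Q:
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    if etype == ETHERTYPE_CMD:
        if len(frame) < off + CMD_LEN + 2:
            raise ValueError("truncated CMD header")
        ver, length, opt, sgt = struct.unpack_from("!BBHH", frame, off + 2)
        if (ver, length, opt) != (1, 1, 1):
            raise ValueError("unexpected CMD version/length/option")
        off += CMD_LEN
    return vlan, sgt, len(frame) - (off + 2)  # bytes left for the IP packet


def l2_overhead(sgt=None, vlan=None):
    """Layer 2 header bytes in front of the IP packet."""
    return len(build_frame(b"", sgt, vlan))


if __name__ == "__main__":
    ip_packet = bytes(1500)                   # constructed full-size IP packet
    for label, kw in [("untagged", {}), ("802.1Q", {"vlan": 20}),
                      ("802.1Q + SGT", {"vlan": 20, "sgt": 10})]:
        frame = build_frame(ip_packet, **kw)
        print(f"{label:13} header={l2_overhead(**kw):2} "
              f"frame={len(frame)} parsed={parse_frame(frame)}")
```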
