Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
From a tunnel usage and MTU perspective, doesn't matter if just a pair of site or mutli-sites. What's important is whether fragmentation is happening on any tunnel.
Thought whitepaper had MTU recommendations, including a generic recommendation of using an IP MTU of 1400 to allow for GRE/IPSec tunnel overhead; but I haven't recently re-read it.
No, all sites don't have to have the same IP MTU configuration, although it's somewhat unusual if they don't.
The key take always are:
- Setting IP MTU, on tunnel interface, to allow for overhead.
- Setting PMTUD on tunnel interface to keep tunnel from fragmenting packets with DF bit set and to also deal with physical path with a MTU less than expected.
- Using the TCP mss-adjust command to get TCP sessions on optimal MTU starting at TCP session handshake.
I've done lots of tunneling, the above won't 100% guarantee all cases will avoid fragmentation. For example, recently I had a fragmentation issue across a VTI tunnel because of video from security camera. Traffic was non-TCP, and didn't set DF and exceeded tunnel's MTU.
