11-02-2012 09:34 AM - edited 03-04-2019 06:02 PM
Hi, I have a situation where I need to clear the DF bit on a GRE tunnel. I have configured a route-map, however it doesn't seem to be working. Not sure if I'm not testing it right or the route-map to clear the DF is set on the wrong interface.
interface Tunnel7
description GRE Tunnel Between router A and B
ip address XXXX 255.255.255.252
ip policy route-map clear_tunnel_df_RM
tunnel source xxxx
tunnel destination xxxx
tunnel path-mtu-discovery
tunnel ttl 35
end
route-map clear_tunnel_df_RM, permit, sequence 10
Match clauses:
ip address (access-lists): tunnel_acl
Set clauses:
ip df 0
Extended IP access list tunnel_acl
10 permit tcp any any
20 permit icmp any any
30 permit ip any any
The above config is on both routers.
For testing, on router B I have a static route to an IP on router A via the tunnel interface, and I'm pinging that IP from router B with the DF option; however, anything over the GRE interface MTU of 1476 gets dropped.
Do I have the route-map on the correct interface, in this case the tunnel int, or should it be on the physical interfaces that are the end points of the tunnel? Also, I'm assuming the ping test I'm using is the correct way of testing.
11-02-2012 09:40 AM
The "ip policy route-map" is an input feature of the interface, so you have to enable it on the physical interface facing your users. With that, you should change your ACEs to include the destination network so that you don't break your complete PMTUD.
11-02-2012 02:00 PM
For some reason, on my Cisco 6500 using native IOS I still can't get this to work. On router A I moved the route-map command to VLAN 2, where the source IP is connected, and on router B I did the same for the destination IP. However, when I set the DF bit, packets are still getting dropped, as the DF bit doesn't seem to get cleared.
I'm not really sure why this is happening, as I'm assuming the DF bit should be cleared once the ping packet leaves host A on router A and the packet hits the VLAN 2 SVI interface that has the route-map.
host_A-->routerA (vlan2 svi)------->serial PTP----------->RouterB-->(vlan2 svi)--->Host_B
I am bypassing the tunnel for testing purposes now.
11-03-2012 05:12 AM
Try removing PMTUD on tunnel interface.
11-05-2012 07:55 AM
I have tried removing the PMTUD on the tunnels but I still can't get this to work. I really have no idea why this is at this point. Not sure if it's 6500 related.
11-05-2012 09:36 AM
solved
Never mind, I found the issue. After using Wireshark it was clear that I was testing wrong. On my PC the Ethernet has an MTU of 1500 and I was pinging with 1510 with the DF bit set, so it was not even leaving the local Ethernet. After I lowered the MTU (a value higher than the tunnel MTU but lower than the 1500 local Ethernet MTU) and set the DF bit to 1, the DF bit was set to zero and it worked.
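The test pitfall resolved in the last post, as an added example that is not part of the original thread: a small model of where a DF-marked ping ends up, by IP packet length. It assumes 1500-byte Ethernet MTUs and 24 bytes of GRE overhead (which gives the 1476 tunnel MTU quoted above); all function names are hypothetical.

```python
import math

IP_HDR = 20        # IPv4 header without options
ICMP_HDR = 8       # ICMP echo header
GRE_OVERHEAD = 24  # outer IPv4 (20) + GRE (4); 1500 - 24 = 1476 as in the thread


def ip_len_from_payload(payload):
    """IP packet length when the ping tool's size argument is the ICMP data size."""
    return payload + ICMP_HDR + IP_HDR


def fragments_needed(ip_len, mtu):
    """Number of IPv4 fragments needed to carry ip_len over a link with this MTU."""
    per_fragment = (mtu - IP_HDR) // 8 * 8  # fragment data is a multiple of 8 bytes
    return math.ceil((ip_len - IP_HDR) / per_fragment)


def trace_ping(ip_len, df_set, host_mtu=1500, link_mtu=1500, policy_clears_df=True):
    """Return (where, outcome, fragment_count) for one echo request."""
    # Step 1: the sending host checks its own interface MTU before anything else.
    if ip_len > host_mtu:
        if df_set:
            return ("host", "not-sent", 0)  # never reaches the router
        return ("host", "fragmented", fragments_needed(ip_len, host_mtu))
    # Step 2: ingress policy (route-map with "set ip df 0") on the user-facing interface.
    df = df_set and not policy_clears_df
    # Step 3: the router compares the packet with the tunnel MTU.
    tunnel_mtu = link_mtu - GRE_OVERHEAD
    if ip_len <= tunnel_mtu:
        return ("tunnel", "forwarded", 1)
    if df:
        return ("tunnel", "dropped", 0)  # needs fragmentation but DF is still set
    return ("tunnel", "fragmented", fragments_needed(ip_len, tunnel_mtu))


if __name__ == "__main__":
    # Constructed test cases: (IP length, DF set by sender, policy active)
    for ip_len, df, policy in [(ip_len_from_payload(1510), True, True),
                               (1490, True, True),
                               (1490, True, False),
                               (1476, True, False)]:
        print(ip_len, df, policy, trace_ping(ip_len, df, policy_clears_df=policy))
```

A valid test of the route-map uses a DF-marked packet larger than the tunnel MTU but no larger than the sender's own MTU, and confirms in a capture that it arrives fragmented.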