
clearing the DF bit on a GRE tunnel

Hi, I have a situation where I need to clear the DF bit on a GRE tunnel. I have configured a route-map; however, it doesn't seem to be working. Not sure if I'm not testing it right or the route-map to clear the DF is set on the wrong interface.

interface Tunnel7
 description GRE Tunnel Between router A and B
 ip address XXXX
 ip policy route-map clear_tunnel_df_RM
 tunnel source xxxx
 tunnel destination xxxx
 tunnel path-mtu-discovery
 tunnel ttl 35

route-map clear_tunnel_df_RM, permit, sequence 10
  Match clauses:
    ip address (access-lists): tunnel_acl
  Set clauses:
    ip df 0

Extended IP access list tunnel_acl
    10 permit tcp any any
    20 permit icmp any any
    30 permit ip any any

The above config is on both routers.

For testing, on router B I have a static route to an IP on router A via the tunnel interface, and I'm pinging that IP from router B with the DF option; however, anything over the GRE interface MTU of 1476 gets dropped.

Do I have the route-map on the correct interface, in this case the tunnel int, or should it be on the physical interfaces that are the endpoints of the tunnel? Also, I'm assuming the ping test I'm using is the correct way of testing.

VIP Mentor

The "ip policy route-map" is an input feature of the interface. So you have to enable it on the physical interface facing your users. With that, you should change your ACEs to include the destination network so that you don't break your complete PMTUD.


So for some reason on my Cisco 6500 using native IOS I still can't get this to work. On router A I moved the route-map command to VLAN 2, where the source IP is connected, and on router B I did the same for the destination IP. However, when I set the DF bit, packets are still getting dropped, as the DF bit doesn't seem to get cleared.

I'm not really sure why this is happening, as I'm assuming the DF bit should be cleared once the ping packet leaves host A on router A and the packet hits the VLAN 2 SVI interface that has the route-map.

host_A-->routerA (vlan2 svi)------->serial PTP----------->RouterB-->(vlan2 svi)--->Host_B

I am bypassing the tunnel for testing purposes now

VIP Expert




Try removing PMTUD on tunnel interface.


I have tried removing the PMTUD on the tunnels but I still can't get this to work. I really have no idea why this is at this point. Not sure if it's 6500 related.



Never mind, I found the issue. After using Wireshark it was clear that I was testing wrong. On my PC the Ethernet has an MTU of 1500 and I was pinging with 1510 with the DF bit set, so it was not even leaving the local Ethernet. After I lowered the MTU (a value higher than the tunnel MTU but lower than the 1500 local Ethernet MTU) and set the DF bit to 1, the DF bit was set to zero and it worked.
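
The test pitfall resolved above, as an added example that is not part of the original thread: a Python sketch that classifies a DF-set probe against the 1500 local MTU and 1476 tunnel MTU quoted in the posts, and shows what clearing DF changes in the IPv4 header a capture would display. Function names and sample addresses are constructed for illustration; `ip_len` is the full IP packet length (ICMP payload plus 28 bytes of IP and ICMP headers).

```python
import struct

DF = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field

def checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(total_len: int, df: bool, src: bytes, dst: bytes) -> bytes:
    """Minimal 20-byte IPv4 header for an ICMP packet (constructed sample)."""
    fields = [0x45, 0, total_len, 0x1234, DF if df else 0, 64, 1, 0, src, dst]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]

def has_df(header: bytes) -> bool:
    return bool(struct.unpack("!H", header[6:8])[0] & DF)

def clear_df(header: bytes) -> bytes:
    """What a DF-clearing hop does: drop the bit, then recompute the checksum."""
    flags = struct.unpack("!H", header[6:8])[0] & ~DF
    raw = header[:6] + struct.pack("!H", flags) + header[8:10] + b"\x00\x00" + header[12:]
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]

def classify_probe(ip_len: int, local_mtu: int = 1500, tunnel_mtu: int = 1476) -> str:
    """Does a DF-set ping of ip_len bytes (IP header included) test the tunnel?"""
    if ip_len > local_mtu:
        return "never leaves the sender: larger than the local MTU"
    if ip_len > tunnel_mtu:
        return "valid test: needs fragmentation at the tunnel"
    return "proves nothing: fits the tunnel without fragmentation"

if __name__ == "__main__":
    # Constructed sample: documentation addresses, 1490-byte packet with DF set
    hdr = build_header(1490, True, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    print(has_df(hdr), has_df(clear_df(hdr)), checksum(clear_df(hdr)) == 0)
    for size in (1510, 1490, 1400):
        print(size, classify_probe(size))
```

A header whose checksum is valid sums to zero under `checksum()`, so the same function serves to verify a header taken from a capture.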