Hi, I have a situation where I need to clear the DF bit on a GRE tunnel. I have configured a route-map, however it doesn't seem to be working. Not sure if I'm not testing it right or the route-map to clear the DF bit is set on the wrong interface.
description GRE Tunnel Between router A and B
ip address XXXX 255.255.255.252
ip policy route-map clear_tunnel_df_RM
tunnel source xxxx
tunnel destination xxxx
tunnel ttl 35
route-map clear_tunnel_df_RM, permit, sequence 10
ip address (access-lists): tunnel_acl
ip df 0
Extended IP access list tunnel_acl
10 permit tcp any any
20 permit icmp any any
30 permit ip any any
The above config is on both routers.
For testing, on router B I have a static route to an IP on router A via the tunnel interface and I'm pinging that IP from router B with the DF option; however, anything over the GRE interface MTU of 1476 gets dropped.
Do I have the route-map on the correct interface, in this case the tunnel interface, or should it be on the physical interfaces that are the endpoints of the tunnel? Also, I'm assuming the ping test I'm using is the correct way of testing.
The "ip policy route-map" is an input feature of the interface. So you have to enable it on the physical interface facing your users. With that you should change your ACEs to include the destination network so that you don't break your complete PMTUD.
For some reason on my Cisco 6500 using native IOS I still can't get this to work. On router A I moved the route-map command to VLAN 2, where the source IP is connected, and on router B I did the same for the destination IP. However, when I set the DF bit, packets are still getting dropped as the DF bit doesn't seem to get cleared.
I'm not really sure why this is happening, as I'm assuming the DF bit should be cleared once the ping packet leaves host A on router A and the packet hits the VLAN 2 SVI interface that has the route-map.
host_A-->routerA (vlan2 svi)------->serial PTP----------->RouterB-->(vlan2 svi)--->Host_B
I am bypassing the tunnel for testing purposes now
Try removing PMTUD on tunnel interface.
I have tried removing the PMTUD on the tunnels but I still can't get this to work. I really have no idea why this is at this point. Not sure if it's 6500 related.
Never mind, I found the issue. After using Wireshark it was clear that I was testing wrong. On my PC the Ethernet has an MTU of 1500 and I was pinging with 1510 with the DF bit set, so it was not even leaving the local Ethernet. After I lowered the size (a value higher than the tunnel MTU but lower than the 1500 local Ethernet MTU) and set the DF bit to 1, the DF bit was set to zero and it worked.
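To make the resolution above concrete, here is an added example (not from the thread or from Cisco) that builds a constructed IPv4 header, shows what clearing DF does to the header (flag and checksum), and classifies a test packet by size against the 1500-byte local Ethernet MTU and the 1476-byte tunnel MTU from the thread. The addresses, ID and TTL are made-up sample values, and sizes are IP total length (headers included).

```python
import socket
import struct

LOCAL_ETH_MTU = 1500   # the PC's Ethernet MTU mentioned in the thread
GRE_TUNNEL_MTU = 1476  # IP MTU of the GRE tunnel mentioned in the thread

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; checksum field must be zeroed first."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(total_len: int, df: bool, src="10.0.0.10",
                      dst="10.0.1.10", proto=1) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    flags_frag = 0x4000 if df else 0  # DF is bit 14 of the flags/fragment-offset field
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def df_set(header: bytes) -> bool:
    return bool(struct.unpack("!H", header[6:8])[0] & 0x4000)

def clear_df(header: bytes) -> bytes:
    """Effect of the route-map's 'ip df 0' on a matched packet: clear DF, fix checksum."""
    flags_frag = struct.unpack("!H", header[6:8])[0] & ~0x4000
    hdr = (header[:6] + struct.pack("!H", flags_frag) + header[8:10]
           + b"\x00\x00" + header[12:])
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def classify_test(header: bytes, egress_mtu=LOCAL_ETH_MTU,
                  tunnel_mtu=GRE_TUNNEL_MTU) -> str:
    """Where a DF test packet of this size is dropped, and whether the route-map matters."""
    total_len = struct.unpack("!H", header[2:4])[0]
    if total_len > egress_mtu:
        return "dropped on host: larger than local Ethernet MTU, never reaches the router"
    if total_len <= tunnel_mtu:
        return "fits tunnel MTU: DF handling is never exercised"
    if df_set(header):
        return "dropped at tunnel: DF set and larger than tunnel MTU (route-map not applied)"
    return "fragmented into tunnel: DF cleared, packet forwarded"
```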