
Urgent: where to configure ip tcp adjust-mss 1452, in main FastEthernet interface or in subinterfaces?

jgtheodor

Hi everyone,

I have a 2811 Internet router with an ADSL uplink, and there is a need to configure subinterfaces on the main FastEthernet interface, which points to the internal LAN and is connected to a layer 2 switch. So my question is where I have to configure the relevant "ip tcp adjust-mss 1452" command: in the main physical FastEthernet interface, in the logical subinterfaces, or both? I have not found any relevant Cisco documentation for this issue, but I believe that I should configure the command in all IP subinterfaces. Am I right?

Moreover, I am planning to segment the main FastEthernet with 3 subinterfaces because of the addition of another network device. So I will configure the first one as the native (with the VLAN used for the native trunks, IP unnumbered), the second with the VLAN pointing to my external firewalls, and the third one pointing to the new device, the VPN gateway. I am doing this because I want to isolate all the VPN traffic from the rest of the inbound Internet traffic. Do you believe that this is the right approach? Do you think that I might have a performance or security issue with such a design in the future?

Thank you in advance!

Warm Regards


andrew.prince

Firstly - why 1452?

Secondly, I configure it directly on the interface where the MTU/MSS is having issues - in your case the ADSL interface.

HTH.

Hi,

1452 because PPPoE truncates the Ethernet maximum transmission unit (MTU) to 1492, and if you consider the IP header (20 bytes) and the TCP header (20 bytes), then finally we have 1452.

http://www.cisco.com/en/US/docs/ios/12_2sb/12_2sba/feature/guide/sb_admss.pdf

In several Cisco configuration examples this command is entered in the LAN interface, so I am using it in the inside LAN interface.

I ask, as in the past when I have also been using NAT and virtual Assembly I have required a lower value for the MSS to be intercepted. I have seen that document and plenty of others - and I would suggest you do some testing before you take that number as the law.

JYTPW.

Anybody? Is this redundant, or not? If yes, which one is obsolete?

interface GigabitEthernet0/0
 no ip address
 ip tcp adjust-mss 1354
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
 ip tcp adjust-mss 1354

Hi,

Yes it is redundant, the ip tcp adjust-mss only needs to be on the subinterface in this example, because it is a layer 3 interface. Where there are MTU issues there are MTU issues for all protocols.

This command only affects TCP traffic. If you monitor closely you will notice UDP traffic getting fragmented or dropped on occasion. Usually it is UDP port 88 Kerberos (MS Windows) or SNMP 161 when polling some devices that give large amounts of information in response. The MTU would be 40 bytes larger than the MSS you are using in this example, so "ip mtu 1394" would be used in the subinterface here to cover the larger UDP packets encountered.

Cheers,

Brian

Joseph W. Doherty

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You can use the command anywhere along the path. Ideally, you apply it on an interface such that only the relevant traffic that needs the adjustment will be impacted.

Your external (PPPoE) facing interface is a good choice. Not sure whether it would work for you on just the physical interface. I would try it on your subinterfaces whose traffic will actually transit the PPPoE. On subinterfaces, I wouldn't expect you would need it on both the physical interface and the subinterfaces.

Hi,

I have a few questions regarding the ip tcp adjust-mss command:

1. Does this command rewrite MSS in SYN packet from client to server and in SYN/ACK packet from server to client?

2. Client/Server MSS need not be the same as mentioned below. Client and Server will not settle on the lower of the two MSS values [sent and received] is still valid, right?

Per RFC 879:

3. The TCP Maximum Segment Size Option

TCP provides an option that may be used at the time a connection is established (only) to indicate the maximum size TCP segment that can be accepted on that connection. This Maximum Segment Size (MSS) announcement (often mistakenly called a negotiation) is sent from the data receiver to the data sender and says "I can accept TCP segments up to size X". The size (X) may be larger or smaller than the default. The MSS can be used completely independently in each direction of data flow. The result may be quite different maximum sizes in the two directions.


Posting

1. Does this command rewrite MSS in SYN packet from client to server and in SYN/ACK packet from server to client?

Oh, without looking it up, I forget exactly what it does. I do know it will affect TCP handshake in either direction.

2. Client/Server MSS need not be the same as mentioned below. Client and Server will not settle on the lower of the two MSS values [sent and received] is still valid, right?

Yes, but as I noted above, the command will examine and perhaps modify traffic in either direction. Only if one or both side sources was less than the adjustment would that handshake be ignored.

e.g.

host A has mss 1460

host B has mss 1260

you configure mss-adjust 1360

host A would be reset to 1360, host B would be left at 1260
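The clamping described in the host A / host B example above, as an added sketch that is not part of the thread and is not Cisco's implementation: it walks the TCP options of a SYN and lowers the MSS option to the configured value only when the advertised value is larger. The function names and the sample option bytes are constructed for illustration.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2

def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest MSS that fits in `mtu` with option-less IPv4 and TCP headers."""
    return mtu - ip_hdr - tcp_hdr

def clamp_mss(options: bytes, is_syn: bool, clamp: int):
    """Return (new_options, old_mss, new_mss) for one TCP options field.

    The MSS option is only sent on segments with SYN set (SYN and SYN/ACK),
    so other segments, and SYNs without an MSS option, pass through as-is.
    A real device must also recompute the TCP checksum after the rewrite.
    """
    if not is_syn:
        return options, None, None
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(out):
            break                        # truncated option, leave untouched
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            break                        # malformed length, do not read past the field
        if kind == TCP_OPT_MSS and length == 4:
            old = struct.unpack_from("!H", out, i + 2)[0]
            new = min(old, clamp)        # only ever lower the value, never raise it
            struct.pack_into("!H", out, i + 2, new)
            return bytes(out), old, new
        i += length
    return options, None, None

def syn_options(mss):
    """Constructed sample: MSS option, two NOPs, SACK-permitted."""
    return struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + bytes([1, 1, 4, 2])

if __name__ == "__main__":
    print("PPPoE MTU 1492 ->", mss_for_mtu(1492))
    for host, mss in (("A", 1460), ("B", 1260)):
        _, old, new = clamp_mss(syn_options(mss), True, 1360)
        print(f"host {host}: advertised {old}, forwarded {new}")
```
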
