Solved: MTU issue in Switched network

ele203026 · ‎11-16-2015

I have a L3 swithces network as shown in the diagram. Comunication between client PC to ISE is okay but Large packets from client PC cannot get to Cisco ISE due to MTU incompatibility issues as indicated in the diagram.

My questions are; Does a switch with Jumbo MTU settings get to fragment its packet under any circumstance i.e does it perform PMTU discovery? When it recieves a packet too big icmp message.

Whats the best way to get the large packet to ISE from the client in this case without changing the MTUs on the switches? I can change SVI to no switch port if it will solve my problem

Thanks.

Joseph W. Doherty · ‎11-17-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"Talking about L3 fragmentation, does this happen on SVI or routed interface only?"

Both.

"Can i use a router in between the 2 networks with one interface set with Jumbo MTU, and the other interface set as normal?"

If the router supports individual interfaces with jumbo MTU.

BTW, even on a 3750, system MTU allows for L2 support of jumbo MTU but if you're using L3 interfaces, you should, I beleive, be able to use IP MTU to force the egress to use a smaller L2 MTU too. I.e. you may not need to have a separate router to force the MTU reduction. You will, though, need to cross a L3 interface (outbound).

View solution in original post

acampbell · ‎11-16-2015

Hi,

Looking at this link re Jumbo/Giant support for the 3750 - MTU is media interface type related
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/24048-148.html#c3

Regards
Alex

Regards, Alex. Please rate useful posts.

ele203026 · ‎11-16-2015

Thanks Acampbell, will check the link and revert.

Joseph W. Doherty · ‎11-16-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Sorry, I'm not finding your diagram clear for all the information I need.

In general, MTU (IP) fragmentation only happens when you hit an egress L3 interface which has a smaller MTU.

PMTUD sets the IP packet's DF bit, which will cause an L3 egress interface, with a too small MTU to not fragment, but instead it drops the packet and sends an ICMP message that the IP packet was too large.

ele203026 · ‎11-16-2015

What part of the diagram do you nee clarification on? all the switches are connected via trunks and communicated is routed via the SVIs.

"MTU (IP) fragmentation only happens when you hit an egress L3 interfac"clarification please? Egress/Ingress or both?

Thanks for the effort

Joseph W. Doherty · ‎11-16-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

What I was looking for on the diagram, is MTU on every transit interface and where the L3 boundaries are. [edit - as all the switches are 3750s, I thought there's only one global MTU setting for all interfaces - but your drawing mentions multiple MTU settings?]

L3 fragmentation, as noted, is only done (if done) at L3 egress (it's not done on L3 ingress).

ele203026 · ‎11-17-2015

Yes Joseph. one global mtu per 3750. if you look at the diagram again, you'll see that their are 2 administrative/network domains. al the switches in domain A are set with jumbo mtu while B is on default. Thats the reason for the mtu incompatibility in the first place.

Talking about L3 fragmentation, does this happen on SVI or routed interface only?

Can i use a router in between the 2 networks with one interface set with Jumbo MTU, and the other interface set as normal?

Joseph W. Doherty · ‎11-17-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"Talking about L3 fragmentation, does this happen on SVI or routed interface only?"

Both.

"Can i use a router in between the 2 networks with one interface set with Jumbo MTU, and the other interface set as normal?"

If the router supports individual interfaces with jumbo MTU.

BTW, even on a 3750, system MTU allows for L2 support of jumbo MTU but if you're using L3 interfaces, you should, I beleive, be able to use IP MTU to force the egress to use a smaller L2 MTU too. I.e. you may not need to have a separate router to force the MTU reduction. You will, though, need to cross a L3 interface (outbound).

Vivek Ganapathi · ‎11-16-2015

Hi,

IMHO, the client never talks to Cisco ISE directly. It is the NAD (i.e the switch) which sends RADIUS packet to the Cisco ISE. So, in your case there is some kind of fragmentation occuring between NAD & the ISE. Are you using EAP for authentication? Please let me know what is the RADIUS overhead during EAP Identity/Response (may need a packet capture) if you are using EAP.

Regards

Vivek

ele203026 · ‎11-17-2015

Yes Switch sends the radius packet to ISE and because its EAP, the packet is actually larger than standard mtu 1500. All switches in network A have jumbo mtu and network B have normal mtu

I cant set mtu to be same in network A and network B due to different administrative responsibility.

Can i use a router or firewall(no NAT) in between the 2 networks with one interface set with Jumbo mtu, and the other interface set as normal?