Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4439
Views
0
Helpful
4
Replies

How IPSec Overhead effects MTU ?

Go to solution
ioanniatr
Level 1
Level 1

‎11-04-2010 05:24 PM - edited ‎02-21-2020 04:57 PM

Hi,

I have seen all capabilities/combinations of IPsec with different security algorithms and modes, but i have the question, how much overhead is added finally to a packet and how this effects MTU (eg MTU for Ethernet frame is 1400 Bytes ) on each case?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
danny.carroll
Level 1
Level 1

‎11-04-2010 08:50 PM

Since it varies I dunno how to answer. Here is a great article explaining it..

http://www.iphelp.ru/doc/3/Cisco.Press.Comparing.Designing.and.Deploying.VPNs.Apr.2006/1587051796/ch07lev1sec4.html

If you didn't know:

You can test out the mtu with the ping command. #ping 192.168.0.1 size 1423 df-bit

View solution in original post

0 Helpful

Go to solution
danny.carroll
Level 1
Level 1
In response to danny.carroll

‎11-05-2010 06:34 AM

you can set it on the pc for sure.

you can set it on the router too but cisco say's.

set

Outer IP header will have the DF bit set; however, the router may fragment the packet if the original packet had the DF bit cleared.

I guess you could try and see how it works. Let me know as i just found this article

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html

View solution in original post

0 Helpful
4 Replies 4

Go to solution
danny.carroll
Level 1
Level 1

‎11-04-2010 08:50 PM

Since it varies I dunno how to answer. Here is a great article explaining it..

http://www.iphelp.ru/doc/3/Cisco.Press.Comparing.Designing.and.Deploying.VPNs.Apr.2006/1587051796/ch07lev1sec4.html

If you didn't know:

You can test out the mtu with the ping command. #ping 192.168.0.1 size 1423 df-bit

0 Helpful

Go to solution
ioanniatr
Level 1
Level 1
In response to danny.carroll

‎11-05-2010 03:14 AM

Thanks,this is what i was looking for. I didn't knew this command. I know about DF-bit but i didn't knew how to use it.

i suppose that "df-bit" part of the command sets "Don't Fragmented" bit to 1....

What if i want to set this bit to 1 permanent for all outgoing packets on a single inerface?

0 Helpful

Go to solution
danny.carroll
Level 1
Level 1
In response to danny.carroll

‎11-05-2010 06:34 AM

you can set it on the pc for sure.

you can set it on the router too but cisco say's.

set

Outer IP header will have the DF bit set; however, the router may fragment the packet if the original packet had the DF bit cleared.

I guess you could try and see how it works. Let me know as i just found this article

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftdfipsc.html

0 Helpful

Go to solution
ioanniatr
Level 1
Level 1
In response to danny.carroll

‎11-08-2010 12:15 PM

Hi,

Xmm... Interesting theory. I'll try it and i 'll let you know. .

Thanks,

John

0 Helpful
Customers Also Viewed These Support Documents