-
Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide
-
Preface
-
Using Cisco IOS Software
-
SIP, SSC, and SPA Product Overview
-
Overview of the SIPs and SSC
-
Configuring the SIPs and SSC
-
Troubleshooting the SIPs and SSC
-
Overview of the ATM SPAs
-
Configuring the ATM SPAs
-
Troubleshooting the ATM SPAs
-
Overview of the CEoP and Channelized ATM SPAs
-
Configuring the CEoP and Channelized ATM SPAs
-
Overview of the Ethernet SPAs
-
Configuring the Fast Ethernet and Gigabit Ethernet SPAs
-
Troubleshooting the Fast Ethernet and Gigabit Ethernet SPAs
-
Overview of the POS SPAs
-
Configuring the POS SPAs
-
Overview of the Serial SPAs
-
Configuring the 8-Port Channelized T1/E1 SPA
-
Configuring the 2-Port and 4-Port Clear Channel T3/E3 SPAs
-
Configuring the 2-Port and 4-Port Channelized T3 SPAs
-
Configuring the 1-Port Channelized OC-3/STM-1 SPA
-
Cisco 1-Port Channelized OC-48/DS3 STM-16 SPA
-
Configuring the 4-Port Serial Interface SPA
-
Troubleshooting the Serial SPAs
-
Overview of the IPSec VPN SPA
-
Configuring VPNs on the IPSec VPN SPA
-
Configuring VPNs in VRF Mode
-
Configuring IPSec VPN Fragmentation and MTU
-
Configuring IKE Features Using the IPSec VPN SPA
-
Configuring Enhanced IPSec Features Using the IPSec VPN SPA
-
Configuring PKI Using the IPSec VPN SPA
-
Configuring Advanced VPNs Using the IPSec VPN SPA
-
Configuring Duplicate Hardware Configurations and IPSec Failover Using the IPSec VPN SPA
-
Configuring Monitoring and Accounting for the IPSec VPN SPA
-
IPv6 Support for the IPsec VSPA
-
Troubleshooting the IPSec VPN SPA
-
Upgrading Field-Programmable Devices
-
Feedback
Table Of Contents
Configuring IPSec VPN Fragmentation and MTU
Understanding IPSec VPN Fragmentation and MTU
Overview of Fragmentation and MTU
Fragmentation in Different Modes
Fragmentation in Crypto-Connect Mode
Fragmentation of IPSec (Using Crypto Maps) Packets in VRF Mode
Fragmentation of GRE Packets with Tunnel Protection in VRF Mode
Configuring IPSec Prefragmentation
IPSec Prefragmentation Configuration Guidelines
Configuring IPSec Prefragmentation Globally
Configuring IPSec Prefragmentation at the Interface
Verifying the IPSec Prefragmentation Configuration
MTU Settings Configuration Guidelines and Restrictions
Changing the Physical Egress Interface MTU
Changing the Tunnel Interface MTU
Changing the Interface VLAN MTU
Configuring IPSec VPN Fragmentation and MTU
This chapter provides information about configuring IPSec VPN fragmentation and the maximum transmission unit (MTU). It includes the following sections:
•
Understanding IPSec VPN Fragmentation and MTU
•
For more information about the commands used in this chapter, see the Cisco 7600 Series Cisco IOS Command Reference, 12.2 SR publication. Also refer to the related Cisco IOS Release 12.2 software command reference and master index publications. For more information about accessing these publications, see the "Related Documentation" section.
Understanding IPSec VPN Fragmentation and MTU
This section includes the following topics:
•
•
Overview of Fragmentation and MTU
When a packet is nearly the size of the maximum transmission unit (MTU) of the physical egress port of the encrypting router, and it is encapsulated with IPSec headers, it probably will exceed the MTU of the egress port. This condition causes the packet to be fragmented after encryption (post-fragmentation), which requires the IPSec peer to perform reassembly before decryption, degrading its performance. To minimize post-fragmentation, you can set the MTU in the upstream data path to ensure that most fragmentation occurs before encryption (prefragmentation). Prefragmentation for IPSec VPNs avoids performance degradation by shifting the reassembly task from the receiving IPSec peer to the receiving end hosts.
Note
To ensure prefragmentation in most cases, we recommend the following MTU settings:
•
•
Note
The following are additional guidelines for IPSec prefragmentation and MTU in crypto-connect mode:
•
•
•
Note
The IPSec and GRE prefragmentation feature differs based on the Cisco IOS release, as described in Table 27-1.
For general information on fragmentation and MTU issues, see "Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSec" at this URL:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
IPSec Prefragmentation
In the IPSec prefragmentation process (also called Look-Ahead Fragmentation, or LAF), the encrypting router can predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). IPSec prefragmentation avoids reassembly by the receiving router before decryption and helps improve overall IPSec traffic throughput by shifting the reassembly task to the end hosts.
A packet will be fragmented before encryption if it is predetermined that the encrypted packet will exceed the MTU of the output interface.
Fragmentation in Different Modes
The fragmentation process differs depending on the IPSec VPN mode and whether GRE or VTI are used, as described in the following sections:
•
•
•
In the following fragmentation descriptions, we assume that the DF (Don't Fragment) bit is not set for packets entering the flowchart. If a packet requires fragmentation and the DF bit is set, the packet will be dropped.
Fragmentation in Crypto-Connect Mode
The following are the relevant MTU settings for fragmentation of packets in crypto-connect mode:
•
Prefragmentation of non-GRE traffic by the RP will be based on this MTU.
•
Prefragmentation of GRE traffic will be based on this MTU.
•
Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
•
•
–
–
•
–
–
•
Figure 27-1 shows the fragmentation process for packets in crypto-connect mode.
Figure 27-1 Fragmentation of Packets in Crypto-Connect Mode
Fragmentation of IPSec (Using Crypto Maps) Packets in VRF Mode
The following are the relevant MTU settings for fragmentation of IPSec traffic in VRF mode:
•
Prefragmentation by the RP will be based on this MTU.
•
Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
•
•
–
–
The fragmentation process for IPSec packets in VRF mode is shown in Figure 27-2.
Figure 27-2 Fragmentation of IPSec Packets in VRF Mode
Fragmentation of GRE Packets with Tunnel Protection in VRF Mode
The following are the relevant MTU settings for fragmentation of GRE traffic with tunnel protection in VRF mode:
•
Prefragmentation will be based on this MTU.
•
Pre- and post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
•
–
–
•
–
–
The fragmentation process for GRE packets with tunnel protection in VRF mode is shown in Figure 27-3.
Figure 27-3 Fragmentation of GRE Packets with Tunnel Protection in VRF Mode
Fragmentation in VTIs
The following are the relevant MTU settings for fragmentation of VTI packets:
•
Prefragmentation will be based on this MTU.
Note
•
Post-fragmentation by the IPSec VPN SPA will be based on this MTU.
Fragmentation will be performed as follows:
•
Note
•
The fragmentation process for VTI packets is shown in Figure 27-4.
Figure 27-4 Fragmentation of VTI Packets
Configuring IPSec Prefragmentation
IPSec prefragmentation can be configured globally or at the interface level. By default, IPSec prefragmentation is enabled globally. Enabling or disabling IPSec prefragmentation at the interface will override the global configuration.
IPSec Prefragmentation Configuration Guidelines
When configuring IPSec prefragmentation, follow these guidelines:
•
•
•
•
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprefrg.html
•
–
–
•
•
Configuring IPSec Prefragmentation Globally
IPSec prefragmentation is globally enabled by default. To enable or disable prefragmentation for IPSec VPNs at the global level, perform this task beginning in global configuration mode:
Configuring IPSec Prefragmentation at the Interface
IPSec prefragmentation is globally enabled by default. To enable or disable prefragmentation for IPSec VPNs at the interface level, perform this task beginning in interface configuration mode for the interface to which the crypto map is attached:
Note
Verifying the IPSec Prefragmentation Configuration
To verify that IPSec prefragmentation is enabled, consult the interface statistics on the encrypting router and the decrypting router. If fragmentation occurs on the encrypting router, and no reassembly occurs on the decrypting router, fragmentation is occurring before encryption, which means that the packets are not being reassembled before decryption and the feature is enabled.
To verify that the IPSec prefragmentation feature is enabled, enter the show running-configuration command on the encrypting router. If the feature is enabled, no fragmentation feature will appear in the command output:
Router# show running-configurationcrypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 25.0.0.7crypto ipsec transform-set fooprime esp-3des esp-sha-hmac!!! the postfragmentation feature appears here if IPSec prefragmentation is disabledcrypto map bar 10 ipsec-isakmpset peer 25.0.0.7set transform-set fooprimematch address 102If IPSec prefragmentation has been disabled, the postfragmentation feature will appear in the command output:
Router# show running-configurationcrypto isakmp policy 10authentication pre-sharecrypto isakmp key abcd123 address 25.0.0.7crypto ipsec transform-set fooprime esp-3des esp-sha-hmaccrypto ipsec fragmentation after-encryptioncrypto map bar 10 ipsec-isakmpset peer 25.0.0.7set transform-set fooprimematch address 102To display the configuration of the encrypting router interface VLAN, enter the show running-configuration interface command. If the IPSec prefragmentation feature is enabled, a prefragmentation statement will appear in the command output:
Router# show running-configuration interface vlan2interface Vlan2ip address 15.0.0.2 255.255.255.0crypto map testtagcrypto engine slot 1/0crypto ipsec fragmentation before-encryptionIf the IPSec prefragmentation feature has been disabled at the interface VLAN, a postfragmentation statement will appear in the command output:
Router# show running-configuration interface vlan2interface Vlan2ip address 15.0.0.2 255.255.255.0crypto map testtagcrypto engine slot 1/0crypto ipsec fragmentation after-encryption endConfiguring MTU Settings
The Cisco IOS software allows the configuration of the Layer 3 maximum transmission unit (MTU) of interfaces and VLANs. You should ensure that all MTU values are consistent to avoid unnecessary fragmentation of packets.
Note
MTU Settings Configuration Guidelines and Restrictions
When configuring MTU settings for an IPSec VPN SPA, follow these guidelines and note these restrictions:
•
–
–
–
•
Note
Changing the Physical Egress Interface MTU
You can configure either the Layer 3 MTU or the IP MTU of the physical egress interface. To change the MTU value on a physical egress interface, perform this task beginning in global configuration mode:
Step 1
Router(config)# interface type1 slot/port
Enters interface configuration mode for the interface.
Step 2
Router(config-if)# mtu bytes
Configures the maximum transmission unit (MTU) size for the interface.
•
1 type = fastethernet, gigabitethernet, or tengigabitethernet
Changing the Tunnel Interface MTU
You can configure the IP MTU of the tunnel interface, but you cannot configure the Layer 3 MTU. To change the IP MTU value on a tunnel, perform this task beginning in global configuration mode:
Changing the Interface VLAN MTU
You can configure the Layer 3 MTU of the interface VLAN. To change the MTU value on an interface VLAN, perform this task beginning in global configuration mode:
Verifying the MTU Size
To verify the MTU size for an interface, enter the show interface command or the show ip interface command, as shown in the following examples:
To display the MTU value for a secure port, enter the show interface command:
Router# show interface g1/1GigabitEthernet1/1 is up, line protocol is up (connected)Hardware is C6k 1000Mb 802.3, address is 000a.8ad8.1c4a (bia 000a.8ad8.1c4a)MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,reliability 255/255, txload 1/255, rxload 1/255...To display the MTU size for an interface VLAN, enter the show interface command.
Router# show interface vlan2Vlan2 is up, line protocol is upHardware is EtherSVI, address is 000e.39ad.e700 (bia 000e.39ad.e700)Internet address is 192.168.1.1/16MTU 1000 bytes, BW 1000000 Kbit, DLY 10 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation ARPA, loopback not set...To display the IP MTU value for a GRE tunnel, enter the show ip interface command:
Router# show ip interface tunnel 2Tunnel2 is up, line protocol is upInternet address is 11.1.0.2/16Broadcast address is 255.255.255.255Address determined by non-volatile memoryMTU is 1450 bytes...
