Table Of Contents
DF Bit Override Functionality with IPsec Tunnels
Feature Overview
Benefits
Restrictions
Related Documents
Supported Platforms
Supported Standards, MIBs, and RFCs
Prerequisites
Configuration Tasks
Configuring the DF Bit for the Encapsulating Header in Tunnel Mode
Verifying DF Bit Setting
Configuration Examples
DF Bit Setting Configuration Example
Command Reference
DF Bit Override Functionality with IPsec Tunnels
Feature History
Release | Modification
Cisco IOS | For information about feature support in Cisco IOS software, use Cisco Feature Navigator.
Cisco IOS XE Release 2.1 | This feature was introduced on Cisco ASR 1000 Series Routers.
This feature module describes the DF Bit Override Functionality with IPsec Tunnels feature and contains the following sections:
• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Prerequisites
• Configuration Tasks
• Configuration Examples
• Command Reference
Feature Overview
The DF Bit Override Functionality with IPsec Tunnels feature allows customers to specify whether their router clears, sets, or copies (from the encapsulated inner header) the Don't Fragment (DF) bit in the encapsulating header. The DF bit is a bit within the IP header that determines whether a router is allowed to fragment a packet.
Some customer configurations have hosts that perform the following functions:
• Set the DF bit in packets they send
• Use firewalls that block Internet Control Message Protocol (ICMP) errors from outside the firewall, preventing hosts from learning about the maximum transmission unit (MTU) size outside the firewall
• Use IP Security (IPsec) to encapsulate packets, reducing the available MTU size
Customers whose configurations have hosts that prevent them from learning about their available MTU size can configure their router to clear the DF bit and fragment the packet.
Note: In compliance with RFC 2401, this feature can be configured globally or per interface. If both levels are configured, the interface configuration will override the global configuration.
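The following added example (not Cisco's code, not from this document) models what the overview describes: a host's full-size packet with DF set is encapsulated in IPsec tunnel mode, the outer header's DF bit is derived from the clear/set/copy policy, and a downstream link with a smaller MTU then either forwards, fragments, or drops the packet with an ICMP error that a restrictive firewall would hide from the host. The addresses, the 1480-byte payload, and the 40-byte ESP overhead are constructed values; real ESP bytes are replaced by zeros since only the outer IP header matters here.

```python
import struct

DF_FLAG = 0x4000     # Don't Fragment bit in the IPv4 flags/fragment-offset field
IPPROTO_ESP = 50     # protocol number carried in the outer header for ESP
ESP_OVERHEAD = 40    # constructed stand-in for SPI, sequence number, IV, padding and ICV


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool) -> bytes:
    """20-byte IPv4 header without options; df selects the DF flag."""
    flags_frag = DF_FLAG if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, 64, proto, 0, _ip_to_bytes(src), _ip_to_bytes(dst))
    # fill in the header checksum (bytes 10-11) over the header with a zero checksum field
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def df_is_set(header: bytes) -> bool:
    return bool(struct.unpack("!H", header[6:8])[0] & DF_FLAG)


def outer_df(policy: str, inner_header: bytes) -> bool:
    """Apply the crypto ipsec df-bit policy: clear, set, or copy from the inner header."""
    if policy == "clear":
        return False
    if policy == "set":
        return True
    if policy == "copy":
        return df_is_set(inner_header)
    raise ValueError("unknown df-bit policy: %r" % policy)


def encapsulate_tunnel_mode(inner_packet: bytes, outer_src: str, outer_dst: str, policy: str) -> bytes:
    """Tunnel mode: the whole inner packet becomes the payload of a new outer IP header.
    The ESP header (8 bytes) and trailer/ICV (32 bytes) are represented by zeros (constructed)."""
    outer = build_ipv4_header(outer_src, outer_dst, IPPROTO_ESP,
                              len(inner_packet) + ESP_OVERHEAD,
                              outer_df(policy, inner_packet[:20]))
    return outer + b"\x00" * 8 + inner_packet + b"\x00" * (ESP_OVERHEAD - 8)


def forwarding_decision(packet: bytes, link_mtu: int) -> str:
    """What a router on the path does with the outer packet for a given link MTU."""
    if len(packet) <= link_mtu:
        return "forward"
    if df_is_set(packet[:20]):
        return "drop, ICMP fragmentation needed"   # the host never sees this if ICMP is filtered
    return "fragment"


def demo(policy: str, inner_df: bool, link_mtu: int = 1500) -> str:
    # Constructed full-size 1500-byte inner TCP packet (20-byte header + 1480-byte payload)
    inner = build_ipv4_header("10.1.1.10", "10.2.2.20", 6, 1480, inner_df) + b"A" * 1480
    outer = encapsulate_tunnel_mode(inner, "192.168.10.38", "192.168.10.66", policy)
    return forwarding_decision(outer, link_mtu)


if __name__ == "__main__":
    for policy in ("clear", "set", "copy"):
        print("%-5s inner DF set -> %-32s inner DF clear -> %s"
              % (policy, demo(policy, True), demo(policy, False)))
```

With the 1500-byte inner packet the outer packet is 1560 bytes, so on a 1500-byte link only the clear policy (or copy with an inner packet that has DF clear) lets the router fragment; set, or copy of a DF-marked packet, produces the ICMP-dependent drop that the overview warns about.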
Benefits
The DF Bit Override Functionality with IPsec Tunnels feature allows customers to configure the setting of the DF bit when encapsulating tunnel mode IPsec traffic on a global or per-interface level. Thus, if the DF bit is set to clear, routers can fragment packets regardless of the original DF bit setting.
Restrictions
Performance Impact
Because each packet is reassembled at the process level, a significant performance impact occurs at a high data rate. Two major caveats are as follows:
• The reassembly queue can fill up and force fragments to be dropped.
• The traffic is slower because of the process switching.
DF Bit Setting Requirement
If several interfaces share the same crypto map using the local address feature, these interfaces must share the same DF bit setting.
Feature Availability
This feature is available only for IPsec tunnel mode. (IPsec transport mode is not affected because it does not provide an encapsulating IP header.)
Related Documents
The following document provides information related to the DF Bit Override Functionality with IPsec Tunnels feature:
• Cisco IOS Security Command Reference
Supported Platforms
This feature is supported on the following platforms:
• Cisco 800
• Cisco 827
• Cisco 1600
• Cisco 1600R
• Cisco 1700
• Cisco 2600
• Cisco 3620
• Cisco 3640
• Cisco 3660
• Cisco 4000
• Cisco 4500
• Cisco 5200
• Cisco 5300
• Cisco 5400
• Cisco 6400
• Cisco 7100
• Cisco 7200
• Cisco 7500
• Cisco uBR7200
• Cisco uBR900
• Cisco uBR905
• Cisco uBR910
This feature runs on all platforms that support IPsec.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
• RFC 2401, Security Architecture for the Internet Protocol
Prerequisites
IPsec must be enabled on your router.
Configuration Tasks
See the following section for configuration tasks for the DF Bit Override Functionality with IPsec Tunnels feature:
• Configuring the DF Bit for the Encapsulating Header in Tunnel Mode
Configuring the DF Bit for the Encapsulating Header in Tunnel Mode
To set the DF bit for the encapsulating header in tunnel mode, use the following command in global configuration mode:
Command: Router(config)# crypto ipsec df-bit [clear | set | copy]
Purpose: Sets the DF bit for the encapsulating header in tunnel mode for all interfaces.
To set the DF bit for a specified interface, use the crypto ipsec df-bit command in interface configuration mode.
Note: DF bit interface configuration settings override all DF bit global configuration settings.
Verifying DF Bit Setting
To verify the current DF Bit settings on your router, use the show running-config command in EXEC mode.
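Because the interface setting overrides the global one, and because interfaces that share a crypto map (local address feature) must agree on the DF bit setting, reading the effective policy off a running-config by eye is error-prone. The added example below (not Cisco's code, not from this document) parses a constructed show running-config excerpt, resolves the effective df-bit policy per IPsec-bearing interface, and flags crypto maps that are applied on interfaces with differing effective settings. The interface names, crypto map names and addresses in the sample are made up, and the assumed default policy when no df-bit command is present is an assumption, not a value taken from this document.

```python
import re
from collections import defaultdict

# Constructed "show running-config" excerpt (not from the page); names and addresses are made up.
SAMPLE_RUNNING_CONFIG = """\
crypto ipsec df-bit clear
!
crypto map armadillo 1 ipsec-isakmp
 set transform-set BearMama
!
interface Ethernet0
 ip address 192.168.10.38 255.255.255.0
 crypto map armadillo
 crypto ipsec df-bit copy
!
interface Ethernet1
 ip address 192.168.11.75 255.255.255.0
 crypto map armadillo
!
interface Serial0
 ip address 10.0.0.1 255.255.255.252
 crypto map basilisk
 crypto ipsec df-bit set
!
"""

# Assumed default when neither a global nor an interface df-bit command is present (assumption).
DEFAULT_POLICY = "copy"

DF_BIT_RE = re.compile(r"^crypto ipsec df-bit (clear|set|copy)$")


def parse_df_bit_config(text):
    """Return (global_policy, {interface: {"crypto_map": name, "df_bit": policy}}).
    IOS prints sub-mode commands indented by one space; unindented lines end any sub-mode."""
    global_policy = None
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):               # top-level command
            current = None
            m = re.match(r"^interface (\S+)$", line)
            if m:
                current = m.group(1)
                interfaces[current] = {"crypto_map": None, "df_bit": None}
            elif DF_BIT_RE.match(line):
                global_policy = DF_BIT_RE.match(line).group(1)
            continue
        if current is None:                       # sub-mode of something other than an interface
            continue
        m = re.match(r"^crypto map (\S+)$", line)  # crypto map applied to the interface
        if m:
            interfaces[current]["crypto_map"] = m.group(1)
        elif DF_BIT_RE.match(line):
            interfaces[current]["df_bit"] = DF_BIT_RE.match(line).group(1)
    return global_policy, interfaces


def effective_policies(global_policy, interfaces):
    """Interface setting overrides global, global overrides the default.
    Only interfaces with a crypto map applied carry tunnel-mode traffic, so only they are reported."""
    base = global_policy or DEFAULT_POLICY
    return {name: cfg["df_bit"] or base
            for name, cfg in interfaces.items() if cfg["crypto_map"]}


def shared_map_conflicts(global_policy, interfaces):
    """Crypto maps applied on several interfaces whose effective DF settings differ."""
    effective = effective_policies(global_policy, interfaces)
    by_map = defaultdict(dict)
    for name, policy in effective.items():
        by_map[interfaces[name]["crypto_map"]][name] = policy
    return {m: members for m, members in by_map.items() if len(set(members.values())) > 1}


if __name__ == "__main__":
    g, ifaces = parse_df_bit_config(SAMPLE_RUNNING_CONFIG)
    print("global df-bit policy:", g)
    print("effective per interface:", effective_policies(g, ifaces))
    print("shared crypto maps with mixed settings:", shared_map_conflicts(g, ifaces))
```

In the sample, Ethernet0 ends up with copy while Ethernet1 inherits the global clear, so the crypto map armadillo they share is reported as a conflict; Serial0's explicit set is fine because basilisk is applied nowhere else.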
Configuration Examples
This section provides the following configuration example:
• DF Bit Setting Configuration Example
DF Bit Setting Configuration Example
In the following example, the router is configured to globally clear the DF bit and to copy the DF bit on the interface named Ethernet0. Thus, all interfaces except Ethernet0 allow the router to fragment packets larger than the available MTU size regardless of the original DF bit; on Ethernet0 the DF bit is copied from the original packet, so the router can fragment only packets whose DF bit is not set.
crypto isakmp key Delaware address 192.168.10.66
crypto isakmp key Key-What-Key address 192.168.11.19
crypto ipsec transform-set BearMama ah-md5-hmac esp-des
crypto ipsec df-bit clear
!
crypto map armadillo 1 ipsec-isakmp
 set transform-set BearMama
!
crypto map basilisk 1 ipsec-isakmp
 set transform-set BearMama
!
! "interface" lines and crypto map attachments were lost in extraction; Ethernet0 is from the description, other names are assumed
interface Ethernet0
 ip address 192.168.10.38 255.255.255.0
 ip broadcast-address 0.0.0.0
 crypto map armadillo
 ! interface setting overrides the global clear on this interface only
 crypto ipsec df-bit copy
!
interface Ethernet1
 ip address 192.168.11.75 255.255.255.0
 ip broadcast-address 0.0.0.0
 crypto map basilisk
!
interface Serial0
 ip broadcast-address 0.0.0.0
Command Reference
The following new commands are pertinent to this feature. To see the command pages for these commands and other commands used with this feature, go to the Cisco IOS Master Commands List at http://www.cisco.com/en/US/products/ps6441/products_product_indices_list.html.
• crypto ipsec df-bit (global configuration)
• crypto ipsec df-bit (interface configuration)
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.