- Overview of Secure Connectivity
-
- Implementing and Managing PKI Features Roadmap
- Overview of PKI
- Deploying RSA Keys Within a PKI
- Configuring Authorization and Revocation of Certificates in a PKI
- Configuring Certificate Enrollment for a PKI
- Storing PKI Credentials
- Source Interface Selection for Outgoing Traffic with Certificate Authority
- Cisco Group Encrypted Transport VPN
- Finding Feature Information
- Contents
- Prerequisites for DF Bit Override Functionality with IPsec Tunnels
- Restrictions for DF Bit Override Functionality with IPsec Tunnels
- Information About DF Bit Override Functionality with IPsec Tunnels
- How to Configure DF Bit Override Functionality with IPsec Tunnels
- Configuration Examples for DB Bit Override Functionality with IPsec Tunnels
- Additional References
- Feature Information for DF Bit Override Functionality with IPsec Tunnels
DF Bit Override Functionality with IPsec Tunnels
The DF Bit Override Functionality with IPsec Tunnels feature allows you to configure the setting of the DF bit when encapsulating tunnel mode IPsec traffic on a global or per-interface level. Thus, if the DF bit is set to clear, routers can fragment packets regardless of the original DF bit setting.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for DF Bit Override Functionality with IPsec Tunnels" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required
Contents
•Prerequisites for DF Bit Override Functionality with IPsec Tunnels
•Restrictions for DF Bit Override Functionality with IPsec Tunnels
•Information About DF Bit Override Functionality with IPsec Tunnels
•How to Configure DF Bit Override Functionality with IPsec Tunnels
•Configuration Examples for DB Bit Override Functionality with IPsec Tunnels
•Feature Information for DF Bit Override Functionality with IPsec Tunnels
Prerequisites for DF Bit Override Functionality with IPsec Tunnels
IPsec must be enabled on your router.
Restrictions for DF Bit Override Functionality with IPsec Tunnels
Performance Impact
Because each packet is reassembled at the process level, a significant performance impact occurs at a high data rate. Two major caveats are as follows:
•The reassemble queue can fill up and force fragments to be dropped.
•The traffic is slower because of the process switching.
DF Bit Setting Requirement
If several interfaces share the same crypto map using the local address feature, these interfaces must share the same DF bit setting.
Feature Availability
This feature is available only for IPsec tunnel mode. (IPsec transport mode is not affected because it does not provide an encapsulating IP header.)
Information About DF Bit Override Functionality with IPsec Tunnels
To configure the DF Bit Override Functionality with IPsec Tunnels feature, you should understand the following concept:
Feature Overview
The DF Bit Override Functionality with IPsec Tunnels feature allows you to specify whether your router can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within the IP header that determines whether a router is allowed to fragment a packet.
Some user configurations have hosts that perform the following functions:
•Set the DF bit in packets they send
•Use firewalls that block Internet Control Message Protocol (ICMP) errors from outside the firewall, preventing hosts from learning about the maximum transmission unit (MTU) size outside the firewall
•Use IP Security (IPsec) to encapsulate packets, reducing the available MTU size
If your configurations have hosts that prevent you from learning about the available MTU size, you can configure your router to clear the DF bit and fragment the packet.
Note In compliance with RFC 2401, this feature can be configured globally or per interface. If both levels are configured, the interface configuration will override the global configuration.
How to Configure DF Bit Override Functionality with IPsec Tunnels
This section contains the following procedure:
•Configuring the DF Bit for the Encapsulating Header in Tunnel Mode
Configuring the DF Bit for the Encapsulating Header in Tunnel Mode
To set the DF bit for the encapsulating header in tunnel mode, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec df-bit [clear | set | copy]
DETAILED STEPS
Verifying DF Bit Setting
To verify the current DF Bit settings on your router, use the show running-config command in EXEC mode.
Configuration Examples for DB Bit Override Functionality with IPsec Tunnels
This section provides the following configuration example:
•DF Bit Setting Configuration: Example
DF Bit Setting Configuration: Example
In following example, the router is configured to globally clear the setting for the DF bit and copy the DF bit on the interface named FastEthernet. Thus, all interfaces except FastEthernet will allow the router to send packets larger than the available MTU size; FastEthernet will allow the router to fragment the packet.
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key Delaware address 192.168.10.66
crypto isakmp key Key-What-Key address 192.168.11.19
!
!
crypto ipsec transform-set exampleset ah-md5-hmac esp-des
crypto ipsec df-bit clear
!
!
crypto map armadillo 1 ipsec-isakmp
set peer 192.168.10.66
set transform-set exampleset
match address 101
!
crypto map basilisk 1 ipsec-isakmp
set peer 192.168.11.19
set transform-set exampleset
match address 102
!
!
interface FastEthernet
ip address 192.168.10.38 255.255.255.0
ip broadcast-address 0.0.0.0
media-type 10BaseT
crypto map armadillo
crypto ipsec df-bit copy
!
interface FastEthernet1
ip address 192.168.11.75 255.255.255.0
ip broadcast-address 0.0.0.0
media-type 10BaseT
crypto map basilisk
!
interface Serial0
no ip address
ip broadcast-address 0.0.0.0
no ip route-cache
no ip mroute-cache
Additional References
The following sections provide references related to the DF Bit Override Functionality with IPsec Tunnels feature.
Related Documents
|
|
---|---|
Internet Key Exchange and IPsec networks |
|
IPsec network commands |
Standards
|
|
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
MIBs
RFCs
|
|
---|---|
No new or modified RFCs are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
Technical Assistance
Feature Information for DF Bit Override Functionality with IPsec Tunnels
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.