DF Bit Override Functionality with IPsec Tunnels
First Published: August 12, 2002
Last Updated: July 31, 2009
The DF Bit Override Functionality with IPsec Tunnels feature allows you to configure the setting of the DF bit in the encapsulating header when the router encapsulates tunnel mode IPsec traffic, on a global or per-interface level. Thus, if the setting is clear, the router can fragment the encapsulated packets regardless of the original DF bit setting.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for DF Bit Override Functionality with IPsec Tunnels" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Prerequisites for DF Bit Override Functionality with IPsec Tunnels
•Restrictions for DF Bit Override Functionality with IPsec Tunnels
•Information About DF Bit Override Functionality with IPsec Tunnels
•How to Configure DF Bit Override Functionality with IPsec Tunnels
•Configuration Examples for DF Bit Override Functionality with IPsec Tunnels
•Additional References
•Feature Information for DF Bit Override Functionality with IPsec Tunnels
Prerequisites for DF Bit Override Functionality with IPsec Tunnels
IPsec must be enabled on your router.
Restrictions for DF Bit Override Functionality with IPsec Tunnels
Performance Impact
Because fragments of an encapsulated packet must be reassembled at the process level before the packet can be decrypted, a significant performance impact occurs at high data rates. Two major caveats are as follows:
•The reassembly queue can fill up and force fragments to be dropped.
•Traffic is slower because of process switching.
DF Bit Setting Requirement
If several interfaces share the same crypto map using the local address feature, these interfaces must share the same DF bit setting.
Feature Availability
This feature is available only for IPsec tunnel mode. (IPsec transport mode is not affected because it does not provide an encapsulating IP header.)
Information About DF Bit Override Functionality with IPsec Tunnels
To configure the DF Bit Override Functionality with IPsec Tunnels feature, you should understand the following concept:
•Feature Overview
Feature Overview
The DF Bit Override Functionality with IPsec Tunnels feature allows you to specify whether your router clears, sets, or copies the Don't Fragment (DF) bit in the encapsulating (outer) IP header that it adds in tunnel mode: clear always permits fragmentation of the encapsulated packet, set never permits it, and copy carries over the DF bit of the original (inner) packet. The DF bit is a bit within the IP header that determines whether a router is allowed to fragment the packet.
Some user configurations have hosts that perform the following functions:
•Set the DF bit in packets they send
•Use firewalls that block Internet Control Message Protocol (ICMP) errors from outside the firewall, preventing hosts from learning about the maximum transmission unit (MTU) size outside the firewall
•Use IP Security (IPsec) to encapsulate packets, reducing the available MTU size
If hosts in your network set the DF bit but cannot learn the available MTU size (for example, because the ICMP errors that carry it are filtered), you can configure your router to clear the DF bit in the encapsulating header and fragment the encapsulated packet.
Note In compliance with RFC 2401, this feature can be configured globally or per interface. If both levels are configured, the interface configuration will override the global configuration.
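As an added illustration (not Cisco code, and not a description of any particular IOS XE implementation), the following Python model shows what each of the three policies does to the DF bit of the encapsulating header and what then happens to a packet that, once encapsulated, no longer fits the outgoing link. The ESP overhead (a 64-bit block cipher with an 8-byte IV and a 96-bit ICV, roughly the shape of esp-des with esp-md5-hmac), the 1500-byte MTU, and the choice to fragment the cleartext before encryption when the outer DF bit is set but the host allowed fragmentation are all assumptions of the model.

```python
# Added example (not Cisco code): a model of how an IPsec tunnel-mode endpoint
# picks the outer DF bit under "crypto ipsec df-bit {clear | set | copy}" and
# what that choice does to an oversize packet. ESP overhead, MTU values and the
# pre-encryption fragmentation branch are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Optional

IP_HDR = 20  # IPv4 header length without options (inner and outer header)


def esp_overhead(inner_len: int, block: int = 8, iv: int = 8, icv: int = 12) -> int:
    """Bytes that tunnel-mode ESP adds to a cleartext packet of inner_len bytes.

    Assumed transform: 64-bit block cipher, 8-byte IV, 96-bit ICV. ESP pads so that
    the payload plus the 2-byte trailer (pad length, next header) is a multiple of
    the cipher block size; the padding figure below includes those 2 bytes.
    """
    padded = ((inner_len + 2 + block - 1) // block) * block
    padding = padded - inner_len
    return IP_HDR + 4 + 4 + iv + padding + icv  # outer IP, SPI, sequence, IV, pad, ICV


def outer_df(policy: str, inner_df: bool) -> bool:
    """DF bit of the encapsulating header under each 'crypto ipsec df-bit' policy."""
    if policy == "clear":
        return False
    if policy == "set":
        return True
    if policy == "copy":
        return inner_df
    raise ValueError(f"unknown df-bit policy {policy!r}")


def largest_inner(link_mtu: int) -> int:
    """Largest cleartext packet whose encapsulated form still fits link_mtu."""
    n = link_mtu
    while n + esp_overhead(n) > link_mtu:
        n -= 1
    return n


def fragment(total_len: int, mtu: int) -> List[int]:
    """IPv4 fragment sizes: each fragment carries the largest multiple of 8 payload
    bytes that fits in mtu, the last one carries the remainder."""
    per_fragment = ((mtu - IP_HDR) // 8) * 8
    payload = total_len - IP_HDR
    sizes = []
    while payload > 0:
        take = min(per_fragment, payload)
        sizes.append(IP_HDR + take)
        payload -= take
    return sizes


@dataclass
class Outcome:
    action: str                     # sent | fragmented_after_encryption |
                                    # fragmented_before_encryption | dropped
    wire_sizes: List[int]           # sizes of the packets that leave the router
    icmp_mtu: Optional[int] = None  # MTU advertised in ICMP type 3 code 4, if any


def forward(policy: str, inner_len: int, inner_df: bool, link_mtu: int) -> Outcome:
    """Encapsulate one cleartext packet and decide what happens on a link of link_mtu."""
    df = outer_df(policy, inner_df)
    outer_len = inner_len + esp_overhead(inner_len)
    if outer_len <= link_mtu:
        return Outcome("sent", [outer_len])
    if not df:
        # Outer DF clear: encrypt, then fragment the ciphertext. The peer must
        # reassemble at process level before it can decrypt (see Restrictions).
        return Outcome("fragmented_after_encryption", fragment(outer_len, link_mtu))
    if inner_df:
        # Outer DF set and the host forbade fragmentation: drop, and report the
        # largest cleartext size that still fits once encapsulated so that path
        # MTU discovery can work (only if the ICMP error reaches the host).
        return Outcome("dropped", [], icmp_mtu=largest_inner(link_mtu))
    # Outer DF set but the host allows fragmentation: this model fragments the
    # cleartext before encryption so every fragment fits after encapsulation
    # (an assumption about endpoint behaviour, not taken from the page).
    pieces = fragment(inner_len, largest_inner(link_mtu))
    return Outcome("fragmented_before_encryption", [p + esp_overhead(p) for p in pieces])


if __name__ == "__main__":
    for policy in ("clear", "set", "copy"):
        for inner_df in (True, False):
            print(policy, "inner DF" if inner_df else "no inner DF", forward(policy, 1500, inner_df, 1500))
```

Running the block prints the outcome for a 1500-byte packet under all six policy and inner-DF combinations. With clear the router emits a 1500-byte and a 72-byte ciphertext fragment that the peer must reassemble before decrypting; with copy and DF set it drops the packet and advertises 1446 bytes, the largest cleartext size that still fits after encapsulation. If the ICMP error is filtered, as the bullets above describe, the host never learns that number and the flow stalls, which is the situation the clear setting is meant to resolve.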
How to Configure DF Bit Override Functionality with IPsec Tunnels
This section contains the following procedure:
•Configuring the DF Bit for the Encapsulating Header in Tunnel Mode
Configuring the DF Bit for the Encapsulating Header in Tunnel Mode
To set the DF bit for the encapsulating header in tunnel mode, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec df-bit [clear | set | copy]
DETAILED STEPS
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
•Enter your password if prompted.
Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: crypto ipsec df-bit [clear | set | copy]
Example: Router(config)# crypto ipsec df-bit set
Purpose: Sets the DF bit for the encapsulating header in tunnel mode for all interfaces. To set the DF bit for a specific interface, use the crypto ipsec df-bit command in interface configuration mode.
Note DF bit interface configuration settings override all DF bit global configuration settings.
Verifying DF Bit Setting
To verify the current DF bit settings on your router, use the show running-config command in privileged EXEC mode and check both the global crypto ipsec df-bit line and any crypto ipsec df-bit line under an interface; the interface line is the effective setting for that interface.
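Added example (not Cisco code): on a router you can narrow the output with show running-config | include df-bit, but that does not tell you which interface each line belongs to or whether the shared-crypto-map restriction above is met. The Python below parses a saved running-config, resolves the effective setting for every interface (interface line first, otherwise the global line) and flags crypto maps that use local-address while being applied to interfaces with different effective settings. The configuration text is constructed for the example, and the assumption that the command defaults to copy when it is not configured at all is mine, not taken from the page.

```python
# Added example (not Cisco code): audit DF-bit settings in a saved
# "show running-config" and check the shared-crypto-map restriction.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_POLICY = "copy"  # assumed default when no 'crypto ipsec df-bit' line exists

# Constructed sample configuration: global clear, FastEthernet0/0 overrides with
# copy, and both FastEthernet interfaces share crypto map "armadillo", which uses
# the local-address feature.
SAMPLE_CONFIG = """\
crypto ipsec df-bit clear
crypto map armadillo local-address Loopback0
crypto map armadillo 1 ipsec-isakmp
 set peer 192.168.10.66
 set transform-set exampleset
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.10.38 255.255.255.0
 crypto map armadillo
 crypto ipsec df-bit copy
!
interface FastEthernet0/1
 ip address 192.168.11.75 255.255.255.0
 crypto map armadillo
!
interface Serial1/0
 ip address 192.168.12.75 255.255.255.0
"""

# (global policy or None, interface name -> {"df": policy or None, "maps": [...]},
#  names of crypto maps configured with local-address)
Config = Tuple[Optional[str], Dict[str, dict], Set[str]]

DF_RE = re.compile(r"crypto ipsec df-bit (clear|set|copy)$")


def parse_running_config(text: str) -> Config:
    """Pull out the three things the audit needs from IOS-style configuration text."""
    global_policy: Optional[str] = None
    interfaces: Dict[str, dict] = {}
    local_address_maps: Set[str] = set()
    current: Optional[str] = None  # interface whose indented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indented = line.startswith(" ")
        line = line.strip()
        if not indented:
            current = None  # any top-level line ends the previous interface block
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = m.group(1)
                interfaces[current] = {"df": None, "maps": []}
                continue
            m = DF_RE.match(line)
            if m:
                global_policy = m.group(1)
                continue
            m = re.match(r"crypto map (\S+) local-address \S+$", line)
            if m:
                local_address_maps.add(m.group(1))
            continue
        if current is None:
            continue  # indented line of a crypto map or other non-interface block
        m = DF_RE.match(line)
        if m:
            interfaces[current]["df"] = m.group(1)
            continue
        m = re.match(r"crypto map (\S+)$", line)
        if m:
            interfaces[current]["maps"].append(m.group(1))
    return global_policy, interfaces, local_address_maps


def effective_df(cfg: Config) -> Dict[str, str]:
    """Interface setting wins over the global one; the global one over the default."""
    global_policy, interfaces, _ = cfg
    base = global_policy or DEFAULT_POLICY
    return {name: info["df"] or base for name, info in interfaces.items()}


def shared_map_conflicts(cfg: Config) -> List[str]:
    """Crypto maps using local-address whose interfaces do not share one DF setting."""
    _, interfaces, local_address_maps = cfg
    eff = effective_df(cfg)
    by_map: Dict[str, List[str]] = defaultdict(list)
    for name, info in interfaces.items():
        for map_name in info["maps"]:
            by_map[map_name].append(name)
    problems = []
    for map_name, names in sorted(by_map.items()):
        if map_name in local_address_maps and len({eff[n] for n in names}) > 1:
            detail = ", ".join(f"{n}={eff[n]}" for n in sorted(names))
            problems.append(f"crypto map {map_name} uses local-address but its interfaces differ: {detail}")
    return problems


if __name__ == "__main__":
    cfg = parse_running_config(SAMPLE_CONFIG)
    for name, policy in effective_df(cfg).items():
        print(f"{name:18} df-bit {policy}")
    for problem in shared_map_conflicts(cfg):
        print("RESTRICTION VIOLATED:", problem)
```

On the sample, FastEthernet0/0 resolves to copy while FastEthernet0/1 inherits clear, so the script reports the armadillo crypto map as violating the restriction; removing the interface-level line, or giving both interfaces the same interface-level setting, clears the report.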
Configuration Examples for DF Bit Override Functionality with IPsec Tunnels
This section provides the following configuration example:
•DF Bit Setting Configuration: Example
DF Bit Setting Configuration: Example
In the following example, the router is configured to clear the DF bit globally and to copy it on the interface named FastEthernet. Thus, on all interfaces except FastEthernet the router clears the DF bit of the encapsulating header and can fragment packets that exceed the available MTU size regardless of the original DF bit setting. On FastEthernet the router copies the DF bit from the original packet, so a packet that the host marked Don't Fragment is not fragmented if it exceeds the MTU (the host is expected to discover the path MTU instead), while a packet without the DF bit can still be fragmented. The transform set in this example (ah-md5-hmac esp-des) uses DES and MD5, both long obsolete; it is shown only to illustrate the DF bit commands and should not be reused.
crypto isakmp key Delaware address 192.168.10.66
crypto isakmp key Key-What-Key address 192.168.11.19
crypto ipsec transform-set exampleset ah-md5-hmac esp-des
! Global setting: clear the DF bit of the encapsulating header on every interface
crypto ipsec df-bit clear
!
crypto map armadillo 1 ipsec-isakmp
 set transform-set exampleset
crypto map basilisk 1 ipsec-isakmp
 set transform-set exampleset
!
! The "interface ..." header lines, the "crypto map" application lines and the
! interface-level "crypto ipsec df-bit copy" on FastEthernet described above are
! missing from this extract; only the address lines of the interfaces survived.
 ip address 192.168.10.38 255.255.255.0
 ip broadcast-address 0.0.0.0
!
 ip address 192.168.11.75 255.255.255.0
 ip broadcast-address 0.0.0.0
!
 ip broadcast-address 0.0.0.0
Additional References
The following sections provide references related to the DF Bit Override Functionality with IPsec Tunnels feature.
Related Documents
Standards
•No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
•No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
•MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS XE releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
•No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
•Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
•Link: http://www.cisco.com/techsupport
Feature Information for DF Bit Override Functionality with IPsec Tunnels
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
Table 1 Feature Information for DF Bit Override Functionality with IPsec Tunnels
Feature Name: DF Bit Override Functionality with IPsec Tunnels
Releases: Cisco IOS XE Release 2.1
Feature Information: This feature allows users to specify whether their router clears, sets, or copies the Don't Fragment (DF) bit in the encapsulating header added in tunnel mode. The DF bit is a bit within the IP header that determines whether a router is allowed to fragment a packet. The following commands were introduced or modified: crypto ipsec df-bit.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2002-2009 Cisco Systems, Inc. All rights reserved.