We deal with MTU issues on all our site-to-site VPNs.  GRE plus IPsec plus other 
uses up 60 to 90 bytes. 
There are some good docs on Cisco's site. 

Standard solution for TCP flows is, ... for the constrained or tunnel int.

"ip mtu 1400"
"ip tcp adjust-mss 1360"

This will cause the TCP 3-way setup to negotiate a 1360-byte MSS, which then fits 
into the 1500-byte max physical MTU size.  

In theory, setting the MTU to 1400 will also cause the PMTU discovery process 
to auto-adjust as well.  This is hit or miss, depending on stack and if ICMP is 
being filtered in the path. 

Windows tries hard to guess the MTU and usually sets the do-not-frag bit on 
most packets.   The above usually works. But we often find some non-TCP app 
defaults to 1500 bytes anyway.  Since Windows sends it with do not frag, the 
router drops it.  

To fix this use a route-map to clear the DF bit.  I only do this for UDP now.  
Seems a good compromise.  

All this would be done on your CPE or other edge router. 

Tunnelled DDoS mitigation vendors also do this to avoid MTU issues. 



Sent from my iPhone

> On Jan 24, 2016, at 2:15 AM, Victor Sudakov <v...@mpeks.tomsk.su> wrote:
> 
> Mark Tinka wrote:
>> 
>> 
>>> 
>>> If you are using MPLS routers that perform forwarding in SW you can test in 
>>> the lab if they would be able to handle the fragmentation so during the 
>>> failure of primary link they would have to fragment.
>>> Otherwise the fragmentation would have to be done on CE routers which is 
>>> something that some customers might not be happy about.
>> 
>> MPLS does not like fragmentation.
>> 
>> IP is happy with fragmentation.
> 
> So if I find a way to fragment a customer's packet before it enters
> the MPLS network, I should be fine. The question is, I don't want to
> fragment the customers' packets all the time. 
> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
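
The three settings described in the reply above (tunnel MTU, TCP MSS clamp, and a route-map that clears the DF bit for UDP only), written out as one Cisco IOS configuration. This is an added example, not configuration from the original message; the interface names, ACL number and route-map name are assumptions.

```cisco
! Tunnel interface carrying GRE + IPsec (Tunnel0 is an assumed name).
interface Tunnel0
 ! Leave room for the 60 to 90 bytes of tunnel overhead.
 ip mtu 1400
 ! 1400 minus a 20-byte IPv4 header and a 20-byte TCP header = 1360.
 ! The router rewrites the MSS option in TCP SYNs passing through.
 ip tcp adjust-mss 1360
!
! Match UDP only, as in the message (ACL 101 is an assumed number).
access-list 101 permit udp any any
!
! Clear the DF bit on matched packets so the router can fragment
! oversized datagrams instead of dropping them.
route-map CLEAR-DF permit 10
 match ip address 101
 set ip df 0
!
! Policy routing acts on packets as they are received, so the
! route-map goes on the LAN-facing interface, not on the tunnel
! (GigabitEthernet0/1 is an assumed name).
interface GigabitEthernet0/1
 ip policy route-map CLEAR-DF
```

`show route-map CLEAR-DF` reports the policy-routing match counters, which confirms whether oversized UDP traffic is actually hitting the rule.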