Hi Thomas, The answer is looking around and do some sniffing. The easy answer which I just used in a lab environment is to use an access-list to deny and fragments. We used it mainly to test IPX with GRE and force IPX to negotiate a bigger packet size than the standard 570 (I think). Use the keyword "Fragments" to deny any packets with that bit set.
deny ip any any fragments. Nabil "I have never let my schooling interfere with my education." "Thomas N." To: [EMAIL PROTECTED] Sent by: cc: nobody@groupstudy Subject: MTU size for IPSec+GRE tunnel [7:62161] .com 01/29/2003 10:05 PM Please respond to "Thomas N." Hi All, I am trying to avoid fragmentation of packets across the IPSec+GRE tunnel with "transform-set" using "ah-sha-hmac" AND "esp-3des" for header authentication and payload encryption. What size of MTU or "TCP addjust-MSS" should I use for maximum performance? I tried out couple values and found TCP adjust-mss of 1076 worked out OK most, but still don't understand why. According Cisco whitepaper, reducing MTU to about 1400 should void the fragmentation but it didn't work in my case. Please help. Thanks! Thomas Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62182&t=62161 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]