Where is the DF bit set?

The DF bit setting specified for a gateway endpoint overrides the DF bit setting specified for the external interface. When you disable (unset) this option, the [device or interface] ignores the DF bit, fragments the packet so that none of the fragments exceeds the MTU of the egress interface, and forwards them.

By default, this option is disabled. When the DF bit is set and the packet must be fragmented in order to be forwarded, the firewall drops the packet and sends an ICMP Type 3, Code 4 message (Destination Unreachable, Fragmentation Needed) to the sender. One way to test for and detect a reduced MTU along a path is to send a ping with a large packet size.

IPv4 routers fragment on behalf of the source node that is sending an oversized packet. If the DF bit is set to 0 (the default), the router splits a packet that is too large to fit into the outgoing interface and sends two packets toward the destination. When the destination receives the two fragments, its protocol stack must reassemble them before processing the protocol data unit (PDU). IPv6 behaves differently: IPv6 routers do not fragment IPv6 packets on behalf of the source.

It then falls on the source to perform the fragmentation itself and to cache the new, reduced MTU size for that destination so that future packets use the correct MTU size.

When routers perform fragmentation on behalf of the source, that adds CPU processing overhead on the router. If IPsec is being used, then the routers on both ends of the tunnel will need to handle the fragmentation and reassembly of the packets.

If the routers are performing fragmentation on behalf of the source node, it may be desirable to have the fragmentation performed prior to encryption, so that the destination tunnel router does not have to reassemble the fragments and then perform the decryption. This can be configured on a Cisco IOS device. As we have seen, the primary issue with MTU size arises when encapsulation takes place while the links between sites only support a 1,500-byte MTU. If the MTU size could be increased throughout the path across the WAN, then the added encapsulation overhead could be absorbed by the WAN interfaces of the routers.
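The following Python model is an added example, not code from the original page or from Cisco, that implements the behaviour described above: a router that honours or ignores the DF bit, the ICMP Type 3 Code 4 "fragmentation needed" error with its next-hop MTU field that a PMTUD source caches, the DF bit copied, set or cleared into an IPsec outer header (policy names borrowed from the IOS `crypto ipsec df-bit {clear | set | copy}` keywords; their semantics here are an assumption), and fragmentation before versus after encryption. The addresses, MTU of 1500, and 60-byte tunnel overhead are constructed values, and IP header checksums are left at zero.

```python
"""Model of IPv4 DF-bit handling on a router and at an IPsec tunnel endpoint.

Constructed example; not Cisco code. Addresses, MTUs and the tunnel
overhead figure are assumptions, and header checksums are left at 0.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

IP_FLAG_DF = 0x4000          # "Don't Fragment" flag (flags/fragment-offset field)
IP_FLAG_MF = 0x2000          # "More Fragments" flag
ICMP_UNREACH, ICMP_FRAG_NEEDED = 3, 4


def build_ipv4(payload: bytes, df: bool, ident: int = 0x1234,
               src: str = "10.0.0.1", dst: str = "10.0.1.1") -> bytes:
    """Minimal 20-byte IPv4 header (protocol 17/UDP) in front of payload."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      IP_FLAG_DF if df else 0, 64, 17, 0, ip(src), ip(dst))
    return hdr + payload


def flags_offset(pkt: bytes) -> int:
    """Raw 16-bit flags/fragment-offset field of an IPv4 header."""
    return struct.unpack("!H", pkt[6:8])[0]


def df_is_set(pkt: bytes) -> bool:
    return bool(flags_offset(pkt) & IP_FLAG_DF)


def fragment(pkt: bytes, mtu: int) -> List[bytes]:
    """RFC 791 fragmentation: every fragment fits mtu, offsets are in 8-byte
    units, MF is set on all but the last fragment, and DF is cleared."""
    hdr, data = pkt[:20], pkt[20:]
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        fo = (0 if i + chunk >= len(data) else IP_FLAG_MF) | (i // 8)
        new_hdr = (hdr[:2] + struct.pack("!H", 20 + len(piece)) + hdr[4:6]
                   + struct.pack("!H", fo) + hdr[8:])
        frags.append(new_hdr + piece)
    return frags


def icmp_frag_needed(pkt: bytes, next_hop_mtu: int) -> bytes:
    """ICMP Type 3 Code 4: type, code, checksum(0), unused, next-hop MTU
    (RFC 1191), then the offending IP header plus 8 bytes of its payload."""
    return struct.pack("!BBHHH", ICMP_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + pkt[:28]


def pmtu_from_icmp(icmp: bytes) -> int:
    """Value a PMTUD-capable source caches for the destination."""
    return struct.unpack("!H", icmp[6:8])[0]


@dataclass
class Forwarded:
    action: str                 # "forward", "fragment" or "drop"
    packets: List[bytes]        # what leaves the egress interface
    icmp: Optional[bytes]       # error returned to the source, if any


def router_forward(pkt: bytes, egress_mtu: int, honor_df: bool = True) -> Forwarded:
    """honor_df=True is the default behaviour described in the text; False models
    the option that makes the device ignore DF and fragment anyway."""
    if len(pkt) <= egress_mtu:
        return Forwarded("forward", [pkt], None)
    if honor_df and df_is_set(pkt):
        return Forwarded("drop", [], icmp_frag_needed(pkt, egress_mtu))
    return Forwarded("fragment", fragment(pkt, egress_mtu), None)


def ipsec_outer_df(policy: str, inner_df: bool) -> bool:
    """DF bit written into the outer tunnel header; policy names mirror the IOS
    keywords clear/set/copy (assumed semantics for this example)."""
    return {"clear": False, "set": True, "copy": inner_df}[policy]


def tunnel_encapsulate(pkt: bytes, egress_mtu: int, overhead: int = 60,
                       before_encryption: bool = True) -> List[bytes]:
    """Pre-fragmentation: split the clear-text packet so each piece still fits the
    egress MTU once `overhead` bytes of outer IP + ESP (modelled as 20 + padding)
    are added, so the far-end router decrypts each piece without reassembly.
    Otherwise the single encapsulated packet is fragmented after encryption."""
    pad = b"\x00" * (overhead - 20)          # constructed stand-in for ESP bytes
    if before_encryption:
        too_big = len(pkt) + overhead > egress_mtu
        pieces = fragment(pkt, egress_mtu - overhead) if too_big else [pkt]
        return [build_ipv4(p + pad, df=False) for p in pieces]
    return fragment(build_ipv4(pkt + pad, df=False), egress_mtu)


def outer_needs_reassembly(outer_pkts: List[bytes]) -> bool:
    """True if any outer packet is itself a fragment (MF set or offset != 0)."""
    return any(flags_offset(p) & (IP_FLAG_MF | 0x1FFF) for p in outer_pkts)
```

Run `router_forward(build_ipv4(b"A" * 2000, df=True), 1500)` to see the drop-plus-ICMP path, and compare `tunnel_encapsulate(..., before_encryption=True)` with `False`: both produce packets that fit a 1500-byte link, but only the pre-fragmented set arrives at the far tunnel end as whole outer packets that can be decrypted without reassembly.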

This would eliminate the need to reduce the MTU size on the tunnel interfaces and to adjust the TCP MSS, and it would relieve the routers from performing any fragmentation. That is where jumbo frames come in. In some situations, jumbo frames can be used to allow for much larger frame sizes if the networking hardware is capable of this configuration. Most modern routers and switches, as well as most datacenter networking hardware, support jumbo frames.

Larger frames can also boost speed.

The following commands were introduced or modified: crypto ipsec df-bit (global configuration), crypto ipsec df-bit (interface configuration).
