Yes, that explains most of it. But still I don't understand why it kills
eigrp neighborships. It uses multicast, right? What are the default values?
Are we lowering or raising them when adding those 2 commands with the values
discussed above? And most of all; why isn't it just fragmented to be
transported anyway?

And of course, both mtu and adjust tcp-mss are interface-commands.

This is another question that imho should be crossposted in the r/s-list. I
hope someone like Marko will beat my ass and explain it all. :-)

I include my original question again since the discussion has been
redistributed to another thread:

------------
Most often when we configure dmvpn we use eigrp. Configuration guides state
setting ip mtu size as well as ip tcp adjust-mss. DocCD uses mtu 1400 and
tcp adjust-mss 1360, but in an example from ipexpert (ILT Lab2) they (Well,
Tyson I guess. ;) ) set mtu to 1492 and tcp mss to 1452.

What is the reason for eigrp not running thru a default-"sized" GRE-tunnel
and which are the preferred values? Default values? Within which ranges
should we stay?

-----------------

/J

2010/7/8 Kingsley Charles <[email protected]>

> Jimmy hope this mail thread would answer your query on DMVPN mtu size.
>
> Also I don't think, the mtu is configured for EIGRP rather for DMVPN
> tunnels.
>
> With regards
> Kings
>
>
> ---------- Forwarded message ----------
> From: Piotr Matusiak <[email protected]>
> Date: Sat, May 22, 2010 at 2:57 AM
> Subject: Re: [OSL | CCIE_Security] DMVPN tunnel interface with mtu 1400
> To: Kingsley Charles <[email protected]>
> Cc: [email protected]
>
>
> Hi Kings,
>
> I must disagree. You can configure Tunnel or Transport mode under the IPSec
> transform set and use it for DMVPN or GREoIPSec deployments. Although, there
> is no difference in outer IP header (an interface tunnel IP addresses are
> there in both cases) the ESP packet is different in size due to additional
> inner IP header in Tunnel mode. This IP header is the same as the outer IP
> header, thus there is not much value in such deployment. That's why the
> Transport mode is recommended in DMVPN (and GRE) scenarios.
>
> For example. When using Tunnel mode, the packet (regular ping for instance)
> will look like:
> ETHER=14
> IP=20
>
> ESP=36
> GRE=24
> IP=20
> ICMP=8 + 72(payload)
>
> TOTAL=194
>
>
> In case of the same packet in Transport mode:
> ETHER=14
> IP=20
> ESP=36
> GRE=24
> ICMP=8 + 72(payload)
>
> TOTAL=174
>
>
>
> HTH,
> Piotr
>
>
> 2010/5/21 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> For GRE based IPSec like DMVPN or GREoIPSec, I don't think there is a
>> concept of transport or tunnel mode. Irrespective of whether you configure
>> transport or not, the IP packet format is same.
>>
>> Always there are three IP headers - ESP or AH IP header, GRE IP header and
>> Payload IP header.
>>
>> Even when you configure tunnel mode, it has only the above three IP
>> headers.
>>
>> It is always tunnel mode, meaning the original IP header is wrapped in GRE
>> and then into ESP.
>>
>>
>>
>> With regards
>> Kings
>>
>>
>> On Fri, May 21, 2010 at 7:20 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Kings,
>>>
>>> It depends on many things like:
>>> - what IPSec encryption you use
>>> - do you use ESP alone or ESP with AH
>>> - transport or tunnel mode
>>>
>>> For example in ESP-3DES/ESP-MD5 with transport mode it should look like:
>>>
>>> ESP - 36
>>> GRE - 24
>>> IP - 20
>>>
>>> Hence the router adds 80 bytes to the packet. If you use IP MTU 1400
>>> you're safe.
>>> When you use Tunnel mode you're adding 20 bytes for new IP header.
>>>
>>>
>>>
>>> TCP MSS is for changing TCP header to instruct the server (or host,
>>> whatever) to decrease the payload size. We configure 1360 to accommodate
>>> larger TCP header (by default 20 bytes, but can be larger due to TCP options
>>> like MD5 hash or something).
>>>
>>> HTH,
>>> Piotr
>>>
>>>
>>>
>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>
>>>>  Hi all
>>>>
>>>> Usually we configure ip mtu 1400 for DMVPN tunnel interface and there is
>>>> a standard calculation for it. I did it long time ago and trying to see, if
>>>> I am having the right understanding now.
>>>>
>>>> Ethernet MTU - 1500
>>>>
>>>> IPSec IP header - 20 bytes
>>>> GRE IP header - 20 bytes
>>>> Payload IP header - 20 bytes
>>>> TCP header - 20 bytes
>>>>
>>>> Total of 80 bytes.
>>>>
>>>> 1500 - 80 = 1420
>>>>
>>>> Including others like ESP header & trailer, GRE header etc, we round it
>>>> to 1400.
>>>>
>>>> Hence, we add ip mtu of 1400 to DMVPN tunnel interface, to avoid
>>>> fragmentation in between.
>>>>
>>>> Correct me, if I am wrong.
>>>>
>>>>
>>>>
>>>> TCP MSS
>>>>
>>>>
>>>> TCP MSS => IP MTU - TCP header size which is 1400 - 20 = 1380 bytes
>>>>
>>>> We usually configure "tcp adjust-mss 1360".
>>>>
>>>> Any idea why it is 1360 instead of 1380?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>>
>>>
>>
>
>


-- 
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
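
The overhead arithmetic discussed in this thread, worked through as an added example that is not part of the original mails: it computes the on-the-wire size of a GRE-over-ESP packet in transport and tunnel mode, including cipher-block padding, and derives the largest tunnel `ip mtu` and matching TCP MSS. The header sizes are assumptions stated in the comments (IPv4 without options, basic 4-byte GRE header, CBC ciphers, 96-bit truncated HMAC, no NAT-T, 1500-byte path).

```python
# Added example (not from the thread): GRE-over-ESP size arithmetic for IPv4.
# Assumptions: no IP options, no NAT-T, HMAC truncated to 96 bits, CBC ciphers,
# basic 4-byte GRE header (a GRE tunnel key would add 4 more bytes).
IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# transform set -> (cipher block size, IV length, ICV length), all in bytes
TRANSFORMS = {
    "esp-3des esp-md5-hmac": (8, 8, 12),
    "esp-aes esp-sha-hmac": (16, 16, 12),
}


def encrypted_size(inner_len, transform, tunnel_mode, gre_hdr=GRE_HDR):
    """IP-layer size on the wire of an inner packet of inner_len bytes."""
    block, iv, icv = TRANSFORMS[transform]
    # Transport mode: ESP protects GRE + inner packet and reuses the GRE
    # delivery IP header. Tunnel mode: that IP header is encrypted too and a
    # new outer IP header is added in front.
    protected = gre_hdr + inner_len + (IP_HDR if tunnel_mode else 0)
    pad = -(protected + ESP_TRAILER) % block   # align to the cipher block
    return IP_HDR + ESP_HDR + iv + protected + pad + ESP_TRAILER + icv


def max_tunnel_ip_mtu(path_mtu, transform, tunnel_mode, gre_hdr=GRE_HDR):
    """Largest inner packet that still fits path_mtu after GRE and ESP."""
    for inner_len in range(path_mtu, 0, -1):
        if encrypted_size(inner_len, transform, tunnel_mode, gre_hdr) <= path_mtu:
            return inner_len
    return 0


def mss_for(ip_mtu):
    """TCP MSS that keeps a full segment within ip_mtu (no IP/TCP options)."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for name in TRANSFORMS:
        for tunnel_mode in (False, True):
            limit = max_tunnel_ip_mtu(1500, name, tunnel_mode)
            mode = "tunnel" if tunnel_mode else "transport"
            print(f"{name:24} {mode:9} max ip mtu {limit}, "
                  f"ip mtu 1400 -> {encrypted_size(1400, name, tunnel_mode)} bytes, "
                  f"mss {mss_for(1400)}")
```

Under these assumptions an `ip mtu` of 1400 stays below a 1500-byte path for every combination, and the limit in tunnel mode is 20 bytes lower than in transport mode.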