just finished an 8 city (3 u.s./5 e.u.) vpn deployment. we were in a bit of a rush and now that we have finished the initial deployment we have the luxury of time to think things through a little more clearly.

one oversight that we made in our haste to deploy we just confirmed - the overhead associated with ipsec is causing packet fragmentation for packets exiting one location and destined for another over the vpn tunnels. i don't have the traces in front of me but we did run a trace on an ftp session and confirmed it. on an ftp session between vpn locations you see the following pattern of packets received on the destination network:

packet 1 - 1460 bytes
packet 2 - 120 bytes
packet 3 - 1460 bytes
packet 4 - 120 bytes
&c.

they probably started life as 1500 bytes, the ipsec overhead forced a fragment, which appears as the second, smaller packet. the solution is to make all host mtus slightly smaller, say 1460. this avoids fragmentation and results in an actual wan bandwidth savings of something like 3-5%, although it appears counterintuitive.

the question i have is this - is it worth it to adjust each host's mtu and take on that task? what are considered operational best practices - optimize wan or lan packet sizes and throughput? take on more server administration or ... given the recent thread on the death of design maybe the issue is moot?

thanks in advance for your insights. now, if i could just remember how to enable the hub ports on a 2507 ...

cheers!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69739&t=69739
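The size arithmetic behind the question above, as an added example that is not part of the original post: it computes the ESP tunnel-mode packet size for a given inner packet, the fragments that result on a 1500-byte path, and the largest host MTU that avoids them. The transform sets, IPv4 without NAT-T and the 1500-byte path MTU are assumptions; the post does not say what the tunnels use.

```python
# Added example: ESP tunnel-mode size arithmetic (RFC 4303 packet layout).
# Assumed, not from the post: IPv4, 1500-byte path MTU, no NAT-T, and the
# transform parameters in TRANSFORMS below.
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# name -> (cipher block size, IV length, ICV length), all in bytes
TRANSFORMS = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
}

def esp_packet_size(inner_len, transform):
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    block, iv, icv = TRANSFORMS[transform]
    # inner packet + trailer is padded up to a whole number of cipher blocks
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HDR + iv + padded + icv

def fragments(packet_len, path_mtu=1500):
    """IPv4 fragment sizes if packet_len exceeds path_mtu (DF clear)."""
    if packet_len <= path_mtu:
        return [packet_len]
    payload = packet_len - OUTER_IP
    per_frag = (path_mtu - OUTER_IP) // 8 * 8   # fragment offsets are in 8-byte units
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + OUTER_IP)
        payload -= chunk
    return sizes

def max_inner_mtu(transform, path_mtu=1500):
    """Largest inner packet that still fits in one outer packet."""
    size = path_mtu
    while esp_packet_size(size, transform) > path_mtu:
        size -= 1
    return size

if __name__ == "__main__":
    for name in TRANSFORMS:
        mtu = max_inner_mtu(name)
        print(f"{name}: host MTU <= {mtu}, TCP MSS <= {mtu - 40}")
        for inner in (1500, 1460, mtu):
            outer = esp_packet_size(inner, name)
            print(f"  inner {inner} -> outer {outer} -> on wire {fragments(outer)}")
```

Substitute the block, IV and ICV lengths of the transform set actually configured on the tunnels; the result is the largest host MTU (or, for TCP only, MSS = MTU - 40) that keeps each encapsulated packet in a single frame.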

