MTU sizes and reasons

Discussion in 'Cisco' started by Zach Malmgren, Jan 6, 2006.

  1. Hi all,

    I "inherited" a router setup that has a VPN connection to one of our
    remote sites. I am at a loss to understand why the old administrator
    used the MTU that he did, and I hope someone here can explain it to me.
    This router has a frame-relay connection to the internet (MTU 1500)
    with a VPN Tunnel that has the IP MTU set to 1600. Shouldn't that be
    somewhere closer to 1460?

    Thanks,
    -Zach

    Config follows:
    interface Tunnel0
    bandwidth 1536
    ip address 192.168.X.X 255.255.255.252
    ip mtu 1600
    ip ospf message-digest-key 1 md5 7 AEFF2234234079BCDE3
    tunnel source 157.130.X.X
    tunnel destination 157.130.X.X
    crypto map gre

    interface Serial0/0
    no ip address
    encapsulation frame-relay IETF
    no fair-queue
    frame-relay lmi-type ansi
    !
    interface Serial0/0.1 point-to-point
    bandwidth 1536
    ip address 157.130.X.X 255.255.255.252
    ip access-group AccessIn in
    no cdp enable
    frame-relay interface-dlci 666 IETF
    crypto map gre
    Zach Malmgren, Jan 6, 2006
    #1

  2. Hi Zach,

    MTU size 1600 is too high. In most cases it will cause fragmentation and,
    as a result, lower performance. If you want to check the maximum MTU
    possible for your end-to-end connectivity, you could play with PING,
    varying the size of the packet with the "do-not-fragment" option set.
    The Windows command line should look like "ping -f -l <size> <destination>".
    Start with a packet size of 1600, and then decrease it until you get a
    response.

    Good luck,

    Mike
    www.headsetadapter.com



    "Zach Malmgren" <> wrote in message
    news:...
    > Hi all,
    >
    > I "inherited" a router setup that has a VPN connection to one of our
    > remote sites. I am at a loss to understand why the old administrator
    > used the MTU that he did, and I hope someone here can explain it to me.
    > This router has a frame-relay connection to the internet (MTU 1500)
    > with a VPN Tunnel that has the IP MTU set to 1600. Shouldn't that be
    > somewhere closer to 1460?
    >
    > Thanks,
    > -Zach
    >
    > Config follows:
    > interface Tunnel0
    > bandwidth 1536
    > ip address 192.168.X.X 255.255.255.252
    > ip mtu 1600
    > ip ospf message-digest-key 1 md5 7 AEFF2234234079BCDE3
    > tunnel source 157.130.X.X
    > tunnel destination 157.130.X.X
    > crypto map gre
    >
    > interface Serial0/0
    > no ip address
    > encapsulation frame-relay IETF
    > no fair-queue
    > frame-relay lmi-type ansi
    > !
    > interface Serial0/0.1 point-to-point
    > bandwidth 1536
    > ip address 157.130.X.X 255.255.255.252
    > ip access-group AccessIn in
    > no cdp enable
    > frame-relay interface-dlci 666 IETF
    > crypto map gre
    >
    CiscoHeadsetAdapter.com, Jan 7, 2006
    #2
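
The probing procedure from post #2, automated as a binary search (an added example, not code from the thread). It assumes Linux iputils or Windows `ping`; the ICMP payload size plus 28 bytes of IP and ICMP headers gives the packet size, and `simulated_path` and the placeholder address are constructed for an offline run.

```python
import platform
import subprocess

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(dest):
    """Build probe(payload) -> bool that sends one echo request with DF set."""
    windows = platform.system() == "Windows"

    def probe(payload):
        if windows:
            cmd = ["ping", "-n", "1", "-w", "1000", "-f", "-l", str(payload), dest]
        else:  # Linux iputils ping
            cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), dest]
        out = subprocess.run(cmd, capture_output=True)
        # Windows ping can exit 0 on an ICMP error reply, so also require
        # the "TTL=" field that only appears in a real echo reply.
        return out.returncode == 0 and (not windows or b"TTL=" in out.stdout)

    return probe


def largest_df_payload(probe, low=548, high=1600):
    """Largest ICMP payload in [low, high] answered with DF set, else None."""
    if not probe(low):
        return None  # floor fails: host down or echo filtered, not an MTU limit
    while low < high:
        mid = (low + high + 1) // 2  # round up so the range always shrinks
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu(probe, **bounds):
    """Largest IP packet size that crossed the path unfragmented, or None."""
    payload = largest_df_payload(probe, **bounds)
    return None if payload is None else payload + ICMP_OVERHEAD


def simulated_path(mtu):
    """Constructed stand-in for a real path: replies only if the packet fits."""
    return lambda payload: payload + ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    print(path_mtu(simulated_path(1500)))        # offline demo
    # print(path_mtu(ping_probe("192.0.2.1")))   # real probe; placeholder address
```

A silent drop and an ICMP "fragmentation needed" reply both count as a failed probe here, so the result is also valid on paths where ICMP errors are filtered.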

  3. Zach Malmgren

    Bob Goddard Guest

    CiscoHeadsetAdapter.com wrote:

    > Hi Zach,
    >
    > MTU size 1600 is too high. In most cases it will cause fragmentation
    > and, as a result, lower performance. If you want to check the maximum
    > MTU possible for your end-to-end connectivity, you could play with
    > PING, varying the size of the packet with the "do-not-fragment"
    > option set. The Windows command line should look like "ping -f -l
    > <size> <destination>". Start with a packet size of 1600, and then
    > decrease it until you get a response.
    >


    Please do not top post.

    First, it's on a tunnel, so a size bigger than a normal max packet size
    is required if fragmentation is to be avoided. Secondly, it's only
    liable to have an impact for traffic which is sourced directly from
    the router and going out over the tunnel. Whoever installed it could
    have worked out the additional overhead and slapped it on.



    B
    >
    > "Zach Malmgren" <> wrote in message
    > news:...
    >> Hi all,
    >>
    >> I "inherited" a router setup that has a VPN connection to one of our
    >> remote sites. I am at a loss to understand why the old administrator
    >> used the MTU that he did, and I hope someone here can explain it to
    >> me. This router has a frame-relay connection to the internet (MTU
    >> 1500) with a VPN Tunnel that has the IP MTU set to 1600. Shouldn't
    >> that be somewhere closer to 1460?
    >> Config follows:
    >> interface Tunnel0
    >> bandwidth 1536
    >> ip address 192.168.X.X 255.255.255.252
    >> ip mtu 1600
    >> ip ospf message-digest-key 1 md5 7 AEFF2234234079BCDE3
    >> tunnel source 157.130.X.X
    >> tunnel destination 157.130.X.X
    >> crypto map gre
    >>
    >> interface Serial0/0
    >> no ip address
    >> encapsulation frame-relay IETF
    >> no fair-queue
    >> frame-relay lmi-type ansi
    >> !
    >> interface Serial0/0.1 point-to-point
    >> bandwidth 1536
    >> ip address 157.130.X.X 255.255.255.252
    >> ip access-group AccessIn in
    >> no cdp enable
    >> frame-relay interface-dlci 666 IETF
    >> crypto map gre
    >>


    --
    http://www.mailtrap.org.uk/
    Bob Goddard, Jan 7, 2006
    #3
  4. Zach Malmgren

    Merv Guest

    Any tunnel MTU size that is greater than any interface MTU in the path,
    including the outgoing egress interface, will result in fragmentation.

    That may be why it is called Maximum Transmission Unit ...
    Merv, Jan 8, 2006
    #4
  7. Zach Malmgren

    theapplebee

    F.Y.I. The transit path on the ISP site has an MTU bigger than 2000 (at least) set. It makes perfect sense that the end node is at the default of 1500.
    The MTU size for a VPN should be smaller than 1500 for better throughput.

    Sharing Cisco Expertise : www.ipBalance.com
    Last edited: Apr 17, 2010
    theapplebee, Nov 4, 2009
    #7
  8. Zach Malmgren

    Baalhug

    Considering a frame encapsulated like:

    [PPPoE[Ethernet[DATA]]]
    <-mss->
    <-----------MTU---------------->

    MTU is the maximum size in bytes for the entire packet (I mean the DATA section plus all its headers) that a DEVICE will admit. So it is considered in layers 1-2. MTU is defined during the creation of the PPP tunnel and it is negotiated by both end-points of the connection (i.e. a PC and a web server). If a packet with a size of 1550 (i.e.) bytes reaches any interface with an MTU of 1500 inside the tunnel, the packet is fragmented. Some devices don't fragment, so they drop the data and answer with an ICMP packet to the source device, informing it that the packet was too big and asking it to re-send a shorter one. If ICMP traffic is filtered somewhere (a normal happening due to security issues), traffic is dropped and the tunnel does not work. So let's repeat:


    Source device <--------------- PPP TUNNEL ---------------> Destination device

    Source and destination devices negotiate the MTU for the PPP frames, ignoring the rest of the devices in the path between them.
    If any logical or physical interface in the path has an MTU bigger than the one negotiated by the source and destination devices, the packets will be fragmented if possible. If not, ICMP messages will be sent as explained and traffic will be re-sent or dropped.

    Hope my English is understood
    Baalhug, Mar 8, 2011
    #8
  9. Zach Malmgren

    virtualj

    Baalhug, your explanation is very good, but the client and the server negotiate MSS in the three-way handshake, not MTU. They provide each other an MSS of MTU-40, and they choose the smaller one.
    You can find a perfect explanation by searching on Google for "Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC" (I cannot post link)
    virtualj, Nov 14, 2012
    #9
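
The overhead arithmetic this thread circles around, worked through for GRE over IPsec ESP on a 1500-byte link, ending with the MTU-40 MSS from post #9 (an added example, not code from the thread). The transform set is an assumption because the posted config does not show it: ESP with 3DES or AES-CBC, HMAC-SHA1-96, IPv4, and GRE without key or sequence options.

```python
IP_HDR = 20
GRE_HDR = 4          # basic GRE header, no key/sequence options (assumed)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
ICV = 12             # HMAC-SHA1-96 (assumed)
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}   # name -> (block, IV) bytes


def esp_len(protected, cipher):
    """ESP header + IV + padded ciphertext + ICV for `protected` plaintext bytes."""
    block, iv = CIPHERS[cipher]
    # Plaintext plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(protected + ESP_TRAILER) // block) * block
    return ESP_HDR + iv + padded + ICV


def wire_size(inner, cipher="aes-cbc", tunnel_mode=True):
    """Bytes on the physical link for an `inner`-byte IP packet in GRE over ESP."""
    gre_payload = GRE_HDR + inner
    if tunnel_mode:
        # The whole GRE/IP packet is encrypted and a new outer IP header is added.
        return IP_HDR + esp_len(IP_HDR + gre_payload, cipher)
    # Transport mode: the GRE delivery header doubles as the outer IP header.
    return IP_HDR + esp_len(gre_payload, cipher)


def max_ip_mtu(link_mtu=1500, cipher="aes-cbc", tunnel_mode=True):
    """Largest tunnel 'ip mtu' whose encapsulated form still fits link_mtu."""
    for inner in range(link_mtu, 0, -1):
        if wire_size(inner, cipher, tunnel_mode) <= link_mtu:
            return inner
    return None


def tcp_mss(ip_mtu):
    """MSS as described in post #9: MTU minus 40 bytes of IP and TCP headers."""
    return ip_mtu - 40


if __name__ == "__main__":
    for cipher in CIPHERS:
        for tunnel in (True, False):
            mtu = max_ip_mtu(1500, cipher, tunnel)
            mode = "tunnel" if tunnel else "transport"
            print(f"{cipher:8} {mode:9} ip mtu {mtu}  mss {tcp_mss(mtu)}")
    print("1600-byte inner packet on the wire:", wire_size(1600, "3des"))
```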