MTU sizes and reasons

Discussion in 'Cisco' started by Zach Malmgren, Jan 6, 2006.

  1. Hi all,

    I "inherited" a router setup that has a VPN connection to one of our
    remote sites. I am at a loss to understand why the old administrator
    used the MTU that he did, and I hope someone here can explain it to me.
    This router has a frame-relay connection to the internet (MTU 1500)
    with a VPN Tunnel that has the IP MTU set to 1600. Shouldn't that be
    somewhere closer to 1460?


    Config follows:
    interface Tunnel0
    bandwidth 1536
    ip address 192.168.X.X
    ip mtu 1600
    ip ospf message-digest-key 1 md5 7 AEFF2234234079BCDE3
    tunnel source 157.130.X.X
    tunnel destination 157.130.X.X
    crypto map gre

    interface Serial0/0
    no ip address
    encapsulation frame-relay IETF
    no fair-queue
    frame-relay lmi-type ansi
    interface Serial0/0.1 point-to-point
    bandwidth 1536
    ip address 157.130.X.X
    ip access-group AccessIn in
    no cdp enable
    frame-relay interface-dlci 666 IETF
    crypto map gre
    Zach Malmgren, Jan 6, 2006

  2. Hi Zach,

    MTU size 1600 is too high. In most cases it will cause fragmentation and,
    as a result, lower performance. If you want to check the maximum MTU
    possible for your end-to-end connectivity, you could play with PING,
    trying to vary the size of the packet with the "do-not-fragment" option set.
    The Windows command line should look like "ping -f -l <size> <destination>".
    Start with the packet size 1600, and then decrease it until you get the

    Good luck,

, Jan 7, 2006

  3. Zach Malmgren

    Bob Goddard Guest

    Please do not top post.

    First, it's on a tunnel, so a size bigger than a normal max packet size
    is required if fragmentation is to be avoided. Secondly, it's only
    liable to have an impact for traffic which is sourced directly from
    the router and going out over the tunnel. Whoever installed it could
    have worked out the additional overhead and slapped it on.

    Bob Goddard, Jan 7, 2006
  4. Zach Malmgren

    Merv Guest

    Any tunnel MTU size that is greater than any interface MTU in the path,
    including the outgoing egress interface, will result in fragmentation.

    That may be why it is called Maximum Transmission Unit ...
    Merv, Jan 8, 2006
  5. Zach Malmgren

    Merv Guest

  6. Zach Malmgren

    Merv Guest

    Merv, Jan 9, 2006
  7. Zach Malmgren


    F.Y.I. The transit path on the ISP site has an MTU bigger than 2000 (at least) set. It makes perfect sense that the end node is at the default 1500.
    MTU size for VPN should be smaller than 1500 for better throughput.

    Last edited: Apr 17, 2010
    theapplebee, Nov 4, 2009
  8. Zach Malmgren


    Considering a frame encapsulated like:


    MTU is the maximum size in bytes for the entire packet (I mean the DATA section plus all its headers) that a DEVICE will admit. So it is considered in layers 1-2. MTU is defined during the creation of the PPP tunnel and it is negotiated by both end-points of the connection (i.e. a PC and a web server). If a packet with a size of 1550 (i.e.) bytes reaches any interface with an MTU of 1500 inside the tunnel, the packet is fragmented. Some devices don't fragment, so they drop the data and answer with an ICMP packet to the source device, informing it that the packet was too big and asking it to re-send a shorter one. If ICMP traffic is filtered somewhere (a normal occurrence due to security issues), traffic is dropped and the tunnel does not work. So let's repeat:

    Source device <--------------- PPP TUNNEL ---------------> Destination device

    Source and destination devices negotiate MTU for the PPP frames, ignoring the rest of the devices in the path between.
    If any logical or physical interface in the path has an MTU bigger than the one negotiated by source and destination devices, the packets will be fragmented if possible. If not, ICMP messages will be sent as explained and traffic will be re-sent or dropped.

    Hope my English is understood
    Baalhug, Mar 8, 2011
  9. Zach Malmgren


    Baalhug, your explanation is very good, but the client and the server negotiate MSS in the three-way handshake, not MTU. They provide each other an MSS of MTU-40, and they choose the smaller one.
    You can find a perfect explanation by searching on Google for "Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC" (I cannot post link)
    virtualj, Nov 14, 2012
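
Added example, not part of the thread: the "ping -f -l <size>" search from post 2 and the MSS = MTU-40 rule from post 9, written as Python. The hop MTUs, the function names and the simulated probe are constructed for illustration; on a real network the probe would be replaced by an actual do-not-fragment ping.

```python
"""Find the largest DF-probe payload on a path, then derive MTU and TCP MSS."""
from typing import Callable, Optional

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header; "ping -l <size>" counts only the data after it
TCP_HDR = 20   # TCP header without options


def simulated_probe(hop_mtus: list[int]) -> Callable[[int], bool]:
    """Constructed stand-in for a DF ping: succeeds only when the whole
    IP packet (payload + 28 bytes of headers) fits the smallest hop."""
    limit = min(hop_mtus)
    return lambda payload: payload + IP_HDR + ICMP_HDR <= limit


def largest_df_payload(probe: Callable[[int], bool],
                       low: int = 0, high: int = 1600) -> Optional[int]:
    """Binary search instead of stepping down from 1600 one size at a time.
    Returns None if even the smallest probe fails (e.g. ICMP is filtered)."""
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # fits: try larger
        else:
            high = mid - 1     # needs fragmentation: try smaller
    return low


def path_mtu(payload: int) -> int:
    """Convert the ping data size back to an IP-layer MTU."""
    return payload + IP_HDR + ICMP_HDR


def negotiated_mss(mtu_a: int, mtu_b: int) -> int:
    """Each side advertises MTU-40; the smaller value is used."""
    return min(mtu_a, mtu_b) - IP_HDR - TCP_HDR


if __name__ == "__main__":
    hops = [1500, 2000, 1476]   # constructed path: LAN, ISP transit, tunnel hop
    payload = largest_df_payload(simulated_probe(hops))
    print("largest DF payload:", payload)
    print("path MTU:", path_mtu(payload))
    print("MSS between a 1500 host and that path:", negotiated_mss(1500, path_mtu(payload)))
```

A result of None from the search means no probe came back at all, which is the filtered-ICMP case from post 8 and says nothing about the MTU itself.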