RE: Fragmentation DMVPN (GRE over IPSec)

Hi Joseph,

Thanks for ur reply. TCP-adjust have already been used. But large UDP
packets still need to be fragmented.

Cheers

Charles

-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Friday, 10 June 2011 11:42 AM
To: Charles Zhuang; ccielab_at_groupstudy.com
Subject: RE: Fragmentation DMVPN (GRE over IPSec)

Wrong... prevent fragmentation in the first place...

Lower all servers to 1300 MTU and or use ip tcp adjust-mss on the server
facing interface of all routers...

Come on man!

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Charles Zhuang
Sent: Thursday, June 09, 2011 8:21 PM
To: ccielab_at_groupstudy.com
Subject: Fragmentation DMVPN (GRE over IPSec)

Hi Guys,

To use crypto ipsec fragmentation before-encryption (LAF) will have better
performance according to Cisco.

http://www.cisco.com/en/US/docs/ios/12_1/12_1e11/feature/guide/lookaheadfrag
.html

But I tried both ( before & after) and it seems to me after is slightly
better ( CPU utilization). Don't know why. There is another Cisco link
explaining after-encryption, but the condition is crypto map applied on both
physical and tunnel interfaces.

http://www.cisco.com/en/US/ts/fn/620/fn62394.html

Not sure if anyone has any experience on this... What is the best practise
in DMVPN phase 1 environment.

Thanks

Charles

Blogs and organic groups at http://www.ccie.net
Received on Fri Jun 10 2011 - 12:24:08 ART