RE: IPSEC and GRE, does CEF works? posted 01/11/2005

Fragmentation can be done in the CEF path; defragmentation can only be done in
the process path.  Most impact on your router's performance would come from
fragmentation after encryption (resulting in the receiving router having to
reassemble in the process path before decryption).

Unless you are running IPSec over a private L2 service allowing for MTU in
excess of 1500, the only way to avoid that is by configuring IP MTU on the GRE
tunnel small enough so a packet would be potentially fragmented before it enters
GRE but not fragmented again after that.  Defragmentation will then happen on
the ultimate destination host side.

To further improve communication you should encourage your users to enable
TCP path MTU discovery and, for high capacity UDP flows over the tunnel,
configure ip mtu down on the host(s).

You can also use 'ip tcp adjust-mss' to get the router to snoop on TCP SYN
packets and adjust MSS on behalf of hosts not performing TCP path MTU
discovery (MSS is 40 bytes smaller than MTU).

Let me know how it works out for you.

Best Regards,

-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of Dan
Sent: Tuesday, January 11, 2005 11:31 AM
To: ccielab@xxxxxxxxxxxxxx
Subject: IPSEC and GRE, does CEF works?

Hello all,

Cisco recommends configuring VPN with IPSEC/GRE combinations.

Does CEF work in such a configuration?

Can IP switching, QOS classifying, GRE encapsulation, encryption (HW
or SW) and QOS congestion management be done in a single interrupt? 

My hardware is 3825 and 7200 with VAM2, but a generic answer will be
more educational for me.

Thank you all,
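
The sizing described in the reply above, worked through as an added example that is not part of the original thread: it finds the largest tunnel IP MTU for which a GRE packet is not fragmented again after ESP encryption, and the matching 'ip tcp adjust-mss' value. The header sizes, cipher parameters and function names are assumptions (IPv4 without options, 4-byte GRE header, CBC cipher with a 96-bit HMAC, no NAT-T, 1500-byte path MTU).

```python
# Added example: sizes a GRE tunnel's "ip mtu" so a GRE+ESP packet fits the path MTU.
# Assumptions (not from the original post): IPv4 without options, basic 4-byte GRE
# header (no key/checksum), ESP with a CBC cipher and a 96-bit HMAC, no NAT-T.
IP_HDR = 20        # IPv4 header
GRE_HDR = 4        # base GRE header
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV = 12           # HMAC-SHA1-96 / HMAC-MD5-96

# cipher name -> (IV bytes, block size in bytes)
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}

def wire_size(inner_len, cipher="3des-cbc", mode="tunnel"):
    """Size on the wire of one inner IP packet after GRE and ESP."""
    iv, block = CIPHERS[cipher]
    gre_packet = IP_HDR + GRE_HDR + inner_len          # GRE delivery header + GRE + payload
    if mode == "tunnel":
        protected = gre_packet                          # whole GRE packet is encrypted
    elif mode == "transport":
        protected = gre_packet - IP_HDR                 # GRE delivery header stays in clear
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    padded = -(-(protected + ESP_TRAILER) // block) * block   # round up to cipher block
    return IP_HDR + ESP_HDR + iv + padded + ICV

def max_tunnel_ip_mtu(path_mtu=1500, cipher="3des-cbc", mode="tunnel"):
    """Largest inner packet that is not fragmented again after encryption."""
    mtu = path_mtu
    while mtu > 0 and wire_size(mtu, cipher, mode) > path_mtu:
        mtu -= 1
    return mtu

def tcp_mss(ip_mtu):
    """MSS for 'ip tcp adjust-mss': 40 bytes below the MTU (IP + TCP headers)."""
    return ip_mtu - 40

if __name__ == "__main__":
    for cipher in CIPHERS:
        for mode in ("tunnel", "transport"):
            mtu = max_tunnel_ip_mtu(1500, cipher, mode)
            print(f"{cipher:9} {mode:9} ip mtu {mtu}  adjust-mss {tcp_mss(mtu)}  "
                  f"wire {wire_size(mtu, cipher, mode)}")
```

Because ESP pads to the cipher block size, one extra inner byte can add a whole block on the wire, which is why the limit differs between the two ciphers.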
