RE: IPSEC and GRE, does CEF works? posted 01/11/2005
Fragmentation can be done in the CEF path; defragmentation can only be done in
the process path. The biggest impact on your router's performance would come from
fragmentation after encryption (resulting in the receiving router having to
reassemble in the process path before decryption).
Unless you are running IPSec over a private L2 service allowing for an MTU in
excess of 1500, the only way to avoid that is by configuring the IP MTU on the GRE tunnel
small enough so the packet would potentially be fragmented before it enters GRE
but not fragmented again after that. Defragmentation will then happen on
the ultimate destination host side.
To further improve communication you should encourage your users to enable
TCP path MTU discovery, and for high-capacity UDP flows over the tunnel
configure the ip mtu down on the host(s).
You can also use 'ip tcp adjust-mss' to get the router to snoop on TCP SYN
packets and adjust the MSS on behalf of hosts not performing TCP path MTU
discovery (MSS is 40 bytes smaller than MTU).
Let me know how it works out for you.
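As an added example (not part of the thread), a small Python model of where a packet fragments on a GRE-over-IPsec path. It assumes a 1500-byte physical MTU, GRE encapsulation of 24 bytes (outer IPv4 plus a GRE header without options) and ESP tunnel mode with AES-CBC and HMAC-SHA1-96; under those assumptions it finds the largest tunnel ip mtu that avoids post-encryption fragmentation and the matching adjust-mss value (MTU minus 40).

```python
# Added example: model where a packet fragments on a GRE-over-IPsec path.
# Overheads are assumptions for a common setup: GRE adds a 20-byte outer IPv4
# header plus a 4-byte GRE header; ESP tunnel mode with AES-CBC/HMAC-SHA1-96
# adds a 20-byte outer IPv4 header, 8-byte ESP header, 16-byte IV, padding to
# a 16-byte block, a 2-byte trailer and a 12-byte ICV.
PHYSICAL_MTU = 1500       # assumed egress interface MTU
GRE_OVERHEAD = 20 + 4     # assumed: outer IPv4 + GRE header without options
IP_PLUS_TCP_HEADERS = 40  # why 'ip tcp adjust-mss' is MTU minus 40


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12, outer_ip=20):
    """Wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    payload = inner_len + 2       # pad-length and next-header fields
    pad = (-payload) % block      # pad the encrypted part to the block size
    return outer_ip + 8 + iv + payload + pad + icv


def fragmentation_point(packet_len, tunnel_ip_mtu, df=False):
    """Where an inner IPv4 packet fragments: 'none', 'before_gre' (split by the
    tunnel's ip mtu, CEF path), 'after_encryption' (ESP packet exceeds the
    physical MTU, so the receiver reassembles in the process path before it
    can decrypt), or 'dropped_icmp_needed' (DF set and too big: the PMTUD case).
    """
    prefix = "none"
    if packet_len > tunnel_ip_mtu:
        if df:
            return "dropped_icmp_needed"
        # largest first fragment: header plus payload rounded down to 8 bytes
        packet_len = 20 + ((tunnel_ip_mtu - 20) // 8) * 8
        prefix = "before_gre"
    if esp_tunnel_size(packet_len + GRE_OVERHEAD) > PHYSICAL_MTU:
        return "after_encryption" if prefix == "none" else prefix + "_and_after_encryption"
    return prefix


def max_tunnel_ip_mtu():
    """Largest tunnel ip mtu whose full-size packets never fragment after ESP."""
    mtu = PHYSICAL_MTU - GRE_OVERHEAD
    while esp_tunnel_size(mtu + GRE_OVERHEAD) > PHYSICAL_MTU:
        mtu -= 1
    return mtu


def recommended_mss(tunnel_ip_mtu):
    """Value for 'ip tcp adjust-mss': tunnel ip mtu minus IP and TCP headers."""
    return tunnel_ip_mtu - IP_PLUS_TCP_HEADERS


if __name__ == "__main__":
    best = max_tunnel_ip_mtu()
    print("tunnel ip mtu", best, "adjust-mss", recommended_mss(best))
    for size, mtu in ((1500, 1500), (1500, best), (1418, 1418), (1400, best)):
        print(size, mtu, fragmentation_point(size, mtu))
```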
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of Dan
Sent: Tuesday, January 11, 2005 11:31 AM
Subject: IPSEC and GRE, does CEF works?
Cisco recommends configuring VPN with IPSEC/GRE combinations.
Does CEF work in such a configuration?
Can IP switching, QOS classifying, GRE encapsulation, encryption (HW
or SW) and QOS congestion management be done in a single interrupt?
My hardware is 3825 and 7200 with VAM2, but a generic answer will be
more educational for me.
Thank you all,