PrepAway - Latest Free Exam Questions & Answers

What would be two methods to overcome this problem? (Choose two)

Users of a site-to-site VPN are reporting performance problems. The VPN connection employs IPSec and GRE and traverses several Ethernet segments. The VPN packets are being fragmented as they traverse the links. What would be two methods to overcome this problem? (Choose two.)


A.
Employ path MTU discovery.

B.
Set the MTU higher than 1500 bytes.

C.
Turn off pre-fragmentation for IPSec.

D.
Set the MTU value to 1400 bytes.

Explanation:

One Comment on “What would be two methods to overcome this problem? (Choose two)”

  1. Saeed says:

    Ans is correct:

    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmvpnb.pdf

    When a packet is nearly the size of the maximum transmission unit (MTU) of the physical egress port of the encrypting switch, and it is encapsulated with IPsec headers, it probably will exceed the MTU of the egress port. This situation causes the packet to be fragmented after encryption (post-fragmentation), which requires the IPsec peer to perform reassembly before decryption, degrading its performance. To minimize post-fragmentation, you can set the MTU in the upstream data path to ensure that most fragmentation occurs before encryption (prefragmentation). Prefragmentation for IPsec VPNs avoids performance degradation by shifting the reassembly task from the receiving IPsec peer to the receiving end hosts.

    To ensure prefragmentation in most cases, we recommend the following MTU settings:
    • The crypto interface VLAN MTU associated with the VSPA should be set to be equal or less than the egress interface MTU.
    • For GRE over IPsec, the IP MTU of the GRE tunnel interface should be set below the egress interface MTU by at least the overhead of IPsec encryption and the 24-byte GRE+IP header (20-byte IP header plus 4-byte GRE header). Because options such as tunnel key (RFC 2890) are not supported, the GRE+IP IP header will always be 24 bytes.

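As an added example, not taken from the page or from Cisco's documentation, the following Python works through the MTU arithmetic in the quoted text: it assumes a common ESP tunnel-mode transform (AES-CBC with HMAC-SHA1-96; the per-field overhead constants are assumptions), computes the largest GRE tunnel IP MTU that keeps every encrypted packet inside the egress MTU, and checks whether a packet of a given size would be fragmented after encryption or before it.

```python
"""Sizing a GRE-over-IPsec tunnel MTU for prefragmentation (added example, assumed ESP overheads)."""
from dataclasses import dataclass

# From the quoted text: 20-byte outer IP header + 4-byte GRE header (no key/seq options).
GRE_IP_OVERHEAD = 24


@dataclass(frozen=True)
class EspParams:
    """ESP tunnel-mode overhead components. Values are assumptions for AES-CBC + HMAC-SHA1-96."""
    outer_ip: int = 20   # new outer IPv4 header added in tunnel mode
    spi_seq: int = 8     # SPI (4 bytes) + sequence number (4 bytes)
    iv: int = 16         # AES-CBC initialisation vector
    block: int = 16      # cipher block size; payload + trailer is padded to a multiple of this
    trailer: int = 2     # pad length (1 byte) + next header (1 byte)
    icv: int = 12        # HMAC-SHA1-96 integrity check value


def esp_encrypted_size(plaintext_len: int, p: EspParams = EspParams()) -> int:
    """Bytes on the wire after ESP tunnel-mode encapsulation of an IP packet of plaintext_len bytes."""
    padded = -(-(plaintext_len + p.trailer) // p.block) * p.block  # ceil to block boundary
    return p.outer_ip + p.spi_seq + p.iv + padded + p.icv


def esp_max_overhead(p: EspParams = EspParams()) -> int:
    """Worst-case ESP overhead: padding can add up to block-1 bytes on top of the fixed fields."""
    return p.outer_ip + p.spi_seq + p.iv + p.trailer + (p.block - 1) + p.icv


def recommended_gre_tunnel_mtu(egress_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest tunnel IP MTU such that GRE+IP plus worst-case ESP overhead never exceeds egress_mtu."""
    return egress_mtu - GRE_IP_OVERHEAD - esp_max_overhead(p)


def post_fragmentation(inner_len: int, tunnel_mtu: int, egress_mtu: int,
                       p: EspParams = EspParams()) -> bool:
    """True if an inner packet of inner_len bytes would be fragmented *after* encryption.

    If inner_len exceeds tunnel_mtu, the GRE tunnel interface fragments it first
    (prefragmentation), so each piece handed to IPsec is at most tunnel_mtu bytes.
    """
    piece = min(inner_len, tunnel_mtu)
    return esp_encrypted_size(piece + GRE_IP_OVERHEAD, p) > egress_mtu


if __name__ == "__main__":
    # Constructed scenario: 1500-byte Ethernet egress, hosts sending full 1500-byte packets.
    print("recommended tunnel IP MTU:", recommended_gre_tunnel_mtu(1500))
    print("tunnel MTU 1500 -> post-fragmentation:", post_fragmentation(1500, 1500, 1500))
    print("tunnel MTU 1400 -> post-fragmentation:", post_fragmentation(1500, 1400, 1500))
```

With a 1500-byte egress MTU the computed bound lands at 1403 bytes, which is why a tunnel MTU of 1400 (option D) keeps fragmentation on the sending side while leaving the tunnel MTU at 1500 forces post-encryption fragmentation.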
