Sunday, July 20, 2008

Cisco Systems: DF Bit Override Functionality with IPSec Tunnels

The DF Bit Override Functionality with IPSec Tunnels feature allows customers to specify whether their router can clear, set, or copy the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within the IP header that determines whether a router is allowed to fragment a packet.
Some customer configurations have hosts that perform the following functions:
• Set the DF bit in packets they send
• Use firewalls that block Internet Control Message Protocol (ICMP) errors from outside the firewall, preventing hosts from learning about the maximum transmission unit (MTU) size outside the firewall
• Use IP Security (IPSec) to encapsulate packets, reducing the available MTU size
Customers whose hosts are prevented from learning their available MTU size in this way can configure their router to clear the DF bit and fragment the packet.

Note: In compliance with RFC 2401, this feature can be configured globally or per interface. If both levels are configured, the interface configuration will override the global configuration.
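The interaction the note describes is easiest to see end to end: the host sets DF, the tunnel adds encapsulation overhead, the outer packet no longer fits the link, and whether the result is a fragmented packet or a silent black hole depends on the DF policy and on whether the ICMP "fragmentation needed" message gets back through the firewall. The model below is an added example written for this page, not Cisco code and not a reproduction of IOS behaviour; the 60-byte ESP tunnel-mode overhead, the 1500-byte link MTU, the addresses and the packet sizes are constructed assumptions.

```python
"""Model of how an IPsec tunnel endpoint handles the IPv4 Don't Fragment (DF) bit.

Added illustration, not Cisco code. Assumed values: ESP tunnel-mode overhead of
60 bytes and a 1500-byte MTU on the link beyond the tunnel endpoint.
"""
import struct
from enum import Enum

DF_FLAG = 0x4000           # IPv4 flags/fragment-offset field: "Don't Fragment"
ESP_TUNNEL_OVERHEAD = 60   # assumed: outer IP header + ESP header/IV/trailer/ICV
LINK_MTU = 1500            # assumed MTU of the link past the tunnel endpoint


class DfPolicy(Enum):
    CLEAR = "clear"  # outer header never carries DF; the router may fragment
    SET = "set"      # outer header always carries DF; never fragment
    COPY = "copy"    # outer header inherits the inner packet's DF bit


def ipv4_header(total_length: int, df: bool, proto: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = DF_FLAG if df else 0
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # RFC 5737 doc ranges
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, 0x1234,
                       flags_frag, 64, proto, 0, src, dst)


def total_length(header: bytes) -> int:
    """Read the Total Length field from a raw IPv4 header."""
    return struct.unpack("!H", header[2:4])[0]


def df_bit_set(header: bytes) -> bool:
    """Read the DF bit back out of a raw IPv4 header."""
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return bool(flags_frag & DF_FLAG)


def encapsulate(inner_header: bytes, policy: DfPolicy) -> bytes:
    """Wrap the inner packet in an outer header whose DF bit follows the policy."""
    outer_len = total_length(inner_header) + ESP_TUNNEL_OVERHEAD
    if policy is DfPolicy.CLEAR:
        outer_df = False
    elif policy is DfPolicy.SET:
        outer_df = True
    else:  # COPY
        outer_df = df_bit_set(inner_header)
    return ipv4_header(outer_len, outer_df, proto=50)  # 50 = ESP


def forward(outer_header: bytes, mtu: int = LINK_MTU) -> str:
    """What the router does with the encapsulated packet at the egress link."""
    if total_length(outer_header) <= mtu:
        return "forward"
    if df_bit_set(outer_header):
        return "drop+icmp-frag-needed"  # ICMP type 3 code 4 sent back toward the host
    return "fragment"


def outcome(inner_len: int, inner_df: bool, policy: DfPolicy,
            icmp_reaches_host: bool) -> str:
    """End-to-end view from the host: delivered, PMTUD recovers, or black hole."""
    inner = ipv4_header(inner_len, inner_df, proto=6)  # 6 = TCP
    result = forward(encapsulate(inner, policy))
    if result in ("forward", "fragment"):
        return "delivered"
    return "pmtud-works" if icmp_reaches_host else "black-hole"


if __name__ == "__main__":
    # The scenario in the text: host sets DF, firewall drops inbound ICMP errors.
    for policy in DfPolicy:
        print(f"1480-byte packet, DF set, ICMP blocked, policy={policy.value}: "
              f"{outcome(1480, True, policy, icmp_reaches_host=False)}")
```

Running the block walks all three policies over the failure case from the text: with `copy` (or `set`) the oversized outer packet is dropped and the ICMP error never reaches the host, so the flow black-holes; with `clear` the router fragments and the data arrives. The same functions also show why `clear` is a trade-off rather than a free fix: fragmentation and reassembly at the far end costs performance, which is why the feature is configurable per interface rather than forced globally.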
