IP MTU Recommendations

Hi guys

With all respect, I believe the recommendations you give here are misleading

https://help.zscaler.com/zia/determining-the-optimal-mtu-for-gre-or-ipsec-tunnels

I don't agree that the approach you outline here is valid. Why would you configure the tunnel's IP MTU to the value of the Path MTU? In your ping sweep exercise you only identify the payload size, which you then combine with the ICMP and IP headers, but what you don't mention and don't do is account for the IPsec and/or GRE encapsulation.

It means that if my Path MTU is 1500 and you configure the tunnel's MTU as 1500, then fragmentation does indeed happen on the outbound interface, which also has an MTU of 1500: after IPsec/GRE adds its own headers, you go well above 1500 and the network appliance must perform fragmentation. If not, fragmentation still happens at the intermediate node (if it has a smaller MTU, which you have identified via the ping sweep exercise).

Cisco has a great white paper that explains this in detail:

Please adjust your knowledge base article, as it's really misleading and what you suggest there will actually lead to fragmentation.

Regards

P.S. To summarize, what I was trying to say here is that the correct formula to calculate the MTU for the tunnel interface is: min(WAN-Interface-MTU, Path-MTU) - sum(GRE-headers, IPSec-headers)

WAN interface MTU or Path MTU (whatever is smaller) minus a sum of GRE and IPSec headers in bytes.

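The formula in the P.S., carried through as an added example (not code from the post or from the Zscaler article): it derives the tunnel MTU for GRE, IPsec ESP tunnel mode and GRE-over-IPsec, and checks the resulting encapsulated size against the outer MTU. Header sizes are assumed from the standard IPv4, GRE and ESP formats, and ESP padding is computed per transform, which a flat "sum of headers" figure does not capture.

```python
# Header sizes in bytes, assumed from the IPv4/GRE/ESP packet formats (not from the post).
IPV4_HEADER = 20
GRE_HEADER = 4          # basic GRE header without key/sequence fields
UDP_HEADER = 8          # NAT-T UDP encapsulation, when present
ESP_HEADER = 8          # SPI + sequence number
ESP_TRAILER = 2         # pad length + next header

# ESP transform -> (IV length, padding alignment, ICV length); assumed sample transforms.
ESP_TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128-icv16": (8, 4, 16),
}


def esp_max_inner(outer_mtu, transform, nat_t=False):
    """Largest inner packet that fits one ESP tunnel-mode packet of outer_mtu bytes."""
    iv_len, align, icv_len = ESP_TRANSFORMS[transform]
    fixed = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len + icv_len
    room = outer_mtu - fixed
    # The encrypted part (inner + trailer + padding) must be a multiple of `align`.
    return room - room % align - ESP_TRAILER


def tunnel_mtu(wan_mtu, path_mtu, gre=True, ipsec_transform=None, nat_t=False):
    """min(WAN MTU, Path MTU) minus GRE and/or IPsec overhead, innermost layer last."""
    mtu = min(wan_mtu, path_mtu)
    if ipsec_transform:                      # IPsec is the outer encapsulation
        mtu = esp_max_inner(mtu, ipsec_transform, nat_t)
    if gre:                                  # GRE rides inside IPsec (or alone)
        mtu -= IPV4_HEADER + GRE_HEADER
    return mtu


def encapsulated_size(inner_len, gre=True, ipsec_transform=None, nat_t=False):
    """On-the-wire size of an inner packet after GRE and/or ESP encapsulation."""
    size = inner_len
    if gre:
        size += IPV4_HEADER + GRE_HEADER
    if ipsec_transform:
        iv_len, align, icv_len = ESP_TRANSFORMS[ipsec_transform]
        enc = size + ESP_TRAILER
        enc += (-enc) % align                # pad up to the cipher alignment
        size = IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len + enc + icv_len
    return size
```

Setting the tunnel MTU to the 1500-byte Path MTU as the article suggests gives `encapsulated_size(1500)` of 1524 bytes for plain GRE, which exceeds the outbound interface MTU and must be fragmented; `tunnel_mtu(1500, 1500)` returns 1476, which fits.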