MTU vs MSS

I have been reading up on DMVPN and noticed the tunnel configuration had the following:
interface Tunnel0
ip mtu 1408
ip tcp adjust-mss 574
Would someone be able to explain to me why the MSS is so much lower than the MTU?
I thought the MSS was 28 less than the MTU.

From same doc, I think this is valid
"The goal is to select an optimum value for ip tcp adjust-mss that minimizes both the IPSec padding and
ATM adaption layer (AAL) 5 padding."
Is that your objective in live network?
For the rest it's pretty self explanatory.
IP MTU of transport network > IP MTU overlay network > TCP MSS set on overlay

Similar Messages

  • Advice required on optimal MTU and MSS settings for GRE and IPSEC connections

    Hi,
    We have 2 remote sites (Site A and Site B) which connect to our datacentres (DC) over IPSEC VPN and connect to each other over GRE tunnels.
    We had some issues recently which we believe were MTU/MSS related (browsing web servers at one location not appearing correctly etc)
    We got some advice from our Cisco partner and tweaked some settings but I'm still not convinced we have the optimal configuration - and we still have some problems I suspect may be MTU related.  For example, from our DC (connected to Site A by IPSEC), we CANNOT browse to the webpage of the phone system hosted at Site A.  Yet, we CAN browse to the webpage of the Site A phone system from Site B (connected over GRE)
    Site A and Site B have two WAN internet circuits each - and each provider presents their circuit to us as ethernet.
    Here are the relevant interface settings showing the currently configured MTU and MSS (both routers are configured the same way)
    Can someone advise on what the optimal settings should be for our MTU and MSS values on the various interfaces or how we might best determine the values?
    interface Tunnel1
    description *** GRE Tunnel 1 to SiteB***
    ip address [removed]
    ip mtu 1400
    ip tcp adjust-mss 1360
    keepalive 30 3
    tunnel source [removed]
    tunnel destination [removed]
    interface Tunnel2
    description *** GRE Tunnel2 to SiteB***
    ip address [removed]
    ip mtu 1400
    ip tcp adjust-mss 1360
    keepalive 30 3
    tunnel source [removed]
    tunnel destination [removed]
    interface GigabitEthernet0/0
    description "WAN Connection to Provider1"
    ip address [removed]
    ip access-group firewall in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip inspect cbac out
    ip virtual-reassembly in
    crypto map cryptomap
    interface GigabitEthernet0/1
    description "Connection to LAN"
    no ip address
    ip flow ingress
    ip flow egress
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    description DATA VLAN
    encapsulation dot1Q 20
    ip address [removed]
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1320
    interface GigabitEthernet0/1.2
    description VOICE VLAN
    encapsulation dot1Q 25
    ip address [removed]
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1320
    interface GigabitEthernet0/2
    description "Connection to Provider2"
    ip address [removed]
    ip access-group firewall in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip inspect cbac out
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map grecrypto
    Thanks.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

  • Optimize mtu and mss

    Dear all,
    It is about an IPSEC/GRE over WAN...
    Would you please confirm or comment on the following in terms of MTU:
    1. On GRE tunnel interfaces "ip mtu" and "ip tcp adjust-mss" is mandatory. "tunnel path-mtu-discovery" is good to have and will allow DF bit to be set in the outer header. If "tunnel path-mtu-discovery" is to be applied, ICMP should not be blocked between routers.
    2. On inside router interfaces "ip tcp adjust-mss" is mandatory and will be the same value as on the tunnel interfaces. This will make sure TCP traffic from inside hosts is OK.
    3. It is mandatory that ICMP messages are not blocked between inside hosts and WAN routers in order for PMTUD for hosts to be working.
    Thanks in advance,
    Mladen

    No you have not mis-read the document - maybe just been led down a path a little, my answers are based on experience.
    I have found that tunnel path-mtu-discovery/PMTUD/BlackHole MTUD do not work in 99.999% of the cases where I have had mtu issues - Windows OS has been where the issues lie. I have never encountered a time where the Windows OS has actually taken any notice that the ICMP fragmentation needed message has been received.
    Some Cisco platforms cannot use the tcp mss adjust command on transient packets, only packets sourced from the device are affected.
    Cisco firewalls have default configuration in regards to fragmentation - the packets will be fragmented prior to encrypting the packet and they copy the DF bit = the packet will be dropped due to being oversized.
    What I do when dealing with GRE/IPSEC tunnels is either:-
    1) Change the MTU of the workstations/servers - works in small environments, does not scale.
    2) You do not have to worry about MTU/MSS sizes on internet sites generally, as the remote servers will 99% negotiate a small MSS.
    3) Use where possible tcp mss adjust on routers and firewalls (this is a great place, especially when you are not using GRE tunnels)
    4) Perform packet captures to determine if an application will send ALL packets with the DF bit set, or as normal just the TCP handshake.
    Below is a good example:-
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
    HTH

  • IPSEC SA ip mtu idb interface?

    Hello,
    What is the ip mtu idb interface under the "show crypto ipsec sa" command output in IOS?  How is this interface determined?      
    Thanks,
    Nathan

    Nathan,
    The IPsec overhead is 'complicated' to calculate (depending on chosen cipher suite and original packet length). Hence you'd need to have a calculator of some sort, several folks wrote those, we have one internally written by a colleague.
    It is safe to assume that overhead will be around 100 bytes (for GRE over IPsec), newer IOS will calculate that for you too. It's a stretch, but we'd rather have lower MSS than deal with fragmentation.
    But regardless, you will see very often in our reference configuration that MTU is set to 1400, and a matching MSS of 1360.
    Fragmentation/reassembly is an popular, remember that when you set MTU you NEED to set also MSS (MTU - 40 = MSS).
    Another thing is (tunnel) PMTUD, while it's typically broken over internet, it is one of my favorites, it helps detect and diagnose problems early in the deployment rather than dealing with it later on.
    Just figured I'd get this out there.
    M.

  • HTTP and SMB over Cisco LAN-to-LAN IPSec-VPN

    We are connecting Cisco 887VA router with various other Non-Cisco routers.
    VPN tunnels are up and we can ping devices on the remote network through the VPN.
    However, we have a few devices (on the Cisco lan) that provide a web interface (NAS etc) and these are not accessible over the VPN, the connection seems to just hang like it's waiting for a response but it never gets one and eventually the browser times out.
    Strangely, if I request a page that does not exist from the NAS (eg. http://192.168.3.x/test) I will receive a 404 error so it is kind of working.
    Similar problems with SMB, if I access \\192.168.3.x I can list the content (4 items) but if I go into one of those folders (containing 10+ items) it hangs and eventually gives up.
    I have tried adjusting MTU and MSS with no change.
    Any ideas cause I'm running out of hair
    My config is attached, it is most likely a mess as this is my first Cisco device so please go easy

    Hi,
    I can get you an example VPN config (Cisco 1841) that works:
    //192.168.49.0 INSIDE IP | 192.168.0.0/16 and 172.20.0.0/24 RemoteSite IP
    access-list 102 permit ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 102 permit ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
    access-list 150 deny   ip 192.168.49.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 150 deny   ip 192.168.49.0 0.0.0.255 172.20.0.0 0.0.0.255
    access-list 150 permit ip 192.168.49.0 0.0.0.255 any
    crypto isakmp policy 10
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key CRYPTOKEYHERE address REMOTEWANIP
    crypto isakmp keepalive 30
    crypto ipsec transform-set SETNAME esp-aes esp-sha-hmac
    crypto map B2B 10 ipsec-isakmp
    description b2b-fw
    set peer PEERWANIP
    set security-association lifetime seconds 86400
    set transform-set SETNAME
    match address 102
    interface FastEthernet0/0
    description wan_primary
    crypto map B2B
    ip nat outside
    interface FastEthernet0/1
    ip nat inside
    route-map nonat permit 10
    match ip address 150
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    Regards
    Markus

  • GRE slow in one direction

    Hi folks
    I need some help understanding a problem I have. I have two networks connected over GRE using Cisco 1921 routers. One router is connected to the Internet and the other one to a 4G provider. 4G as I know it should be slower on the upload than on the download but for my users at the remote site it's the opposite. I get speeds around 4mbit down and 12mbit up. If I send the remote site straight out to Internet and skip the tunnel I get speeds around 10mbit down and 5mbit up.
    I've been trying some MTU and MSS settings but none has given any clear improvements. Anyone got an idea?
    Regards
    Fredrik

    I'm talking about either basic ethernet or a wifi connection. Basic ethernet has the same speed in either direction ie 'downstream' or 'upstream'. I don't know the specifics of wifi but I'm pretty sure it too has identical speeds in either direction.
    I only have an ssh server on my linux machine so I'm always running the copy from the mac. To summarize:
    $ scp file1 linux:/tmp -> 2.2Mb/s
    $ scp linux:/tmp/file1 . -> 100Kb/s
    I know that apple wifi cards sometimes have problems with linksys routers, but even with a normal ethernet connection the speeds are the same.
    ibook G4 Mac OS X (10.3.9)

  • 802.1x/EAP-TLS Fragmentation across VPN tunnel

    I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
    - Under the tunnel interfaces:
    - MTU 1390
    - MSS 1350
    - PMTUD
    - Under the ingress LAN interface
    - route-map to set the DNF bit to 0
    - On the RADIUS Server (2008 NPS)
    - Framed-MTU: 1300
    This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
    What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
    Thanks for your help.

    I figured I would post back with my results. I ended up removing my mtu value from the tunnel interfaces and then fired up wireshark again. This time I found a crap load of ICMP time-exceeded messages which told me that PMTUD is not working properly across the tunnel. From there I simply re-applied my previous MTU numbers back into the tunnel configs and all of a sudden EAP-TLS started flowing fine. I do not know why removing and re-applying the MTU would make things start working again so I assume that I'll be dealing with this again sometime in the future.

  • 877W unable to view web pages

    Hi all,
    I've been trying to setup the new 877W DSL router for last days with no luck.
    Situation is as follows:
    Everything seems to be alright, DSL connects properly, and my pc is able to ping and traceroute to sites.
    Problem comes when trying to use the web browser, I'm not getting any kind of heavy page (it does load google after 30 secs).
    I've checked it does NAT translations as I can see them with the sh ip nat translations command.
    I'm copying the whole config. Thanks in advance for your help, Any comment will be helpful.

    Hi,
    2 things to try, first you say that you can ping sites while not able to web browse, it might be a DNS problem accordingly please try to check your dns (ping the DNS and then try doing nslookup).
    Second, for the MTU and MSS it's recommended to have:
    interface
    ip tcp adjust-mss 1452
    interface
    mtu 1492
    HTH, please do rate all helpful replies,
    Mohammed Mahmoud.

  • How is "current transport value" calculated?

    We had an issue recently where I work where an officer started having connectivity problems.  This office has a VPN router with an IPsec tunnel to access the main network because they're located several hours away.  (The hub router is a 3945, the office has a 2800 series router.) This worked fine for years but about a month ago with no changes to the network they started having issues with VOIP and web access.
    While troubleshooting we adjusted the MTU on the workstation and found that it worked fine at 1380, but when we set the adjust-mss on the tunnel to 1380 it didn't work for all the affected computers.
    We tried various settings on the adjust-mss and the ip mtu until we got one that worked, but if we went too high on the MTU we got a message saying our setting was "higher than the current transport value of 1414, fragmentation will occur."
    This was six lower than 1420, the IP MTU setting that was originally there.  We dropped the ip tcp adjust-mss to 1374 and it worked. 
    It looks like the "current transport value" is what changed, but I can't find any way to see what the value is on either router and I don't know what goes into finding this value.  Does anyone know the command to view it and what determines it?

    You're making a confusion between MTU and MSS.
    MTU = maximum IP datagram size the layer 2 can carry,
    MSS = maximum TCP segment size.
    On a usual Ethernet link, MTU = 1500 bytes. MSS = 1500 - 20 (IP header) - 20 (TCP header) = 1460 bytes.
    When using tunnels, you've got to take into account the added encapsulation. With GRE for instance (which I know better than IPSec), you've got 24 bytes more to take into account.
    On a router, with a PPP interface with 1500 bytes MTU, if you enable GRE the GRE tunnel will have an MTU of 1476 bytes because each user datagram will receive an additional IP+GRE header (+24 bytes).
    MSS is then 1436 bytes (1436 + 40 = 1476) and you can avoid IP fragmentation by setting tcp mss adjust to 1436 for tcp traffic (nothing can be done for big UDP packets).
    Same thing with IPSec. Depending on the encapsulation (ESP, tunnel, transport...), you add X bytes of additional header.
    On a WAN PPP interface having an MTU of 1500 bytes, a tunnel going thru the PPP interface toward its destination will detect a transport MTU of 1500 bytes (MTU of the outgoing transport interface, the PPP interface), and will set its own MTU at 1500 - X bytes (MTU of outgoing interface minus additional bytes of tunnel encapsulation). You can set mss adjust to Transport (here 1500) - (X) - (40).
    Hope this helps.
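
The "Transport - X - 40" rule from the answer above, with X computed per packet the way the earlier IPsec reply says a calculator is needed for (ESP padding depends on cipher and packet length). This is an added example, not code from any poster or from Cisco. The ESP suite parameters, the 4-byte GRE header and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HDR = 20    # IPv4 header without options
TCP_HDR = 20     # TCP header without options
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes
NAT_T_UDP = 8    # UDP encapsulation used for NAT traversal


@dataclass(frozen=True)
class EspSuite:
    iv_len: int   # IV carried in every packet
    align: int    # payload + padding + trailer is padded to a multiple of this
    icv_len: int  # integrity check value after the ciphertext


# Assumed suite parameters (not read from any router on the page).
AES_CBC_SHA1 = EspSuite(iv_len=16, align=16, icv_len=12)  # esp-aes esp-sha-hmac
TDES_CBC_SHA1 = EspSuite(iv_len=8, align=8, icv_len=12)   # esp-3des esp-sha-hmac
AES_GCM_16 = EspSuite(iv_len=8, align=4, icv_len=16)


def wire_len(inner_len: int, suite: Optional[EspSuite] = None, gre_hdr: int = 0,
             tunnel_mode: bool = True, nat_t: bool = False) -> Tuple[int, int]:
    """Return (size on the transport link, ESP padding) for one passenger IP packet."""
    protected = inner_len
    if gre_hdr:
        protected += gre_hdr + IPV4_HDR   # GRE header plus GRE delivery IP header
    if suite is None:
        return protected, 0               # GRE only, or no tunnel at all
    if not tunnel_mode:
        protected -= IPV4_HDR             # transport mode keeps that IP header outside ESP
    pad = -(protected + ESP_TRAILER) % suite.align
    total = (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + suite.iv_len
             + protected + pad + ESP_TRAILER + suite.icv_len)
    return total, pad


def max_ip_mtu(transport_mtu: int, **encap) -> int:
    """Largest passenger packet that still fits the transport MTU unfragmented."""
    for inner in range(transport_mtu, IPV4_HDR + TCP_HDR, -1):
        if wire_len(inner, **encap)[0] <= transport_mtu:
            return inner
    raise ValueError("transport MTU too small for this encapsulation")


def mss_for(ip_mtu: int) -> int:
    """MSS that keeps a full TCP segment inside ip_mtu (MTU - 40)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def audit(ip_mtu: int, adjust_mss: int, transport_mtu: int, **encap) -> List[str]:
    """Check a configured ip mtu / adjust-mss pair against the transport MTU."""
    findings = []
    wire, _ = wire_len(ip_mtu, **encap)
    if wire > transport_mtu:
        findings.append(
            f"ip mtu {ip_mtu} is {wire} bytes on the wire, over transport MTU "
            f"{transport_mtu}; largest safe ip mtu is {max_ip_mtu(transport_mtu, **encap)}")
    if adjust_mss > mss_for(ip_mtu):
        findings.append(f"adjust-mss {adjust_mss} exceeds ip mtu - 40 = {mss_for(ip_mtu)}")
    return findings


if __name__ == "__main__":
    cases = [
        ("GRE only", dict(gre_hdr=4)),
        ("GRE + ESP tunnel mode, AES-CBC/SHA1", dict(suite=AES_CBC_SHA1, gre_hdr=4)),
        ("GRE + ESP transport mode, AES-CBC/SHA1",
         dict(suite=AES_CBC_SHA1, gre_hdr=4, tunnel_mode=False)),
        ("ESP tunnel mode + NAT-T, AES-GCM", dict(suite=AES_GCM_16, nat_t=True)),
    ]
    for transport in (1500, 1492):          # constructed sample transport MTUs
        for label, encap in cases:
            mtu = max_ip_mtu(transport, **encap)
            print(f"{transport}  {label:42s} ip mtu {mtu}  adjust-mss {mss_for(mtu)}")
    # A 1400/1360 pair checked against a 1492-byte transport under the assumed suite.
    for line in audit(1400, 1360, 1492, suite=AES_CBC_SHA1, gre_hdr=4):
        print("finding:", line)
```

With the assumed AES-CBC/SHA1 suite, GRE and ESP tunnel mode over a 1500-byte transport, the result is ip mtu 1414 and MSS 1374, the same figures reported in the question above; the poster's actual transform set is not shown on the page.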

  • Poor Network Performance from VPN sites

    We are experiencing poor network performance when connecting from hardware VPN sites. VPN sites have Cisco Hardware VPN client 3002 which terminates to Cisco 3005 VPN concentrator. Getting upload/download speeds of 355/484kbps from VPN to surewest.com. If I remove the VPN and connect laptop directly to dsl modem, speeds are 3mb up and 1mb down. Any ideas what could be causing this?

    Try this
    Adjust the MTU and MSS size in concentrator and client.
    Try these links for more info:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html

  • ISM with NAT64 - need help with config

    Hello,
    we are trying to configure NAT64 on ISM. We are running 4.3.0 on ASR9k and all
    packages are installed.
    Problem is that the config guide is "incomplete" and the NAT64 config is not well
    explained.
    I will paste the config and show command output..
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful CGN1 statistics
    Tue Jan 29 14:52:59.351 BIH
    Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'The instance has not yet been configured'
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful STATEFULL statistics
    Tue Jan 29 14:59:07.270 BIH
    Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'CONN state is DOWN'
    service cgn CGN1
    service-location preferred-active 0/4/CPU0
    service-type nat64 stateful STATEFULL
      portlimit 2000
      ipv6-prefix 64:ff9b::/64
      ipv4 address-pool 80.65.84.160/29
      dynamic-port-range start 10000
      address-family ipv4
       interface ServiceApp2
       tcp mss 600
      address-family ipv6
       interface ServiceApp1
       protocol icmp
        reset-mtu
       tcp mss 600
      protocol udp
       timeout 1800
      protocol tcp
       session initial timeout 90
       session active timeout 90
      protocol icmp
       timeout 900
      interface ServiceInfra10
    ipv4 address 10.100.127.9 255.255.255.252
    service-location 0/4/CPU0
    Interface serviceAPP1 is present but not serviceApp2
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run inter ServiceApp1
    Tue Jan 29 22:40:43.814 BIH
    interface ServiceApp1
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run inter ServiceApp2
    Tue Jan 29 22:41:34.601 BIH
    % No such configuration item(s)
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#show platform
    Tue Jan 29 14:57:29.753 BIH
    Node            Type                      State            Config State
    0/RSP0/CPU0     A9K-RSP440-TR(Standby)    IOS XR RUN       PWR,NSHUT,MON
    0/RSP1/CPU0     A9K-RSP440-TR(Active)     IOS XR RUN       PWR,NSHUT,MON
    0/0/CPU0        A9K-8T-L                  IOS XR RUN       PWR,NSHUT,MON
    0/1/CPU0        A9K-8T-L                  IOS XR RUN       PWR,NSHUT,MON
    0/2/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON
    0/3/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON
    0/4/CPU0        A9K-ISM-100(LCP)          IOS XR RUN       PWR,NSHUT,MON
    0/4/CPU1        A9K-ISM-100(SE)           APP-READY
    Package asr9k-ism-cgv6-install-kit-4.3.0.00.sh has been installed!
    Node 0/RSP0/CPU0 [RP] [SDR: Owner]
        Boot Device: disk0:
        Boot Image: /disk0/asr9k-os-mbi-4.3.0/0x100305/mbiasr9k-rsp3.vm
        Active Packages:
          disk0:asr9k-fpd-px-4.3.0
          disk0:asr9k-mpls-px-4.3.0
          disk0:asr9k-optic-px-4.3.0
          disk0:asr9k-doc-px-4.3.0
          disk0:asr9k-mini-px-4.3.0
          disk0:asr9k-mcast-px-4.3.0
          disk0:asr9k-mgbl-px-4.3.0
          disk0:asr9k-services-p-px-4.3.0
          disk0:asr9k-k9sec-px-4.3.0
    Node 0/4/CPU0 [LC] [SDR: Owner]
        Boot Device: mem:
        Boot Image: /disk0/asr9k-os-mbi-4.3.0/lc/mbiasr9k-lc.vm
        Active Packages:
          disk0:asr9k-mpls-px-4.3.0
          disk0:asr9k-optic-px-4.3.0
          disk0:asr9k-mini-px-4.3.0
          disk0:asr9k-mcast-px-4.3.0
          disk0:asr9k-services-p-px-4.3.0
    Service-Engine0/4/0/0          unassigned      Up                    Up    
    Service-Mgmt0/4/0/0            unassigned      Up                    Up    
    Service-Engine0/4/0/1          unassigned      Up                    Up    
    Service-Mgmt0/4/0/1            unassigned      Up                    Up    
    Service-Engine0/4/0/2          unassigned      Up                    Up    
    Service-Mgmt0/4/0/2            unassigned      Up                    Up    
    Service-Engine0/4/0/3          unassigned      Up                    Up    
    Service-Mgmt0/4/0/3            unassigned      Up                    Up 

    Hi,
    first thank you for the reply.
    hw-module service cgn location 0/4/CPU0 has been typed in the config but I can not see it anywhere in the config after I enter and commit it.
    This is the guide I am using. You will see that the NAT64 example is incomplete or is lacking some explanations. You will see mistakes like an IP address 300.x.x.x . I even tried to completely copy/paste the example in the guide and it still shows the same errors!
    http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/cg_nat/configuration/guide/cgnat_43.html
    Edit:
    After serviceapp 1 and 2 has been configured the error "Unable to obtain requested info Error:'cgn' detected the 'warning' condition 'CONN state is DOWN'" has gone
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run interface serviceapp1
    Wed Jan 30 08:44:59.602 BIH
    interface ServiceApp1
    vrf Internet
    ipv6 address 1::1/64
    service cgn CGN1 service-type nat64 stateful
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh run interface serviceapp2
    Wed Jan 30 08:45:00.950 BIH
    interface ServiceApp2
    vrf Internet
    ipv4 address 1.1.1.1 255.255.255.252
    service cgn CGN1 service-type nat64 stateful
    RP/0/RSP1/CPU0:ASR9010_PE_DMALTA#sh cgn nat64 stateful STATEFULL statistics
    Wed Jan 30 08:46:50.342 BIH
    Statistics summary of NAT64 Stateful instance: 'STATEFULL'
    Number of active translations                  : 0
    Number of static translations                  : 0
    Number of dynamic translations                 : 0
    Number of Sessions                             : 0
    Translations create rate                       : 0
    Translations delete rate                       : 0
    Inside to outside forward rate                 : 0
    Outside to inside forward rate                 : 0
    Inside to outside drops port limit exceeded    : 0
    Inside to outside drops system limit reached   : 0
    Inside to outside drops resource depletion     : 0
    No translation entry drops                     : 3134
    Filtering Drops                                : 0
    Invalid Ipv6 Prefix Drops                      : 0
    Number of subscribers                          : 0
    Drops due to session db limit exceeded         : 0
    Pool address totally free                      : 8
    Pool address used                              : 0
    For what are the IP addresses in serviceapp used, only for communication between router and ISM?

  • E90 poor network

    HI.
    I M USING E90 SINCE 2 YEARS BUT NOWADAYS I M FACING SOME NETWORK PROBLEM. THE SIGNALS ARE VERY LOW AS COMPARED TO ANY OTHER MOBILE PHONES. I HAVE VISITED NOKIA CENTER CARE & MOBILE CONNECTION COMPANY TO REPAIR MY SIM, BUT THEY BOTH SAID THAT IS WORKING FINE FROM THEIR SIDE.
    PLEASE HELP ME WITH THIS NETWORK PROBLEM.


  • 1000v Almost Working

    I've got the 1000v (single VSM in L3 mode) up and running. I have a couple of port-profiles with VMs running fine in them. All VEMs seem to be registered and speaking fine. The only problem I have is when I go to move the VSM's eth1 interface off the vSwitch0 and onto the 1000v, it loses communication (vEth shows BLK when I move it).
    N1KV# sh run
    !Command: show running-config
    !Time: Thu May  1 21:32:36 2014
    version 4.2(1)SV2(2.2)
    svs switch edition essential
    no feature telnet
    username admin password 5 $1$LxtFHxdd$nnLt6SIClbFprf3qv7Pig0  role network-admin
    banner motd #Nexus 1000v Switch#
    ssh key rsa 2048
    ip domain-lookup
    ip host N1KV 10.2.55.100
    hostname N1KV
    errdisable recovery cause failed-port-state
    vem 3
      host id 64b73ccc-c6cf-e311-0000-00000000004f
    vem 4
      host id 64b73ccc-c6cf-e311-0000-00000000002f
    vem 5
      host id 64b73ccc-c6cf-e311-0000-00000000005f
    vem 6
      host id 64b73ccc-c6cf-e311-0000-00000000003f
    snmp-server user admin network-admin auth md5 0x009f54b10a39bb2726dacb1dc22802af priv 0x009f54b10a39bb2726dacb1dc22802af localizedkey
    vrf context management
      ip route 0.0.0.0/0 10.2.55.1
    vlan 1,3255,3268,3350,3360
    port-channel load-balance ethernet source-mac
    port-profile default max-ports 32
    port-profile type ethernet Unused_Or_Quarantine_Uplink
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type vethernet Unused_Or_Quarantine_Veth
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type ethernet System-Uplink
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 1-3967,4048-4093
      mtu 9000
      channel-group auto mode on mac-pinning
      no shutdown
      system vlan 3255
      description physical switch link
      state enabled
    port-profile type vethernet VLAN3255
      capability l3control
      vmware port-group VLAN-3255-L3
      port-binding static auto expand
      switchport mode access
      switchport access vlan 3255
      no shutdown
      system vlan 3255
      max-ports 256
      min-ports 16
      state enabled
    port-profile type vethernet vMotion-3268
      vmware port-group
      switchport mode access
      switchport access vlan 3268
      no shutdown
      system vlan 3268
      max-ports 256
      state enabled
    port-profile type vethernet VLAN-3255
      vmware port-group
      switchport mode access
      switchport access vlan 3255
      no shutdown
      max-ports 256
      min-ports 16
      state enabled
    port-profile type vethernet VLAN-3360
      vmware port-group
      switchport mode access
      switchport access vlan 3360
      no shutdown
      max-ports 256
      min-ports 16
      state enabled
    port-profile type vethernet VLAN-3350
      vmware port-group
      switchport mode access
      switchport access vlan 3350
      no shutdown
      max-ports 256
      min-ports 16
      state enabled
    vdc N1KV id 1
      limit-resource vlan minimum 16 maximum 2049
      limit-resource monitor-session minimum 0 maximum 2
      limit-resource vrf minimum 16 maximum 8192
      limit-resource port-channel minimum 0 maximum 768
      limit-resource u4route-mem minimum 1 maximum 1
      limit-resource u6route-mem minimum 1 maximum 1
    interface port-channel1
      inherit port-profile System-Uplink
      vem 3
    interface port-channel2
      inherit port-profile System-Uplink
      vem 4
    interface port-channel3
      inherit port-profile System-Uplink
      vem 5
    interface port-channel4
      inherit port-profile System-Uplink
      vem 6
    interface mgmt0
      ip address 10.2.55.100/24
    interface Vethernet1
      inherit port-profile VLAN3255
      description VMware VMkernel, vmk0
      vmware dvport 434 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0025.B500.000B
    interface Vethernet2
      inherit port-profile vMotion-3268
      description VMware VMkernel, vmk1
      vmware dvport 442 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.5663.A33C
    interface Vethernet3
      inherit port-profile VLAN3255
      description VMware VMkernel, vmk0
      vmware dvport 432 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0025.B500.000E
    interface Vethernet4
      inherit port-profile VLAN3255
      description VMware VMkernel, vmk0
      vmware dvport 433 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0025.B500.000D
    interface Vethernet5
      inherit port-profile vMotion-3268
      description VMware VMkernel, vmk2
      vmware dvport 440 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.566D.7851
    interface Vethernet6
      inherit port-profile vMotion-3268
      description VMware VMkernel, vmk1
      vmware dvport 441 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.5663.CFF0
    interface Vethernet7
      inherit port-profile VLAN-3255
      description VUM, Network Adapter 1
      vmware dvport 704 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.5690.284B
    interface Vethernet8
      inherit port-profile VLAN3255
      description VMware VMkernel, vmk0
      vmware dvport 438 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0025.B500.000C
    interface Vethernet9
      inherit port-profile vMotion-3268
      description VMware VMkernel, vmk1
      vmware dvport 443 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.566C.6C27
    interface Vethernet10
      inherit port-profile VLAN-3255
      description Ubuntu - Craig, Network Adapter 1
      vmware dvport 705 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.5690.0A43
    interface Vethernet11
      inherit port-profile VLAN3255
      description Nexus1000V-4.2.1.SV2.2.1b, Network Adapter 1
      vmware dvport 703 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.5690.E208
    interface Vethernet12
      inherit port-profile VLAN3255
      description Nexus1000V-4.2.1.SV2.2.1b, Network Adapter 3
      vmware dvport 701 dvswitch uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a"
      vmware vm mac 0050.5690.F928
    interface Ethernet3/1
      inherit port-profile System-Uplink
    interface Ethernet4/1
      inherit port-profile System-Uplink
    interface Ethernet4/2
      inherit port-profile System-Uplink
    interface Ethernet5/1
      inherit port-profile System-Uplink
    interface Ethernet5/2
      inherit port-profile System-Uplink
    interface control0
    cli alias name wr copy run start
    line console
    boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.2.bin sup-1
    boot system bootflash:/nexus-1000v.4.2.1.SV2.2.2.bin sup-1
    boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.2.bin sup-2
    boot system bootflash:/nexus-1000v.4.2.1.SV2.2.2.bin sup-2
    svs-domain
      domain id 10
      control vlan 1
      packet vlan 1
      svs mode L3 interface mgmt0
    svs connection vcenter
      protocol vmware-vim
      remote ip address 10.2.55.35 port 80
      vmware dvs uuid "3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a" datacenter-name UCS
      admin user n1kUser
      max-ports 8192
      connect
    vservice global type vsg
      tcp state-checks invalid-ack
      tcp state-checks seq-past-window
      no tcp state-checks window-variation
      no bypass asa-traffic
    vnm-policy-agent
      registration-ip 0.0.0.0
      shared-secret **********
      log-level
    N1KV# sh mod
    Mod  Ports  Module-Type                       Model               Status
    1    0      Virtual Supervisor Module         Nexus1000V          active *
    3    332    Virtual Ethernet Module           NA                  ok
    4    332    Virtual Ethernet Module           NA                  ok
    5    332    Virtual Ethernet Module           NA                  ok
    Mod  Sw                  Hw
    1    4.2(1)SV2(2.2)      0.0
    3    4.2(1)SV2(2.2)      VMware ESXi 5.5.0 Releasebuild-1623387 (3.2)
    4    4.2(1)SV2(2.2)      VMware ESXi 5.5.0 Releasebuild-1623387 (3.2)
    5    4.2(1)SV2(2.2)      VMware ESXi 5.5.0 Releasebuild-1623387 (3.2)
    Mod  Server-IP        Server-UUID                           Server-Name
    1    10.2.55.100      NA                                    NA
    3    10.2.55.101      64b73ccc-c6cf-e311-0000-00000000004f  exucs1.bhsi.com
    4    10.2.55.103      64b73ccc-c6cf-e311-0000-00000000002f  exucs3.bhsi.com
    5    10.2.55.102      64b73ccc-c6cf-e311-0000-00000000005f  exucs2.bhsi.com
    * this terminal session
    N1KV#
    N1KV# module vem 3 execute vemcmd show port
      LTL   VSM Port  Admin Link  State  PC-LTL  SGID  Vem Port  Type
       17     Eth3/1     UP   UP    FWD     561     0    vmnic0
       49     Veth11     UP   UP    FWD       0     0  Nexus1000V-4.2.1.SV2.2.1b.eth0
       50      Veth5     UP   UP    FWD       0     0      vmk2
       51      Veth8     UP   UP    FWD       0     0      vmk0
       53     Veth12     UP   UP    FWD       0     0  Nexus1000V-4.2.1.SV2.2.1b.eth2
      561        Po1     UP   UP    FWD       0
    * F/B: Port is BLOCKED on some of the vlans.
           One or more vlans are either not created or
           not in the list of allowed vlans for this port.
     Please run "vemcmd show port vlans" to see the details.
    N1KV#
    N1KV# sh svs connections
    connection vcenter:
        ip address: 10.2.55.35
        remote port: 80
        protocol: vmware-vim https
        certificate: default
        datacenter name: UCS
        admin: n1kUser(user)
        max-ports: 8192
        DVS uuid: 3c 0d 10 50 1b 8e 2c c6-fb 74 a2 23 ea c8 07 9a
        config status: Enabled
        operational status: Connected
        sync status: Complete
        version: VMware vCenter Server 5.5.0 build-1750787
        vc-uuid: 61E318F1-6DF1-4441-B34B-C762CC2E4AE4
        ssl-cert: self-signed or not authenticated
    ~ # esxcfg-vmknic -l
    Interface  Port Group/DVPort   IP Family IP Address                              Netmask         Broadcast       MAC Address       MTU     TSO MSS   Enabled Type
    vmk2       440                 IPv4      10.2.68.101                             255.255.255.0   10.2.68.255     00:50:56:6d:78:51 1500    65535     true    STATIC
    vmk2       440                 IPv6      fe80::250:56ff:fe6d:7851                64                              00:50:56:6d:78:51 1500    65535     true    STATIC, PREFERRED
    vmk0       438                 IPv4      10.2.55.101                             255.255.255.0   10.2.55.255     00:25:b5:00:00:0c 1500    65535     true    STATIC
    vmk0       438                 IPv6      fe80::225:b5ff:fe00:c                   64                              00:25:b5:00:00:0c 1500    65535     true    STATIC, PREFERRED

    I hope you get an answer to your problem.
    Unfortunately, it's a lot of code to wade through, and many regulars know you
    cross-post your problems all over the place, so probably ignore your posts
    rather than risk their time being wasted on a problem already solved.
    When I said "I hope you get an answer to your problem.",
    I lied.

  • Poor network efficiency

    I'm supporting an app running on WLS 6.1 SP3. It's using the Apache SOAP toolkit.
    I don't have access to the app or its source code, though I may be able to request
    enhancements.
    In network traces of the app, we're seeing excessive fragmentation of the response
    HTTP headers sent by WLS. Specifically, each discrete piece of an HTTP header
    is being sent in its own network packet. For example, the date header is returned
    as follows:
    "Date" - first packet
    ": " - second packet
    "{date value}" - third packet
    "\x0d\x0a" - fourth packet
    This obviously results in significantly more network traffic than is optimal.
    It also places extra CPU load on server and client since the network stack is
    doing more work. Note that, from what I can determine, all the headers are ones
    that are automatically sent by WLS, save "Content-Type" and "Content-Length".
    I know there's a ServletResponse.setBufferSize method, but its docs seem to state
    that it only applies to the content/body of the response, not the headers.
    Does anyone have experience with this problem? Is there a WLS config setting to
    alleviate the problem? Or will setBufferSize help w/ the headers also?
    Many thanks,
    Donnie

    Try this
    Adjust the MTU and MSS size in concentrator and client.
    Try these links for more info:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html

  • PAT Issues

    We have an MPLS network which is having some issues for customers using PAT. The case is if I have a CE configured with a public IP address or static NAT they have no problems to navigate or do anything on the Internet. But if I configure PAT they simply cannot open some pages like hotmail, etc. In that case, if I adjust MTU or MSS they can navigate. Is there some solution to avoid this? Or does somebody know why it can be happening? As far as I know the packet size doesn't change with PAT.
    Thanks for the help.

    Every device in an IP path intercepting TCP needs to advertise the MSS option. Or if this segment size is not used then a segment of any size may be received.
    And such packets which upon receipt have DF bit set then you have a problem and you will have be able to browse such packets from content rich websites.
    What you can do is:
    1) use this command on your ip nat inside and ip nat outside interfaces
    interface x/x
    ip add x.x.x.x x.x.x.x
    ip nat inside
    ip tcp adjust-mss 1452
    interface x/x
    ip add x.x.x.x x.x.x.x
    ip nat outside
    ip tcp adjust-mss 1452
    This should solve your problem without changing any MTU or MSS on the customer CE.
    1) Now two questions: you had a problem before because of the MTU, right? Now what is this NAT/PAT?
    2) Where are you doing this NAT and PAT?
    Can you explain the data path, e.g.
    CE<-->NAT<-->PE<--MPLS-->PE-ASBR<-->Internet.
    HTH-Cheers,
    Swaroop
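
What `ip tcp adjust-mss 1452` in the reply above does to a SYN crossing the interface, as an added Python sketch (not code from the thread, and not Cisco's implementation): the MSS option is lowered to the limit and the TCP checksum is patched incrementally per RFC 1624. All function names and the sample SYN built by `build_syn` are constructed for illustration.

```python
import struct

def csum_update(csum, old, new):
    # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF

def tcp_checksum(src, dst, seg):   # full checksum; caller zeroes the checksum field
    data = src + dst + struct.pack("!BBH", 0, 6, len(seg)) + seg
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(seg, limit=1452):
    """Lower the MSS option of a SYN to `limit`; return (segment, mss_seen)."""
    hdr = bytearray(seg)
    off = (hdr[12] >> 4) * 4 if len(hdr) >= 20 else 0
    if not 20 <= off <= len(hdr) or not hdr[13] & 0x02:
        return seg, None                      # MSS is only carried on SYN segments
    i = 20
    while i < off and hdr[i] != 0:            # kind 0 = end of option list
        if hdr[i] == 1:                       # kind 1 = NOP, a single byte
            i += 1
            continue
        if i + 1 >= off or hdr[i + 1] < 2 or i + hdr[i + 1] > off:
            break                             # malformed option: leave untouched
        if hdr[i] == 2 and hdr[i + 1] == 4:   # kind 2 = MSS, length 4
            mss = struct.unpack_from("!H", hdr, i + 2)[0]
            if mss > limit:
                lo, hi = (i + 2) & ~1, (i + 5) & ~1   # aligned words covering the value
                fmt = f"!{(hi - lo) // 2}H"
                old = struct.unpack_from(fmt, hdr, lo)
                struct.pack_into("!H", hdr, i + 2, limit)
                csum = struct.unpack_from("!H", hdr, 16)[0]
                for o, n in zip(old, struct.unpack_from(fmt, hdr, lo)):
                    csum = csum_update(csum, o, n)
                struct.pack_into("!H", hdr, 16, csum)
            return bytes(hdr), mss
        i += hdr[i + 1]
    return seg, None

def build_syn(src, dst, options):  # constructed sample SYN; ports/seq/window are made up
    off = (20 + len(options)) // 4            # header length in 32-bit words
    seg = bytearray(struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, off << 4, 2, 65535, 0, 0) + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)
```

The clamp only ever lowers the advertised value, so a SYN that already carries an MSS at or below the limit passes through unchanged.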
