Device Advanced
Issue 4 May 2005 201
Examples of traffic destined for the private network are:
Decapsulated IPSec packets destined for the private network.
SNMP Get Responses being sent to a VPNmanager console residing on the private side of the VSU.
Traps sent to a VPNmanager console residing on the private side of the VSU.
Note: It is important to remember that ARP often works in conjunction with the
Advanced Filter setting.
Device in parallel with firewall or router - For example, if you set up a VSU in parallel with a
network device that provides firewall and routing services and you only want the VSU to:
send ARPs for addresses in its primary IP address space out the public interface and,
send ARPs for addresses in its private IP address space out the private interface,

you would then want to:

1. Set the above to “Bind one IP address to each port” and
2. Set the Advanced Filter to Deny all non-VPN traffic. The latter prevents an ARP from going
out both interfaces.
Device in one-arm mode - Suppose you have deployed the VSU in one-arm mode (which
requires that only the private port be plugged into the network) and you have used the Bind one
IP address to each port setting. This topology requires that the Advanced Filter setting be
“Permit all non-VPN packets”. This allows ARPs for the VSU's primary IP address that come in
the private port (remember it is the only port plugged in) to be resolved.
The “Bind Both Primary and Private IP Address to the Private Port” setting is available for
legacy support. In particular, with this setting the VSU always ARPs out both ports independent
of the Advanced Filter setting and it always uses the private port's MAC address for all packets
originating from the VSU. Use this setting if you need a VSU running VPNOS 3.1.xx, or later, to
support this legacy behavior.
Generally, Bind both Primary and Private IP addresses to private port is checked only if the VSU
firmware is earlier than 3.1 and the VSU is the only device between the internet and the private
network (that is, not in parallel with a firewall).
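The three cases above combine the topology, the IP binding setting and the Advanced Filter setting, and an inconsistent combination either leaks ARPs out both interfaces or leaves the VSU's primary address unresolvable. The following script is an added example, not Avaya's own code or configuration format: it models the rules stated in this section as a pre-deployment check. The VsuConfig structure, the topology names ("parallel", "one_arm", "inline") and the version strings are assumptions made for the example.

```python
"""Consistency check for VSU ARP binding versus Advanced Filter settings.

Hypothetical example: it encodes the rules from the manual text above and
does not read a real VSU configuration. Field names and topology labels
are constructed for this example.
"""
from dataclasses import dataclass

# Setting names as they appear in the manual text.
BIND_ONE_PER_PORT = "Bind one IP address to each port"
BIND_BOTH_PRIVATE = "Bind Both Primary and Private IP Address to the Private Port"
FILTER_DENY = "Deny all non-VPN traffic"
FILTER_PERMIT = "Permit all non-VPN packets"

LEGACY_CUTOFF = (3, 1)  # "Bind both" is generally only for firmware earlier than 3.1


@dataclass
class VsuConfig:
    topology: str         # "parallel" (beside a firewall/router), "one_arm", or "inline"
    bind_setting: str     # BIND_ONE_PER_PORT or BIND_BOTH_PRIVATE
    advanced_filter: str  # FILTER_DENY or FILTER_PERMIT
    vpnos_version: str    # e.g. "3.1.12" (constructed value)


def version_tuple(version: str) -> tuple:
    """Turn 'a.b.c' into a comparable tuple; non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        parts.append(int(piece) if piece.isdigit() else 0)
    return tuple(parts)


def check_config(cfg: VsuConfig) -> list:
    """Return a list of findings; an empty list means the combination is consistent
    with the manual's guidance."""
    findings = []

    if cfg.bind_setting == BIND_ONE_PER_PORT:
        if cfg.topology == "parallel" and cfg.advanced_filter != FILTER_DENY:
            # Without "Deny all non-VPN traffic" the VSU ARPs out both interfaces,
            # so both address spaces become reachable through the wrong port.
            findings.append(
                "parallel topology: set Advanced Filter to 'Deny all non-VPN traffic' "
                "so ARPs are not sent out both interfaces")
        if cfg.topology == "one_arm" and cfg.advanced_filter != FILTER_PERMIT:
            # Only the private port is connected; ARPs for the primary IP arrive there
            # and are only resolved when non-VPN packets are permitted.
            findings.append(
                "one-arm mode: Advanced Filter must be 'Permit all non-VPN packets' "
                "so ARPs for the primary IP arriving on the private port resolve")

    elif cfg.bind_setting == BIND_BOTH_PRIVATE:
        # Legacy behaviour: ARPs go out both ports regardless of the Advanced Filter,
        # and every VSU-originated packet uses the private port's MAC address.
        if cfg.topology == "parallel":
            findings.append(
                "'bind both to private port' ARPs out both ports independent of the "
                "Advanced Filter; not intended for a VSU in parallel with a firewall")
        if version_tuple(cfg.vpnos_version) >= LEGACY_CUTOFF:
            findings.append(
                "'bind both to private port' is a legacy-support setting on VPNOS 3.1 "
                "or later; generally only checked on firmware earlier than 3.1")

    else:
        findings.append(f"unknown bind setting: {cfg.bind_setting!r}")

    return findings


if __name__ == "__main__":
    # Constructed sample configurations, one per case discussed in the manual.
    samples = [
        VsuConfig("parallel", BIND_ONE_PER_PORT, FILTER_PERMIT, "3.1.12"),
        VsuConfig("one_arm", BIND_ONE_PER_PORT, FILTER_DENY, "3.1.12"),
        VsuConfig("inline", BIND_BOTH_PRIVATE, FILTER_DENY, "3.0.4"),
    ]
    for sample in samples:
        print(sample.topology, check_config(sample) or "OK")
```

The check only flags the combinations the manual calls out; a configuration it reports as consistent still has to be verified on the device itself, for example by confirming from which port ARP requests for the primary address are actually observed.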
Path MTU Discovery
When a device communicates with another network device, it attempts to discover the largest
packet it can transmit to that device. The largest packet the network can transmit is called the
maximum transmission unit (MTU).