ETEP Configuration

Ignore DF Bit

When the ETEP is configured for use in Layer 3 IP encryption policies, its default behavior is to enable DF Bit handling on the local port. This tells the ETEP to ignore the “do not fragment” (DF) bit in the IP header, and fragment outbound packets that exceed the MTU of the system. This setting should be used under the following conditions:

Reassembly mode is set to gateway

ICMP is blocked at the firewall

PMTU path discovery isn’t working

A symptom of a PMTU problem is when the network operates normally when traffic passes in the clear but loses packets when encryption is turned on.

You can override the default behavior by disabling the DF Bit handling on the local port. The ETEP will then discard packets in which the DF bit is set and the packet length, including the encryption header, exceed the PMTU.

Table 89

Ignore DF Bit settings

 

 

 

Setting

 

Description

Enabled

 

The ETEP ignores the DF bit in the IP header and fragments outbound

 

 

packets greater than the MTU of the system. This setting is automatically

 

 

enabled when the reassembly mode is set to gateway.

Disabled

 

The ETEP acts in accordance with the DF bit setting in the IP header.

 

 

 

Related topic:

“Reassembly Mode” on page 310

Reassembly Mode

The reassembly mode setting applies to packets entering the ETEP’s local port that are subject to fragmentation. This setting specifies whether packets are fragmented before or after they are encrypted and who performs the reassembly of the fragmented packet: the destination host or gateway.

The reassembly mode option is available only when the ETEP’s Encryption Policy Setting is set to Layer 3:IP. When the Encryption Policy Setting is set to Layer 2:Ethernet, packets that are subject to fragmentation are encrypted prior to fragmentation. Layer 2 jumbo packets that exceed the PMTU are discarded. The Encryption Policy Setting is configured on the Features tab.

Table 90

Reassembly mode settings

 

 

 

Setting

 

Description

Gateway

 

This setting is recommended for ETEP-ETEP encryption. Packets are

 

 

encrypted first and then fragmented based on the new packet size, which

 

 

includes the encryption header. This behavior is consistent with RFC 2401.

 

 

The gateway (ETEP) performs the reassembly.

 

 

When the reassembly mode is set to gateway, the Ignore DFBit setting is

 

 

automatically enabled.

Host

 

This setting is required for the ETEPs to interoperate successfully with some

 

 

security gateways. Packets are fragmented before they are encrypted, and

 

 

the encryption header is added to the packet fragments. The destination

 

 

host performs the reassembly.

 

 

 

310

EncrypTight User Guide

Page 308 Page 310
Page 309
Image 309
Black Box ET0010A, ET1000A, EncrypTight, ET0100A manual Reassembly Mode, Ignore DF Bit settings, Reassembly mode settings
Page 308 Page 310

EncrypTight, ET0100A, ET0010A, ET1000A specifications

The Black Box ET1000A, ET0010A, EncrypTight, and ET0100A are advanced solutions designed for secure data transmission and network management, catering to modern enterprise needs. These tools integrate cutting-edge technologies to enhance connectivity, security, and efficiency within various environments.

The Black Box ET1000A is primarily a high-performance Ethernet over Twisted Pair (EoTP) solution. It enables users to extend Ethernet signals over long distances using existing twisted-pair cabling without sacrificing speed or reliability. With support for speeds up to 100 Mbps, this device is ideal for organizations looking to upgrade their existing infrastructure without extensive rewiring. Key features include plug-and-play installation, which simplifies deployment, and versatile compatibility with both legacy and modern ethernet networks.

The ET0010A model takes connectivity a step further by providing seamless integration with fiber optics. This device supports transmission distances that far exceed traditional copper solutions, making it a perfect fit for larger facilities or multi-building campuses. Its built-in Ethernet switch enhances network efficiency by providing multiple ports for device connectivity, thus facilitating greater data flow.

EncrypTight technology is a notable feature across these Black Box models, offering advanced encryption capabilities to safeguard sensitive data during transmission. With military-grade encryption protocols, EncrypTight ensures that corporate information remains secure from potential eavesdroppers. This technology is essential for businesses operating in regulated industries or that handle confidential customer information.

The ET0100A model combines intelligence with monitoring features to provide users with comprehensive network insights. It boasts built-in diagnostic tools that enable IT professionals to troubleshoot issues quickly and efficiently. Additionally, it features real-time performance monitoring, allowing users to analyze bandwidth usage and optimize network performance accordingly.

In conclusion, the Black Box ET1000A, ET0010A, EncrypTight, and ET0100A are powerful tools that embody the latest in data transmission and network management technologies. With their unique features—including extended connectivity capabilities, robust encryption technologies, and real-time monitoring solutions—these devices cater to the growing demands of businesses seeking to enhance their network infrastructure while ensuring robust security and efficiency. Integrating these tools into any organization’s operations can fundamentally improve both performance and data protection, making them indispensable in today’s digital landscape.
Top Page Image Contents