Path Maximum Transmission Unit

ETEP Configuration

The PMTU specifies the maximum payload size of a packet that can be transmitted by the ETEP. The PMTU value excludes the Ethernet header, which is 14-18 bytes long, and the CRC. The PMTU setting applies to the local and remote ports, as shown in Table 99. On the management port the PMTU is hard- coded to 1400 bytes.

Table 99 Valid PMTU ranges on ETEP appliances

Appliance model	Layer 2 PMTU range	Layer 3 PMTU range	Default
ET0010A	800-1500 bytes	576-1500 bytes	1500
ET0100A / / ET1000A	800-9300 bytes	576-9300 bytes	1500

Before sending a packet from its remote or local port the ETEP compares the packet payload size to the configured PMTU. Depending on payload size and appliance configuration the ETEP either discards the packet, transmits the packet, or fragments the packet before transmitting, as described in Table 100.

Table 100 PMTU and fragmentation behavior on the ETEP

Packet Payload Size	Layer 2 ETEP	Layer 3 ETEP
Less than or equal to PMTU	Passes the packet	Passes the packet
Exceeds PMTU	When operating in non-jumbo	Fragments the packet if the
	mode (PMTU ≤1500), the ETEP	payload exceeds the PMTU by
	fragments packets that exceed	less than 100 bytes, to allow for
	the PMTU.	encapsulation overhead.
	When operating in jumbo mode	Discards the packet under the
	(PTMU 1501-9300), the ETEP	following circumstances:
	discards packets that exceed	- The payload exceeds the
	the PMTU.	- The payload exceeds the
	the PMTU.	PMTU by more than 100 bytes
		PMTU by more than 100 bytes
		- The DF bit is set in the IP
		header.

Fragmentation resolves the problem of encryption overhead, which consists of the extra bytes that are added to the packet as a result of security encapsulation. For example, a packet with a payload size of 1500 bytes may pass through the network without being discarded. But after encapsulation, the payload size increases by 37-52 bytes. The resulting larger packet may be rejected by some equipment located in the network between the two peer appliances. By fragmenting the packet, the separate fragments are not rejected by the network.

The ETEP can be configured to perform pre-encryption or post-encryption fragmentation when it is operating as a Layer 3 encryptor. This feature is called Reassembly mode, and it is defined on the Interfaces tab in the Appliance editor. Reassembly mode cannot be configured when the Encryption Policy Setting is set to Layer 2:Ethernet. At Layer 2, packets that are subject to fragmentation are encrypted prior to fragmentation. Jumbo packets that exceed the PMTU are discarded.

When the ETEP is configured as a Layer 3 encryptor, the ETEP discards packets that exceed the PMTU size and have the DF (do not fragment) bit set in the IP header. You can override the DF bit in the IP header using the Ignore DF Bit setting on the local port.

Black Box ET0010A, ET1000A Path Maximum Transmission Unit, Valid Pmtu ranges on Etep appliances

Models: EncrypTight ET0100A ET0010A ET1000A