
5. Click Delete.

6. Click Apply.

Configuring MSS Clamping

When end devices use path MTU discovery, it can cause connectivity problems when their connections pass through PPPoE interfaces. Use the MSS Clamping field to prevent these problems by reducing the maximum segment size (MSS) that is advertised across the outgoing link.

IPSO advertises the value in this field as the MSS for packets that transit this interface. If a connected device (such as a host system) advertises a greater MSS, IPSO advertises the value in this field instead of the value advertised by the device. There is no default value for the MSS Clamping field. If you do not enter a value, the MSS advertised by end devices is always advertised across the link.

If hosts connected to this interface experience connectivity problems with some destinations, use this field to restrict the MSS that they can advertise. Entering a value of 1452 will probably solve any such problems.

See RFC 2923 for more information about how path MTU discovery can cause connectivity problems.

Virtual LAN Interfaces

Nokia IPSO supports virtual LAN (VLAN) interfaces on all supported Ethernet interfaces. VLAN interfaces let you configure subnets with a secure private link to Check Point FW-1/VPN-1 with the existing topology. VLAN enables the multiplexing of Ethernet traffic into channels on a single cable.

The Nokia implementation of VLAN supports adding a logical interface with a VLAN ID to a physical interface. In a VLAN packet, the OSI Layer 2 header, or MAC header, contains four more bytes than the typical Ethernet header for a total of 18 bytes. When traffic arrives at the physical interface, the system examines it for the VLAN layer-two header and accepts and forwards the traffic if a VLAN logical interface is configured. If the traffic that arrives at the physical interface does not have a VLAN header, it is directed to the channel 0, or untagged, interface. In the Nokia implementation, the untagged channel-0 interface drops VLAN packets that are sent to the subnets on that interface.

Outgoing traffic from a VLAN interface is tagged with the VLAN header. The Nokia appliance can receive and generate fully conformant IEEE 802.1Q tags. The IEEE 802.1Q standard defines the technology for virtual bridged networks. The Nokia implementation is completely interoperable as a router, not as a switch.
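The tagging behavior described above, shown as an added Python example (not Nokia's code and not part of the original guide): it inserts and parses the 4-byte IEEE 802.1Q tag that makes the Layer 2 header 18 bytes, then decides which logical interface receives a frame. The interface names `channel0` and `vlanN`, the sample frame, and the rule that tagged frames with no matching logical interface are dropped are assumptions made for the illustration.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an IEEE 802.1Q tag

def parse_frame(frame: bytes):
    """Return (vlan_id, priority, ethertype, payload); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated tag: a VLAN header is 18 bytes")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]

def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Egress from a VLAN interface: insert the 4-byte tag after the MAC addresses."""
    if not 1 <= vlan_id <= 4094 or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must be 1..4094 and priority 0..7")
    tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return frame[:12] + tag + frame[12:]

def classify(frame: bytes, configured_vlans: set):
    """Ingress decision: name of the receiving logical interface, or None to drop."""
    vlan_id, _prio, _etype, _payload = parse_frame(frame)
    if vlan_id is None:
        return "channel0"            # untagged traffic goes to channel 0
    if vlan_id in configured_vlans:
        return f"vlan{vlan_id}"      # a logical interface exists for this ID
    return None                      # assumption: unmatched tagged frames are dropped

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload
SAMPLE = bytes.fromhex("020000000001 020000000002 0800") + b"payload"

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE, 100, priority=5)
    print(tagged[12:16].hex())                 # the inserted 802.1Q tag
    for frame in (SAMPLE, tagged):
        print(parse_frame(frame)[:3], classify(frame, {100}), classify(frame, {200}))
```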

IPSO supports a maximum of 1015 VLAN interfaces. However, if you do not explicitly configure the system to support this number (in the Maximum Number of VLANs Allowed text box), the default maximum is 950 VLAN interfaces. This is a system-wide limit, not a limit on any specific interface.


Nokia Network Voyager for IPSO 4.0 Reference Guide
