Thursday, March 17, 2005

GRE Tunneling and clearing the DF bit

A question that sometimes comes up is:

Why Can't I Browse the Internet when Using a GRE Tunnel?

Sometimes when traffic goes through a generic routing encapsulation (GRE) tunnel, you can successfully use the ping command and Telnet, but you cannot download Internet pages or transfer files using File Transfer Protocol (FTP). This document explains a common reason for this problem, and offers several workarounds.


One of these four solutions should solve the problem.

Find out where along the path the ICMP message is blocked, and see if you can get it allowed.

Set the MTU on the Client's network interface to 1476 bytes, forcing the SMSS to be smaller, so packets won't have to be fragmented when they reach R2. However, if you change the MTU for the Client, you should also change the MTU for all devices that share the network with this Client. On an Ethernet segment, this could be a large number of devices.

Use a proxy-server (or, even better, a Web cache engine) between R2 and the Gateway router, and let the proxy-server request all the Internet pages.

If the GRE tunnel runs over links that can have an MTU greater than 1500 bytes plus the tunnel header, then another solution is to increase the MTU to 1524 (1500 plus 24 for the GRE overhead) on all interfaces and links between the GRE endpoint routers.

I would use a route map to clear the DF bit. Here is an example of how to do this on a Cisco router:
route-map nodf permit 10
 set ip df 0
interface FastEthernet2/0
 ip policy route-map nodf

Note that the "ip policy route-map nodf" command must be applied on the interface receiving the packets for which the DF bit must be cleared, and not the interface with the reduced MTU itself, where the packets are subsequently transmitted.
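The effect of the route map on a single packet, as an added Python example (not from the original post or from Cisco): it clears the DF bit in an IPv4 header, recomputes the header checksum, and shows the decision a router makes when the packet enters a tunnel with a 1476-byte MTU. The function names, the sample addresses and the 20-byte option-free header are assumptions made for illustration.

```python
import struct

GRE_OVERHEAD = 24                  # bytes added by GRE, per the text
TUNNEL_MTU = 1500 - GRE_OVERHEAD   # 1476, the value suggested for the client
DF = 0x4000                        # Don't Fragment flag in the flags/offset word

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(total_len: int, df: bool) -> bytes:
    """Constructed 20-byte IPv4/TCP header, 192.0.2.1 -> 198.51.100.1."""
    fields = [0x4500, total_len, 0x1234, DF if df else 0, 0x4006, 0,
              0xC000, 0x0201, 0xC633, 0x6401]
    fields[5] = checksum(struct.pack("!10H", *fields))
    return struct.pack("!10H", *fields)

def clear_df(header: bytes) -> bytes:
    """What 'set ip df 0' does to the header: drop DF, fix the checksum."""
    fields = list(struct.unpack("!10H", header[:20]))  # assumes no IP options
    fields[3] &= ~DF & 0xFFFF
    fields[5] = 0
    fields[5] = checksum(struct.pack("!10H", *fields))
    return struct.pack("!10H", *fields) + header[20:]

def tunnel_action(header: bytes) -> str:
    """Decision made for a packet about to enter the GRE tunnel."""
    _, total_len, _, flags_frag = struct.unpack("!4H", header[:8])
    if total_len <= TUNNEL_MTU:
        return "forward"
    if flags_frag & DF:
        return "drop, send ICMP fragmentation needed"
    return "fragment, then forward"

if __name__ == "__main__":
    ping = build_header(84, df=True)      # small packet: ping and Telnet work
    page = build_header(1500, df=True)    # full-size segment of a web download
    for name, hdr in (("ping", ping), ("page", page),
                      ("page, DF cleared", clear_df(page))):
        print(f"{name:18} -> {tunnel_action(hdr)}")
```

If the ICMP message in the second case never reaches the sender, the full-size packets are silently lost, which is the browsing and FTP failure described above.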

For more information, refer to the article on the Cisco site.

