Black Box ET0010A User Manual

ETEP Configuration
EncrypTight User Guide
Path Maximum Transmission Unit
The PMTU specifies the maximum payload size of a packet that can be transmitted by the ETEP. The 
PMTU value excludes the Ethernet header, which is 14-18 bytes long, and the CRC. The PMTU setting 
applies to the local and remote ports, as shown in 
. On the management port the PMTU is hard-coded to 1400 bytes.
Before sending a packet from its remote or local port the ETEP compares the packet payload size to the 
configured PMTU. Depending on payload size and appliance configuration the ETEP either discards the 
packet, transmits the packet, or fragments the packet before transmitting, as described in 
Fragmentation resolves the problem of encryption overhead, which consists of the extra bytes that are 
added to the packet as a result of security encapsulation. For example, a packet with a payload size of 
1500 bytes may pass through the network without being discarded. But after encapsulation, the payload 
size increases by 37-52 bytes. The resulting larger packet may be rejected by some equipment located in 
the network between the two peer appliances. When the packet is fragmented, the separate fragments are not 
rejected by the network. 
The ETEP can be configured to perform pre-encryption or post-encryption fragmentation when it is 
operating as a Layer 3 encryptor. This feature is called Reassembly mode, and it is defined on the 
Interfaces tab in the Appliance editor. Reassembly mode cannot be configured when the Encryption 
Policy Setting is set to Layer 2:Ethernet. At Layer 2, packets that are subject to fragmentation are 
encrypted prior to fragmentation. Jumbo packets that exceed the PMTU are discarded.
When the ETEP is configured as a Layer 3 encryptor, the ETEP discards packets that exceed the PMTU 
size and have the DF (do not fragment) bit set in the IP header. You can override the DF bit in the IP 
header using the Ignore DF Bit setting on the local port. 

Table 99  Valid PMTU ranges on ETEP appliances

Appliance model        Layer 2 PMTU range   Layer 3 PMTU range   Default
ET0010A                800-1500 bytes       576-1500 bytes       1500
ET0100A / / ET1000A    800-9300 bytes       576-9300 bytes       1500

Table 100  PMTU and fragmentation behavior on the ETEP

Packet Payload Size: Less than or equal to PMTU
  Layer 2 ETEP: Passes the packet
  Layer 3 ETEP: Passes the packet

Packet Payload Size: Exceeds PMTU
  Layer 2 ETEP: When operating in non-jumbo mode (PMTU 1500), the ETEP fragments packets that exceed the PMTU. When operating in jumbo mode (PMTU 1501-9300), the ETEP discards packets that exceed the PMTU.
  Layer 3 ETEP: Fragments the packet if the payload exceeds the PMTU by less than 100 bytes, to allow for encapsulation overhead. Discards the packet under the following circumstances:
    - The payload exceeds the PMTU by more than 100 bytes
    - The DF bit is set in the IP header.
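
As an added example (not from the EncrypTight guide or any Black Box code), the following Python model applies the rules of Table 99 and Table 100 so that a planned PMTU setting can be checked against sample traffic before deployment. The function and parameter names are hypothetical, the traffic is constructed, and treating a PMTU of 1500 or less as non-jumbo mode is an assumption.

```python
from enum import Enum

class Action(Enum):
    PASS = "pass"
    FRAGMENT = "fragment"
    DISCARD = "discard"
    UNSPECIFIED = "unspecified"  # case the tables do not cover

# Table 99: valid PMTU ranges in bytes, keyed by model and encryption layer.
PMTU_RANGES = {
    "ET0010A": {2: (800, 1500), 3: (576, 1500)},
    "ET0100A": {2: (800, 9300), 3: (576, 9300)},
    "ET1000A": {2: (800, 9300), 3: (576, 9300)},
}

def etep_action(model, layer, pmtu, payload, df=False, ignore_df=False):
    """Predict the ETEP's handling of one packet per Tables 99 and 100."""
    low, high = PMTU_RANGES[model][layer]
    if not low <= pmtu <= high:
        raise ValueError(f"PMTU {pmtu} is outside {low}-{high} for {model} Layer {layer}")
    if payload <= pmtu:
        return Action.PASS
    if layer == 2:
        # Assumption: non-jumbo mode means PMTU <= 1500 (jumbo is 1501-9300).
        # Table 100 lists no DF handling at Layer 2, so DF is not consulted.
        return Action.FRAGMENT if pmtu <= 1500 else Action.DISCARD
    if df and not ignore_df:
        return Action.DISCARD  # oversize with DF set and Ignore DF Bit off
    excess = payload - pmtu
    if excess < 100:
        return Action.FRAGMENT
    if excess > 100:
        return Action.DISCARD
    return Action.UNSPECIFIED  # exactly 100 bytes over is not stated in Table 100

def at_risk(model, layer, pmtu, packets):
    """Return the (payload, df) pairs that are discarded or not covered by the tables."""
    return [(size, df) for size, df in packets
            if etep_action(model, layer, pmtu, size, df)
            in (Action.DISCARD, Action.UNSPECIFIED)]

# Constructed sample traffic: (payload bytes, DF bit set)
SAMPLE = [(1200, True), (1400, True), (1450, False),
          (1450, True), (1500, False), (1600, False)]

if __name__ == "__main__":
    for size, df in SAMPLE:
        print(size, df, etep_action("ET0010A", 3, 1400, size, df).value)
    print("at risk:", at_risk("ET0010A", 3, 1400, SAMPLE))
```

A payload exactly 100 bytes over the PMTU is reported as unspecified because Table 100 states only "less than" and "more than" 100 bytes.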