Solved

Is this Cisco router programming right?

Posted on 2009-07-15
Last Modified: 2013-12-12
I have been having a problem with a GRE tunnel. It is making my MTU 1476. I was told by a number of sources that enabling ICMP to re-negotiate the MTU size will do the trick. These are the lines I entered into the router. Are they right?

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 deny icmp any any

All commands were accepted.
0
Question by:ChiefIT
8 Comments
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 250 total points
ID: 24864260
Use the ip tcp adjust-mss command on the tunnel interfaces so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.
0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 250 total points
ID: 24864266
0
 
LVL 16

Assisted Solution

by:memo_tnt
memo_tnt earned 250 total points
ID: 24864270
Yes, it's correct ...
 
 
0
 
LVL 38

Author Comment

by:ChiefIT
ID: 24864653
@ IKALMAR:

The only problem with the Tunneling interface is I don't have control of it.

Here is what the network topology looks like:

My LAN>>satellite connection>>NOC1 router for a large WAN>>((GRE TUNNEL))>>Headquarters NOC>>WWW

I am good on the WAN side of NOC1, with everything set at 1500, going through to headquarters and the WWW is giving me fits. So, I did an MTU ping to google.com, and it came back as

packet too large and DF is set.

I would love to control those Tunnel interfaces. Then, I would make the MTU size on those interfaces 1524, and no problems from there on out for the entire WAN.

For my case, I believe I have to allow ICMP to renegotiate the MTU window for me until our two NOCs figure it out and come up with a fix on that GRE tunnel.


Do you have any other suggestions? I could call the Chief Information Officer and have him look into our Tunnel adapters.

0
 
LVL 38

Author Comment

by:ChiefIT
ID: 24864666
@memo:

I don't quite understand the last line:

"access-list 101 deny icmp any any"

Why deny it after you just permitted it in the lines above?
0
 
LVL 16

Assisted Solution

by:memo_tnt
memo_tnt earned 250 total points
ID: 24864742

ICMP has a lot of parameters; check this ACL:

access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable

So, when you deny ICMP any any at the end, that means anything else, after permitting the first parameters

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big

will be discarded.

That's why.

BR
0
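The first-match behaviour described in the answer above, as an added example that is not part of any post in this thread: a small Python model that parses the four access-list 101 lines from the question and reports which line decides each packet. The keyword-to-type/code table and the helper names (`parse_acl`, `evaluate`) are assumptions of this sketch, and it only handles `any any` entries.

```python
# Added example: first-match evaluation of ACL 101 as posted in the question.
# Keyword -> (ICMP type, code); code None means "any code of that type".
ICMP_KEYWORDS = {
    "unreachable": (3, None),            # all destination-unreachable codes
    "packet-too-big": (3, 4),            # fragmentation needed and DF set
    "administratively-prohibited": (3, 13),
    "time-exceeded": (11, None),
    "echo": (8, None),
    "echo-reply": (0, None),
    "traceroute": (30, None),
}

ACL_101 = """\
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 deny icmp any any
"""

def parse_acl(text):
    """Return [(action, protocol, (type, code) or None)] for 'any any' entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        if tok[4:6] != ["any", "any"]:
            raise ValueError("only 'any any' entries are modelled: " + line)
        match = ICMP_KEYWORDS[tok[6]] if len(tok) > 6 else None
        entries.append((tok[2], tok[3], match))
    return entries

def evaluate(entries, proto, icmp_type=None, icmp_code=None):
    """First matching entry wins; returns (action, line number), 0 = implicit deny."""
    for n, (action, e_proto, match) in enumerate(entries, 1):
        if e_proto not in ("ip", proto):
            continue
        if match is not None:
            m_type, m_code = match
            if icmp_type != m_type or (m_code is not None and icmp_code != m_code):
                continue
        return action, n
    return "deny", 0  # the implicit deny that ends every ACL

ENTRIES = parse_acl(ACL_101)

if __name__ == "__main__":
    for label, pkt in [("frag-needed (3/4)", ("icmp", 3, 4)), ("ttl-exceeded (11/0)", ("icmp", 11, 0)),
                       ("echo (8/0)", ("icmp", 8, 0)), ("tcp", ("tcp",))]:
        print(label, "->", evaluate(ENTRIES, *pkt))
```

In this model the fragmentation-needed message that PMTUD relies on is already permitted by line 1 (`unreachable`), so line 3 never gets a hit, and a non-ICMP packet matches none of the four lines and falls through to the implicit deny.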
 
LVL 38

Author Comment

by:ChiefIT
ID: 24865579
I am in contact with the two NOCs to see if they will raise the Tunneling router's Maximum Segment size. I really appreciate your help. For now, the ICMP edits did the trick.

For the rest of the WAN, they are going to have problems. So, I am going to escalate this to the NOC level.

Thank you guys, you have been a huge help all the way through this ordeal. For a bonehead at Cisco Routing, I sure appreciated your help.

0
 
LVL 38

Author Closing Comment

by:ChiefIT
ID: 31603996
Exactly what I was looking for. Thanks for the alternative options, ikalmar.

Thanks for verification and answering my concerns about the ICMP lines, memo.
0
