Solved

Is this Cisco router programing right?

Posted on 2009-07-15
8
478 Views
Last Modified: 2013-12-12
I have been having a problem with  a GRE tunnel. It is making my MTU 1476.  I was told by a number of sources that enabling ICMP to re-negotiate the MTU size will do the trick. These are the lines I entered into the router. Are they right?

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 deny icmp any any

All commands were accepted.
0
Comment
Question by:ChiefIT
  • 4
  • 2
  • 2
8 Comments
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 250 total points
Comment Utility
Use the ip tcp adjust-mss command on the tunnel interfaces so that the router will reduce the TCP MSS value in the TCP SYN packet. This will help the two end hosts (the TCP sender and receiver) to use packets small enough so that PMTUD is not needed.
0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 250 total points
Comment Utility
0
 
LVL 16

Assisted Solution

by:memo_tnt
memo_tnt earned 250 total points
Comment Utility
yes it;s correct ...
 
 
0
 
LVL 38

Author Comment

by:ChiefIT
Comment Utility
@ IKALMAR:

The only problem with the Tunneling interface is I don't have control of it.

Here is how the network topology looks like:

My LAN>>satellite connection>>NOC1 router for a large WAN>>((GRE TUNNEL))>>Headquarters NOC>>WWW

I am good on the WAN side of NOC1, with everything set at 1500, going through to headquarters and the WWW is giving me fits. So, I did an MTU ping to google.com, and it came back as

packet to large and DF is set.

I would love to control those Tunnel interfaces. Then, I would make the MTU size on those interfaces 1524, and no problems from there on out for the entire WAN.

For my case, I beleive I have to allow ICMP to renegotiate the MTU window for me until our two NOCs figure it out and come up with a fix on that GRE tunnel.


Do you have any other suggestions. I could call the Chief Information Officer and have him look into our Tunnel adapters.

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 38

Author Comment

by:ChiefIT
Comment Utility
@memo:

I don't quite understand the last line:

"access-list 101 deny icmp any any"

Why deny it after you just permitted it in the lines above?
0
 
LVL 16

Assisted Solution

by:memo_tnt
memo_tnt earned 250 total points
Comment Utility

ICMP has a lot of parameters check this ACL:

access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable  

So, when you deny ICMP any any at the end that means anything else after permitting the first parameters
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big

will be discard ..

that's why

BR
0
 
LVL 38

Author Comment

by:ChiefIT
Comment Utility
I am in contact with the two NOCs to see if they will raise the Tunneling router's Maximum Segment size. I really appreciate your help. For now, the ICMP edits did the trick.

For the rest of the WAN, they are going to have problems. So, I am going to escolate this to the NOC level.

Thanks you guys, you have been a huge help all the way through this ordeal. For a bonehead at Cisco Routing, I sure appreciated your help.

0
 
LVL 38

Author Closing Comment

by:ChiefIT
Comment Utility
Exactly what I was looking for.  Thanks, for alternative options ikalmar.

Thanks for verification and answering my concerns about the ICMP lines memo.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now