software version 9.1.4
Using jumbo frames allows a larger Ethernet payload per frame, which reduces the per-packet overhead and maximizes throughput on the media.
A Cisco ASA uses the de facto 1514/1518-byte Ethernet frame sizes (untagged vs. 802.1Q-tagged: the default 1500-byte MTU plus the 14-byte Ethernet header and, for tagged frames, the 4-byte 802.1Q tag) when processing Ethernet frames. A frame bigger than these two values is considered a "giant" and is dropped unless the interface supports Ethernet frames larger than 1518 bytes.
Enabling jumbo-frame support (the global "jumbo-frame reservation" command) always requires a reload of the firewall, or of all units in a failover pair or cluster.
e.g
To validate the status of jumbo frames, the CLI command "show jumbo reserve" will quickly identify it, or provide a warning if the standby unit has not been enabled or rebooted.
NOTE: You have to reboot all units in the cluster for the change to take effect.
Now that jumbo frames are supported, you can change the actual MTU per interface via the CLI command "mtu <intf-name> <size>", where <intf-name> is the interface's nameif name and <size> is in bytes (the default is 1500; with jumbo-frame reservation the ASA accepts up to 9198 bytes on most models).
e.g
A quick check before and after the change will show you the newly applied MTU value;
e.g
NOTE: if you try to change an interface MTU above 1500 on a Cisco ASA that does not have jumbo frames enabled, you will get the following warning.
Things to consider before enabling jumbo frames;
- does the layer-2 switch port of the directly connected device even support jumbo frames ( it makes no sense to enable a device for jumbo frames if the switch port does not support them )
- what is the maximum frame size that you expect to receive
- do the hosts/servers on your LAN segment support jumbo frames
- are you using PMTUD (path MTU discovery)
- does everything downstream and upstream support PMTUD
- does anything on your LAN/WAN links drop ICMP messages, or fail to generate ICMP type 3 code 4 ("fragmentation needed and DF set") messages, without which PMTUD silently fails and large DF-set packets are black-holed
- does your software application have any restriction on the size of data per Ethernet frame, or limits on the size of the UDP/TCP segment payload
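The frame-size arithmetic and the segment checklist above are easy to get wrong by hand, so here is an added Python example (not from the original post or from Cisco) that computes the 1514/1518 frame sizes from an MTU, decides whether a given frame would be a "giant", audits a constructed inventory of a LAN segment for devices that would break an end-to-end jumbo MTU, and works out the largest DF-set ping payload that should still succeed. The device names, MTUs and the "ping -M do" (Linux iputils) syntax are assumptions for illustration.

```python
"""Jumbo-frame sanity checks for a LAN segment (added example, not the post's own code)."""
from dataclasses import dataclass

ETH_HDR = 14      # dst MAC + src MAC + EtherType
DOT1Q_TAG = 4     # 802.1Q VLAN tag
FCS = 4           # frame check sequence; NOT counted in the ASA's 1514/1518 figures
IPV4_HDR = 20     # IPv4 header without options
ICMP_HDR = 8      # ICMP echo header


def frame_size(mtu: int, tagged: bool = False, include_fcs: bool = False) -> int:
    """Ethernet frame size carrying a payload of `mtu` bytes (1500 -> 1514 / 1518)."""
    size = ETH_HDR + mtu
    if tagged:
        size += DOT1Q_TAG
    if include_fcs:
        size += FCS
    return size


def is_giant(frame_bytes: int, mtu: int, tagged: bool = False) -> bool:
    """True when a frame (FCS excluded) is bigger than an interface with this MTU accepts."""
    return frame_bytes > frame_size(mtu, tagged)


@dataclass
class Device:
    name: str
    mtu: int
    supports_jumbo: bool = True


def path_mtu(devices: list[Device]) -> int:
    """Effective MTU across the segment is the smallest configured MTU on it."""
    return min(d.mtu for d in devices)


def audit(devices: list[Device], wanted_mtu: int) -> list[str]:
    """Explain, per device, why `wanted_mtu` would not work end to end."""
    problems = []
    for d in devices:
        if wanted_mtu > 1500 and not d.supports_jumbo:
            problems.append(f"{d.name}: no jumbo support, frames > 1518 bytes are giants")
        elif d.mtu < wanted_mtu:
            problems.append(f"{d.name}: MTU {d.mtu} < {wanted_mtu}, will drop or fragment")
    return problems


def df_ping_payload(mtu: int) -> int:
    """Largest ICMP echo payload that fits one unfragmented IPv4 packet of this MTU."""
    return mtu - IPV4_HDR - ICMP_HDR


def df_ping_command(host: str, mtu: int) -> str:
    """Linux iputils ping with DF set; a reply proves the path carries `mtu`-byte packets."""
    return f"ping -M do -s {df_ping_payload(mtu)} -c 3 {host}"


# Constructed inventory (assumption): ASA inside interface, access switch, file server,
# and a legacy printer on the same VLAN that cannot do jumbo frames.
SEGMENT = [
    Device("asa-inside", 9000),
    Device("sw-access-1", 9216),
    Device("fileserver", 9000),
    Device("printer-legacy", 1500, supports_jumbo=False),
]

if __name__ == "__main__":
    print("untagged/tagged frame for MTU 1500:", frame_size(1500), frame_size(1500, tagged=True))
    print("1600-byte frame on MTU 1500 interface is giant:", is_giant(1600, 1500))
    print("effective segment MTU:", path_mtu(SEGMENT))
    for line in audit(SEGMENT, 9000):
        print("WARN", line)
    print(df_ping_command("192.0.2.10", 9000))
```

Run it against your own inventory before touching the ASA: the effective MTU is the lowest on the segment, so a single non-jumbo host (the legacy printer above) turns the 9000-byte plan into 1500 for everything it talks to. The DF ping (8972 bytes of payload for a 9000-byte MTU, 1472 for 1500) is the quickest way to confirm that the path, not just the configuration, carries the larger packets.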
To see whether an ASA interface is receiving giants, check the interface counters with "show interface <interface name> detail";
e.g
and on a Cisco switch via the command (the Giants column shows oversized frames received on the port);
show interfaces <interface> counters errors
e.g
NOTE: Keep in mind that jumbo frames are typically not supported across network paths outside of your control; the de facto 1514/1518-byte Ethernet frame for untagged and 802.1Q-tagged traffic is the norm.
IMHO jumbo frames should only be trusted as supported on network paths that are under your control. This means you can discount the INTERNET for support of jumbo frames.
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( ^ ^ )=
o
/ \