Wednesday, March 12, 2014

Jumbo Frames cisco ASA

In this post, we will look at the enabling of the jumbo-frames for ethernet interfaces on the cisco ASA
software version 9.1.4



The usage of jumbo frames allows for a bigger ethernet payload to be used, thus reducing the overhead & maximizing the media thru-put.

A cisco ASA uses the defacto 1514/1518 bytes MTU for the processing of ethernet frames ( non-802.1tag vrs 802.1q tagged ) . A frame bigger than these 2 values would be considered a  "giant" and would be dropped unless the interfaces supports a ethernet-frame bigger than  1518bytes.

When enabling jumbo-frame support, it will always require a reboot of the firewall or all units in a cluster.

e.g



To validate the status of jumbo frames, the cli cmd  "show jumbo reserve" will easy identify or provided a warning if the stand-by unit has not been enable  or reboot.


NOTE: You have to reboot all units in the cluster for the changes to take place & to be effective.


Now that you have the  jumbo frame supported, you can make changes per interface, to change the actual mtu via the cli cmd mtu < intf-name> <size>


e.g



and a quick check before/after the change,  will show you  the newly applied MTU value;


e.g








NOTE:  if you happen to try changing a interface MTU on a cisco ASA that didn't have  jumbo-frames enabled you will get the following warning.




Things to consider b4 enabling jumbo-frames;

  •   does the layer2 switch port of the device directly connected, even  supports  jumbo frames ( it makes no sense to enable a device for jumbo but the switchport does not support jumbo frames )

  •   what's the max recognized frame size that you expect to received

  •   does your lan segment host/servers support jumbo frames

  •   are you using PMTUd  for mtu discovery

  •   does anything down or upstream support PMTUd

  •   does anything on your lan/wan links drops icmp messages or does not  generate icmp-type 3 icmp-code 4 messages

  •  Does you Software application have any restriction on the size of data per ethernet frame segment

  • or udp/tcp-segments limits in the size of payload
You can monitor interface drops on the ASA with the following cmd

show interface < interface name> detail

e.g



and on a cisco switch  via the command;

 show int <number> counter errors

e.g



NOTE: Keep in mind that Jumbo frames are typically not supported across any networks paths outside of your control and the defacto 1514/1518 bytes ethernet-frame for  non-802.1q and 802.1q  are the norm. 

IMHO they ( jumbo ) are only to be trusted as supportive in networks paths that's under your control. So this means you can discount the INTERNET for support of Jumbo-Frames.

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
          o
       /     \

No comments:

Post a Comment