Configuring Path Maximum Transmission Unit Discovery on Avaya Security Gateways - Issue 1.0

Similar documents
Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Configuring H.323 over Port Network Address Translation (PNAT) for Avaya IP Endpoints using the Avaya SG200 Security Gateway - Issue 1.

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Application Notes for Configuring Yealink T-22 SIP Phones to interoperate with Avaya IP Office - Issue 1.0

Abstract. Avaya Solution & Interoperability Test Lab

Application Notes for Configuring Dorado Software Redcell Enterprise Bundle using SNMP with Avaya Communication Manager - Issue 1.

Technical Support Information Belkin internal use only

Abstract. Avaya Solution & Interoperability Test Lab

Guideline for setting up a functional VPN

Sample Configuration Using the ip nat outside source static

Internetworking. Problem: There is more than one network (heterogeneity & scale)

Sample Configuration for Microsoft Firewall and McAfee Desktop Firewall 8.5 to Support Avaya IP Softphone Issue 1.0

Sample Configuration for H.323 Trunk between Avaya IP Office and Cisco Unified Communications Manager 7.0 Issue 1.0

Using Cisco UC320W with Windows Small Business Server

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

LAB THREE STATIC ROUTING

How to Configure the Juniper NetScreen 5GT to Support Avaya H.323 IP Telephony Issue 1.0

Abstract. Avaya Solution & Interoperability Test Lab

1 PC to WX64 direction connection with crossover cable or hub/switch

Application Notes for Valcom PagePro IP with Avaya IP Office Issue 1.0

Application Notes for Configuring a SonicWALL Continuous Data Protection (CDP) backup solution with Avaya Voic Pro - Issue 1.

Application Notes for snom 3x0 VoIP Phones with Avaya IP Office Issue 1.0

Configuring Avaya 1120E, 1140E, 1220 and 1230 IP Deskphones with Avaya IP Office Release 6.1 Issue 1.0

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Chapter 10 Troubleshooting

Application Notes for BT Wholesale/HIPCOM SIP Trunk Service and Avaya IP Office 8.0 Issue 1.0

Avaya ExpertNet Lite Assessment Tool

Computer Networks I Laboratory Exercise 1

Pre-lab and In-class Laboratory Exercise 10 (L10)

Internet Architecture and Philosophy

BASIC ANALYSIS OF TCP/IP NETWORKS

Configuring the Avaya B179 SIP Conference Phone with Avaya Aura Communication Manager and Avaya Aura Session Manager Issue 1.0

IP - The Internet Protocol

Configuring Static and Dynamic NAT Simultaneously

Instructor Notes for Lab 3

SonicOS 5.9 One Touch Configuration Guide

8.2 The Internet Protocol

Exam 1 Review Questions

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

Application Notes for Configuring SIP Trunking between Metaswitch MetaSphere CFS and Avaya IP Office Issue 1.0

Application Notes for Metropolis ProfitWatch Hotel Call Accounting with Avaya IP Office Issue 1.0

Network Layer IPv4. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

Interconnection of Heterogeneous Networks. Internetworking. Service model. Addressing Address mapping Automatic host configuration

Cisco QuickVPN Installation Tips for Windows Operating Systems

Abstract. Avaya Solution & Interoperability Test Lab

Sample Configuration for SIP Trunking between Avaya IP Office R8.0 and Cisco Unified Communications Manager Issue 1.0

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Network layer: Overview. Network layer functions IP Routing and forwarding

Cisco Configuring Commonly Used IP ACLs

Lab - Configure a Windows 7 Firewall

Connecting Remote Offices by Setting Up VPN Tunnels

Configuring the PIX Firewall with PDM

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

VPNC Interoperability Profile

Application Notes for configuring Avaya IP Office IP500 R7.0 with 2Ring NetFAX R3.0 Issue 1.0

Firewall Stateful Inspection of ICMP

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

Abstract. Avaya Solution & Interoperability Test Lab

04 Internet Protocol (IP)

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Computer Networks. Lecture 3: IP Protocol. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0

Application Notes for Multi-Tech FaxFinder IP with Avaya IP Office Issue 1.0

How To Test The Nms Adaptive Suite With An Ip Office On A Windows 2003 Server On A Nms Desktop On A Pnet 2.5 (Tapi) On A Blackberry 2.2 (Tapi) On An Ipo 2

Discovering Devices CHAPTER

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

USER GUIDE. Ethernet Configuration Guide (Lantronix) P/N: Rev 6

Lab Configuring Access Policies and DMZ Settings

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Abstract. Avaya Solution & Interoperability Test Lab

Using IPM to Measure Network Performance

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

Sample Configuration Using the ip nat outside source list C

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Abstract. Avaya Solution & Interoperability Test Lab

ACHILLES CERTIFICATION. SIS Module SLS 1508

Fonality. Optimum Business Trunking and the Fonality Trixbox Pro IP PBX Standard Edition V p13 Configuration Guide

IP Address Classes (Some are Obsolete) Computer Networking. Important Concepts. Subnetting Lecture 8 IP Addressing & Packets

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version Rev.

Configure ISDN Backup and VPN Connection

What is VLAN Routing?

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Application Notes for Configuring NMS Adaptive Desktop SMS with Avaya IP Office R8.0 using Avaya IP Office TAPI Service Provider - Issue 1.

Configuring an IPSec Tunnel between a Cisco 3825 Router and the Cisco VPN Client to Support Avaya IP Softphone Issue 1.0

Abstract. Avaya Solution & Interoperability Test Lab

SMC7004ABR Barricade Broadband Router Installation Instructions

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution 1.

Application Notes for Configuring Intelepeer SIP Trunking with Avaya IP Office Issue 1.0

Lab - Configure a Windows Vista Firewall

his document discusses implementation of dynamic mobile network routing (DMNR) in the EN-4000.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Discovering Devices. The Cisco Prime Collaboration Manager discovery process involves three phases: Access-level discovery Cisco Prime CM:

Lab Configuring Access Policies and DMZ Settings

Lab Configure Cisco IOS Firewall CBAC

Transcription:

Avaya Solution & Interoperability Test Lab Configuring Path Maximum Transmission Unit Discovery on Avaya Security Gateways - Issue 1.0 Abstract These Application Notes address the setup and configuration of Path Maximum Transmission Unit (MTU) Discovery on the Avaya Security Gateways. The Path MTU feature may be used for either clear traffic or encrypted (VPN) traffic. 1 of 12

1. Introduction Path MTU is used for dynamically discovering the maximum transmission unit (MTU) of an arbitrary Internet path. The Path MTU Discovery is defined in RFC 1191. The basic idea is that a source host initially assumes that the Path MTU of a path is the (known) MTU of its first hop, and sends all datagrams on that path with the Don t Fragment (DF) bit set. If any of the datagrams are too large to be forwarded without fragmentation by some router along the path, that router will discard them and return ICMP Destination Unreachable messages with a code meaning "fragmentation needed and DF set". Upon receipt of such a message, the source host reduces its assumed Path MTU for the path. Avaya Security Gateways (SGs) support Path MTU discovery for both clear traffic and encrypted (VPN) traffic. These Application Notes demonstrate the steps required to configure the Path MTU in Avaya Security Gateways in an IP network environment. Figure 1 below shows the topology used for the verification. SG208 Private: 192.168.101.8 Public: 60.1.1.2 SG203 Private:10.4.4.2 Public: 90.1.1.2 Avaya P882 192.168.101.0 Avaya SG208 60.1.1.0/24 Extreme Alpine 3808 90.1.1.0/24 Avaya SG203 10.4.4.0/24 Cisco 3745 Site-to-Site VPN Tunnel PC 1 192.168.101.10 PC 2 101.4.4.10 Figure 1: Sample Site-to-Site VPN Configuration Notes: It has been assumed that a site-to-site VPN tunnel between the Avaya SG208 and the Avaya SG203 has been pre-configured and is working. For detailed VPN tunnel configuration, please refer to the Application Note entitled Site-to-Site VPN Configuration between Avaya SG208 Security Gateway, Enterasys XSR-1805 Security Router, and Cisco VPN 3000 Concentrator using AES-128, Perfect Forward Secrecy and Tunnel Persistence Issue 1.0 at http://www1.avaya.com/enterprise/resourcelibrary/applicationnotes/datanetworking.html 2 of 12

2. Equipment and Software Validated Table 2 lists the equipment and software validated for the sample configuration provided. Equipment Avaya P882 MultiService Switch Avaya SG208 Security Gateway Avaya SG203 Security Gateway Extreme Alpine 3808 Switch Cisco 3745 MultiService Router Software V6.0.0 VPNos v4.5.29 VPNos v4.5.29 V7.2.0 (B25) IOS 12.3.(4T) Table 2: Equipment and Software Validated 3. Configure Path MTU on Avaya SG203 Security Gateway This section describes the Path MTU configuration for the Avaya SG203 Security Gateway. Basic public and private interface administration is not covered. Please refer to the SG203 system documentation for details on interface administration. Since the configuration is identical for both the SG203 and the SG208, only the SG203 configuration is presented here. Table 1 shows the default Path MTU settings for Avaya Security Gateways. Security Gateway Path MTU DF Bit Other DF Bit Options SG5, SG5x OFF CLEAR COPY, SET available SG200, SG203, SG208 ON COPY No other options available Table 1: Default Path MTU Settings for Security Gateways 3.1. Enable Path MTU Discovery By default, the Path MTU is on and the DF Bit is set to COPY. If Path MTU discovery is on, it will enable the SG203 to dynamically figure out the minimum MTU of the packet path and, if possible, to inform the source host of the packet about it. The routers that support Path MTU will send an ICMP need-frag message to the source of the packet. Note that Path MTU will work differently in the following two scenarios. Scenario 1: Clear Traffic and NAT enabled In the case of Static or Port NAT, the SG will be seen as the source of the packet by outside routers (routers located on the public side). Hence they will send the ICMP need-frag message to the SG. The SG will generate or convert the ICMP message and send it to the real source host. Scenario 2: VPN Traffic When the SG is an endpoint for a VPN, the packets leaving the SG on the public interface will have the source set as the SG. When an intermediate router sends an ICMP need-frag message to the SG, the SG will find all VPNs matching the destination address and the 3 of 12

security protocol (ESP/AH) and update their MTU size. Therefore, when the next packet larger than this new Path MTU arrives at the SG from a private interface, the SG generates an ICMP need-frag message to the source host. This is the case with Tunnel NAT enabled or disabled. To configure Path MTU Discovery on the SG203, follow these steps: Establish an HTTP connection to the Security Gateway private interface. Log in using a valid login ID and password. Navigate to Configure Advanced Path MTU. Figure 2 shows that the default setting is on for the SG203. Figure 2: Path MTU ON Configuration Note: Path MTU timeout range is 0-1000 minutes. The default is 500 minutes. 3.2. Disable Path MTU Discovery When the Path MTU is turned off on the SG203, there are three settings available for the DF bit. Understanding the differences among these settings is important in order to implement Path MTU Discovery properly. 4 of 12

1. Copy DF bit from the source packet With this configuration, all VPN traffic leaving the SG203 will have the same DF bit setting, as the original packet and the SG will not honor the ICMP need-frag messages. 2. Set DF bit With this configuration, the SG203 will set the DF bit to do not fragment the packet as the packets leave the SG203. 3. Clear DF bit When the DF bit is set to CLEAR, the SG203 will not honor any ICMP messages coming to the SG. The SG will clear the DF bit for all VPN packets leaving the SG. Follow the steps below to turn off the Path MTU Discovery and configure different DF bit settings on the SG203. Configure the SG203 to Copy DF bit from the source packet. Click Off for Path MTU Discovery. Select one of the DF bit settings in Figure 3. Click Save. Figure 3: Path MTU OFF and DF bit Set to Copy Configuration 5 of 12

Note: Once the Save button is clicked, the SG will generate a warning message as shown in Figure 4. Click Close in Figure 4. Figure 4: SG203 Warning Message Click OK from Figure 5 to save the configuration. Figure 5: Save Configuration 6 of 12

3.3. Configure the SG203 Interface MTU Size The MTU size for SG203 interfaces can be set in the range of 296 1500 bytes. The following example shows how to configure the SG public interface MTU to 1000 bytes. Navigate to Configure Networks. Highlight Interfaces under the Properties panel. Highlight Ethernet 1 (public) and click Modify... as shown in Figure 6. Figure 6: Configure Interface 7 of 12

Click Media Settings as shown in Figure 7. Figure 7: Configure Media Setting for Interface Type 1000 in the MTU field as shown in Figure 8 and click OK. Figure 8: Configure Media Setting for Interface (Continued) 8 of 12

Click Save as shown in Figure 9. Figure 9: Save Interface Configuration 4. Verification Steps The following steps can be used to validate the configuration. Set Path MTU to ON and the MTU size to 1000 bytes for the SG public interface. Launch a ping from PC 1 with a packet size of 1500. Verify that the pings are successful and the SG fragments the packets. Set Path MTU to OFF and the DF bit to COPY. Launch pings from PC 1 to the Cisco 3745 router interface (10.4.4.1) with a packet size of 1500 bytes and DF bit Set (flag f means to set the DF bit) Verify that the pings failed (SG dropped the packets) and the PC 1 received ICMP message Packet needs to be fragmented but DF set from the 9 of 12

SG. The capture below is the output from the PC 1. Note that the IP address 192.168.101.8 is the IP address of the SG208 private interface. C:\> ping 10.4.4.1 -f -l 1500 Pinging 10.4.4.1 with 1000 bytes of data: Reply from 192.168.101.8: Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Ping statistics for 10.4.4.1: Packets: Sent = 4, Received = 1, Lost = 3 (75% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms Set the MTU size to 800 bytes in both private and public interfaces of the SG208. Launch a ping with packet size 1500 bytes from the Cisco 3745 router to the Avaya P882 Switch. Verify that the SG203 fragments the packets. The protocol analyzer trace, shown below, captured from the private side of the SG208 showed that the ICMP packet was fragmented. The lines in bold showed the packet fragmentation. Record #6 (From Node to Hub) Captured on 10.12.04 at 14:03:04.622560600 Length = 814 Runtime Frame# 6 ------------ ETHER Header ------------ ETHER: Destination: 00-30-6D-E8-18-64 ETHER: Source: 00-60-A1-00-CD-96 ETHER: Protocol: IP ETHER: FCS: 0238FCF9 ------------ IP Header ------------ IP: Version = 4 IP: Header length = 20 IP: Differentiated Services (DS) Field = 0x00 IP: 0000 00.. DS Codepoint = Default PHB (0) IP:.....00 Unused IP: Packet length = 796 IP: Id = c4 IP: Fragmentation Info = 0x2000 IP: IP:.0........... Don't Fragment Bit = FALSE..1.......... More Fragments Bit = TRUE IP:...0 0000 0000 0000 Fragment offset = 0 IP: Time to live = 253 IP: Protocol = ICMP (1) IP: Header checksum = 666E (Verified 666E) IP: Source address = 10.4.4.1 IP: Destination address = 192.168.101.1 10 of 12

Record #7 (From Node to Hub) Captured on 10.12.04 at 14:03:04.622624000 Length = 742 Runtime Frame# 7 ------------ ETHER Header ------------ ETHER: Destination: 00-30-6D-E8-18-64 ETHER: Source: 00-60-A1-00-CD-96 ETHER: Protocol: IP ETHER: FCS: D92A5A0C ------------ IP Header ------------ IP: Version = 4 IP: Header length = 20 IP: Differentiated Services (DS) Field = 0x00 IP: 0000 00.. DS Codepoint = Default PHB (0) IP:.....00 Unused IP: Packet length = 724 IP: Id = c4 IP: Fragmentation Info = 0x0061 IP:.0........... Don't Fragment Bit = FALSE IP:..0.......... More Fragments Bit = FALSE IP:...0 0000 0110 0001 Fragment offset = 776 IP: Time to live = 253 IP: Protocol = ICMP (1) IP: Header checksum = 8655 (Verified 8655) IP: Source address = 10.4.4.1 IP: Destination address = 192.168.101.1 Note that the Record #6 is the first part of the original packet and the Record #7 is the second half after fragmentation. 5. Conclusion Avaya Security Gateways support the Path MTU Discovery protocol for both clear and encrypted (VPN) traffic. The SGs interoperated with Extreme network devices that support the Path MTU Discovery protocol. The steps described in these Application Notes can be generalized for most configurations. 11 of 12

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by and are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com 12 of 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information