Scott Granados wrote:

We set OSPF internally, set up BGP for the announcements at each site and used the no-export tag for the more specifics. Then GRE tunnels :) for the internal. It worked and I pushed probably 45 to 50mb over the internal loops or GRE tunnels. Not ideal but it worked.

Last time I tried this (IOS11.X to IOS11.X GRE) it was unreliable due to MTU limits. Certain websites (mainly financial) send large packets and set DF. This probably works around some security issue but the result was that these SSL servers couldn't reach clients over the GRE.

We have seen the same issue in recent history.

Generally, we try to have most of the traffic not pass through a GRE tunnel. With some creative routing, we can pass the data back out to our upstream which knows the more specific for that route.

That said, we do support /32 static dialups across our net, i.e. if you have a /32 static on your dialup, you get the same /32 no matter where you dial up. These generally pass through the GRE tunnel as we only know of them through OSPF through the GRE tunnel.

We have found that setting an MTU of roughly 1514 on the tunnel fixes this. I think this forces the GRE encapsulation to frag the packets regardless of the setting of the DF bit. Whether the far end router reassembles them or not I'm not sure about and haven't had the opportunity to stick a packet sniffer on the far end to tell. Regardless, it seems to fix the broken sites. YMMV

- Forrest W. Christian (email@example.com) AC7DE
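An added model of the GRE/MTU failure mode discussed in this thread (example code, not from any of the posters): it assumes 24 bytes of IPv4+GRE overhead and the IOS default of not copying the inner DF bit into the outer header, and shows why a 1500-byte DF packet is dropped at a 1476 tunnel MTU but crosses, fragmented after encapsulation, when the tunnel MTU is raised to 1514.

```python
"""Constructed model of DF packets entering a GRE tunnel (not a packet parser)."""
from dataclasses import dataclass

# Assumed overhead: 20-byte outer IPv4 header + 4-byte GRE header (no key/seq).
GRE_OVERHEAD = 24


@dataclass
class Tunnel:
    ip_mtu: int            # 'ip mtu' configured on the tunnel interface
    phys_mtu: int          # MTU of the physical interface the outer packets use
    copy_df: bool = False  # assumed default: inner DF is NOT copied to the outer header


def forward(tunnel: Tunnel, inner_len: int, df: bool) -> str:
    """Return what happens to one inner IPv4 packet entering the tunnel."""
    # Step 1: the tunnel MTU check is applied to the inner packet, before encapsulation.
    if inner_len > tunnel.ip_mtu:
        if df:
            # Only heals the session if this ICMP actually reaches the sender;
            # a filter that drops it turns this into the black hole seen in the thread.
            return "dropped: ICMP fragmentation-needed sent to source"
        return "inner packet fragmented before encapsulation"
    # Step 2: the outer packet is built and checked against the physical MTU.
    outer_len = inner_len + GRE_OVERHEAD
    if outer_len > tunnel.phys_mtu:
        if tunnel.copy_df and df:
            return "dropped: outer DF set, ICMP fragmentation-needed sent to source"
        # Outer DF clear: the router fragments the encapsulated packet and the
        # far-end tunnel endpoint reassembles it before decapsulation.
        return "outer packet fragmented; far-end router reassembles"
    return "forwarded intact"


def largest_df_packet(tunnel: Tunnel) -> int:
    """Largest DF packet that crosses the tunnel with no fragmentation at all."""
    return min(tunnel.ip_mtu, tunnel.phys_mtu - GRE_OVERHEAD)


if __name__ == "__main__":
    for mtu in (1476, 1514):
        t = Tunnel(ip_mtu=mtu, phys_mtu=1500)
        print(f"tunnel ip mtu {mtu}: 1500-byte DF packet -> {forward(t, 1500, df=True)};"
              f" largest unfragmented DF packet = {largest_df_packet(t)}")
```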