| Feature | Product | Release introduced |
|---|---|---|
| IPsec fragmentation before encryption | 5320 Series | Not Supported |
| | 5420 Series | Not Supported |
| | 5520 Series | Not Supported |
| | 5720 Series | Fabric Engine 8.7 (5720-24MXW and 5720-48MXW using Fabric IPsec Gateway) |
| | 7520 Series | Fabric Engine 8.10 using Fabric IPsec Gateway |
| | 7720 Series | Fabric Engine 8.10 using Fabric IPsec Gateway |
| | VSP 4450 Series | Not Supported |
| | VSP 4900 Series | VOSS 8.3.1 (VSP4900-12MXU-12XE and VSP4900-24XE using Fabric IPsec Gateway) |
| | VSP 7200 Series | Not Supported |
| | VSP 7400 Series | VOSS 8.3.1 using Fabric IPsec Gateway |
| | VSP 8200 Series | Not Supported |
| | VSP 8400 Series | Not Supported |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | VOSS 8.2.7 |
In the 5720 Series, the 5720-24MXW and 5720-48MXW switches support IPsec fragmentation before encryption of Fabric Extend tunnels using the Fabric IPsec Gateway.
The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN, where the path MTU is typically smaller than on the LAN.
Configure IPsec fragmentation so that packets are fragmented before encryption and ESP encapsulation. The switch fragments each packet against the tunnel maximum transmission unit (MTU) minus the IPsec overhead, so that each fragment, once encapsulated, does not exceed the tunnel MTU. The MTU is a per-tunnel setting, so fragmentation is decided per tunnel. On a tunnel with this feature enabled, every packet that egresses the NNI port is a complete encapsulating security payload (ESP) packet; no IP fragments of ESP packets are sent. This matters on a WAN path because a peer must reassemble post-encryption fragments before it can verify and decrypt them, and intermediate firewalls commonly drop IP fragments.
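The following is an added model (not Extreme Networks code, and not the switch's own algorithm) of how sizing fragments against "the tunnel MTU without the IPsec header" works, contrasted with fragmenting the ESP packet after encryption. The tunnel MTU of 1400, the 1500-byte inner packet, the two cipher suites and the header sizes are assumptions chosen for illustration (IPv4 without options, tunnel-mode ESP).

```python
# Added example, not Extreme Networks code: a model of how "fragmentation before
# encryption" sizes cleartext fragments against a tunnel MTU, versus IP-fragmenting
# the ESP packet after encryption. The tunnel MTU, cipher suites and header sizes
# below are assumptions for illustration (IPv4 without options, tunnel-mode ESP).
from dataclasses import dataclass

IPV4_HDR = 20      # IPv4 header without options (outer header, and each inner fragment's header)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
FRAG_UNIT = 8      # IPv4 fragment offsets are counted in 8-byte units


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # IV bytes carried in the ESP packet
    align: int     # ESP payload + trailer is padded to a multiple of this
    icv_len: int   # integrity check value bytes


# Assumed suites: AES-CBC needs 16-byte alignment; AES-GCM (RFC 4106) carries an 8-byte IV
# and only needs the 4-byte alignment that ESP itself requires.
AES_CBC_HMAC_SHA256 = EspSuite("aes-cbc-128/hmac-sha256-128", iv_len=16, align=16, icv_len=16)
AES_GCM_128 = EspSuite("aes-gcm-128", iv_len=8, align=4, icv_len=16)


def esp_packet_len(inner_len: int, suite: EspSuite) -> int:
    """On-the-wire length of a tunnel-mode ESP packet carrying inner_len cleartext bytes."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % suite.align
    return IPV4_HDR + ESP_HDR + suite.iv_len + body + pad + suite.icv_len


def max_inner_len(tunnel_mtu: int, suite: EspSuite) -> int:
    """Largest cleartext packet whose ESP encapsulation still fits the tunnel MTU.

    The fixed IPsec overhead is subtracted first, then the bound is lowered until
    cipher padding no longer pushes the encrypted packet over the MTU.
    """
    n = tunnel_mtu - IPV4_HDR - ESP_HDR - suite.iv_len - suite.icv_len - ESP_TRAILER
    while n > 0 and esp_packet_len(n, suite) > tunnel_mtu:
        n -= 1
    return n


def fragment_before_encryption(inner_len: int, tunnel_mtu: int, suite: EspSuite) -> list[int]:
    """Fragment the cleartext packet first, then encrypt each fragment.

    Returns the length of each cleartext fragment (each carries its own IPv4 header).
    Every fragment's ESP encapsulation fits the tunnel MTU, so only whole ESP packets
    leave the NNI port.
    """
    limit = max_inner_len(tunnel_mtu, suite)
    if inner_len <= limit:
        return [inner_len]
    per_frag = (limit - IPV4_HDR) // FRAG_UNIT * FRAG_UNIT
    if per_frag <= 0:
        raise ValueError(f"tunnel MTU {tunnel_mtu} too small for {suite.name}")
    payload, frags = inner_len - IPV4_HDR, []
    while payload > 0:
        take = min(per_frag, payload)
        frags.append(IPV4_HDR + take)
        payload -= take
    return frags


def fragment_after_encryption(inner_len: int, tunnel_mtu: int, suite: EspSuite) -> list[int]:
    """The behaviour without the feature: encrypt the whole packet, then IP-fragment the
    ESP packet. Only the first fragment carries the ESP header; the peer must reassemble
    before it can verify the ICV or decrypt, and firewalls on the WAN path often drop
    such fragments.
    """
    total = esp_packet_len(inner_len, suite)
    if total <= tunnel_mtu:
        return [total]
    per_frag = (tunnel_mtu - IPV4_HDR) // FRAG_UNIT * FRAG_UNIT
    payload, frags = total - IPV4_HDR, []
    while payload > 0:
        take = min(per_frag, payload)
        frags.append(IPV4_HDR + take)
        payload -= take
    return frags


def all_esp_fit(frags: list[int], tunnel_mtu: int, suite: EspSuite) -> bool:
    """True if every cleartext fragment, once encapsulated in ESP, fits the tunnel MTU."""
    return all(esp_packet_len(f, suite) <= tunnel_mtu for f in frags)


if __name__ == "__main__":
    MTU, PKT = 1400, 1500            # assumed tunnel MTU and a full-size inner packet
    for suite in (AES_CBC_HMAC_SHA256, AES_GCM_128):
        before = fragment_before_encryption(PKT, MTU, suite)
        after = fragment_after_encryption(PKT, MTU, suite)
        print(f"{suite.name}: max cleartext {max_inner_len(MTU, suite)} bytes")
        print(f"  before encryption: fragments {before} -> ESP "
              f"{[esp_packet_len(f, suite) for f in before]} (all fit: {all_esp_fit(before, MTU, suite)})")
        print(f"  after encryption:  ESP {esp_packet_len(PKT, suite)} -> IP fragments {after}")
```

The point the model makes is the one the text makes: with the feature on, the per-tunnel MTU is applied to the cleartext with the ESP overhead already subtracted, so every packet leaving the NNI port is a self-contained ESP packet. Without it, the 1500-byte packet becomes a 1564-byte ESP packet (AES-CBC/HMAC) that is then split into IP fragments, of which only the first carries the ESP header.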
The following requirements apply when you implement IPsec fragmentation before encryption:

- You must configure IPsec over Fabric Extend in IPsec decoupled mode, which means the IPsec source and destination IP addresses are different from the Fabric Extend addresses.
- You cannot configure IPsec compression if fragmentation before encryption is already enabled on the tunnel.
A device is in IPsec decoupled mode when IPsec and Fabric Extend (FE) terminate on two different IP addresses, and in IPsec coupled mode when IPsec and FE terminate on the same IP address.
The 5720 Series, 7520 Series, and 7720 Series, which use the Fabric IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only: IPsec terminates in the Fabric IPsec Gateway VM, so you must configure the IPsec tunnel in decoupled mode. For more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on Fabric IPsec Gateway VM.
For more information, see Enable Fragmentation Before Encryption on Fabric IPsec Gateway VM.