IPsec Fragmentation Before Encryption

5720-24MXW and 5720-48MXW switches support IPsec fragmentation before encryption of Fabric Extend tunnels using Fabric IPsec Gateway.

The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN.

Configure IPsec fragmentation of the packets to occur before encryption and IPsec encapsulation. Packets are fragmented based on the tunnel maximum transmission unit (MTU) without the IPsec header so that the final packet does not exceed the tunnel MTU. The MTU value is a per tunnel configuration, which means packet fragmentation occurs per tunnel. For a tunnel with this functionality enabled, packets that egress the specific NNI port are encapsulating security payload (ESP) packets only.
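The arithmetic behind that paragraph, as an added example that is not part of the original documentation: the inner packet is fragmented against the tunnel MTU minus the IPsec overhead so that every ESP packet fits the MTU, contrasted with fragmenting the ESP packet after encryption, which leaves the peer reassembling before it can decrypt. The ESP profile (IPv4 outer header, 8-byte IV, 16-byte ICV, 4-byte padding alignment) is a constructed assumption, not a value taken from the product.

```python
# Assumed ESP profile (constructed for this example): ESP tunnel mode over IPv4,
# AES-GCM with an 8-byte IV and 16-byte ICV, payload padded to a 4-byte boundary.
OUTER_IPV4_HDR = 20
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 16
ESP_ALIGN = 4
INNER_IPV4_HDR = 20


def esp_encapsulated_size(inner_len: int) -> int:
    """Wire size of one inner IPv4 packet after ESP tunnel-mode encapsulation."""
    pad = (-(inner_len + ESP_TRAILER)) % ESP_ALIGN
    return OUTER_IPV4_HDR + ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV


def max_inner_len(tunnel_mtu: int) -> int:
    """Largest inner packet whose encapsulated form still fits the tunnel MTU."""
    inner = tunnel_mtu - (OUTER_IPV4_HDR + ESP_HDR + ESP_IV + ESP_TRAILER + ESP_ICV)
    while esp_encapsulated_size(inner) > tunnel_mtu:
        inner -= 1
    return inner


def fragment_before_encryption(inner_data_len: int, tunnel_mtu: int) -> list[tuple[int, int]]:
    """Fragment the inner packet first (IPv4 rule: non-final fragment data is a multiple
    of 8 bytes), then encapsulate each piece. Returns (inner_len, wire_len) per fragment."""
    per_frag = (max_inner_len(tunnel_mtu) - INNER_IPV4_HDR) // 8 * 8
    out, remaining = [], inner_data_len
    while remaining > 0:
        data = min(per_frag, remaining)
        out.append((INNER_IPV4_HDR + data, esp_encapsulated_size(INNER_IPV4_HDR + data)))
        remaining -= data
    return out


def fragment_after_encryption(inner_data_len: int, tunnel_mtu: int) -> list[int]:
    """Encapsulate the whole packet, then IP-fragment the ESP packet. Only the first
    piece carries the ESP header, so the peer must reassemble before decrypting."""
    esp_len = esp_encapsulated_size(INNER_IPV4_HDR + inner_data_len)
    if esp_len <= tunnel_mtu:
        return [esp_len]
    per_frag = (tunnel_mtu - OUTER_IPV4_HDR) // 8 * 8
    out, remaining = [], esp_len - OUTER_IPV4_HDR
    while remaining > 0:
        data = min(per_frag, remaining)
        out.append(OUTER_IPV4_HDR + data)
        remaining -= data
    return out
```

For a full-size 1500-byte inner packet on a 1500-byte tunnel MTU, fragmenting before encryption yields two complete ESP packets of 1500 and 132 bytes; fragmenting afterwards yields a 1556-byte ESP packet split into IP fragments of 1500 and 76 bytes.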

The following list identifies how you can implement IPsec fragmentation before encryption:

IPsec Decoupled Mode

A device is in IPsec decoupled mode when IPsec and Fabric Extend (FE) termination takes place on two different IP addresses. A device is in IPsec coupled mode when IPsec and Fabric Extend (FE) termination takes place on the same IP address.

The 5720 Series devices, which use Fabric IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on Fabric IPsec Gateway VM.

For more information, see Enable Fragmentation Before Encryption on Fabric IPsec Gateway VM.