IPsec Fragmentation Before Encryption

Table 1. Fabric Extend - IPsec Fragmentation before Encryption product support

| Feature | Product | Release introduced |
| --- | --- | --- |
| IPsec fragmentation before encryption | 5320 Series | Not Supported |
| | 5420 Series | Not Supported |
| | 5520 Series | Not Supported |
| | 5720 Series | Fabric Engine 8.7. Supported on 5720-24MXW and 5720-48MXW. Supported using Fabric IPsec Gateway. |
| | 7520 Series | Fabric Engine 8.10. Supported using Fabric IPsec Gateway. |
| | 7720 Series | Fabric Engine 8.10. Supported using Fabric IPsec Gateway. |
| | VSP 4900 Series | VOSS 8.3.1. Supported on VSP4900-12MXU-12XE and VSP4900-24XE. Supported using Fabric IPsec Gateway. |
| | VSP 7400 Series | VOSS 8.3.1. Supported using Fabric IPsec Gateway. |

The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN.

Configure IPsec fragmentation of the packets to occur before encryption and IPsec encapsulation. Packets are fragmented based on the tunnel maximum transmission unit (MTU) without the IPsec header so that the final packet does not exceed the tunnel MTU. The MTU value is a per-tunnel configuration, which means packet fragmentation occurs per tunnel. For a tunnel with this functionality enabled, packets that egress the specific network-to-network interface (NNI) port are Encapsulating Security Payload (ESP) packets only.
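The size arithmetic behind this behavior, as an added example that is not part of the product documentation: it compares the ESP packet an unfragmented inner packet would produce with the ESP packets produced when the inner packet is fragmented first. It assumes generic ESP tunnel mode over IPv4 with AES-CBC (16-byte IV and block) and a 16-byte ICV; the function names and overhead values are illustrative and are not the platform's actual figures.

```python
# Added illustration: generic ESP tunnel-mode size arithmetic (IPv4).
# Assumed defaults: AES-CBC (16-byte IV and block) with a 16-byte ICV.
# These are not the platform's actual overhead values.
OUTER_IP, ESP_HDR, INNER_IP = 20, 8, 20  # bytes; IPv4 without options

def esp_size(inner_len, iv=16, block=16, icv=16):
    """On-wire size of the ESP packet that carries an inner packet."""
    # ESP trailer: padding + 2 bytes (pad length, next header), block aligned.
    padded = -(-(inner_len + 2) // block) * block
    return OUTER_IP + ESP_HDR + iv + padded + icv

def max_inner(mtu, iv=16, block=16, icv=16):
    """Largest inner packet whose ESP packet still fits in the tunnel MTU."""
    room = mtu - OUTER_IP - ESP_HDR - iv - icv
    return (room // block) * block - 2

def fragment_before_encrypt(inner_len, mtu, **esp):
    """Return inner fragment lengths so that every ESP packet is <= mtu."""
    limit = max_inner(mtu, **esp)
    if inner_len <= limit:
        return [inner_len]
    # Non-final IPv4 fragments carry a multiple of 8 payload bytes.
    chunk = (limit - INNER_IP) // 8 * 8
    if chunk <= 0:
        raise ValueError("tunnel MTU too small for the ESP overhead")
    payload = inner_len - INNER_IP
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(INNER_IP + take)
        payload -= take
    return frags

if __name__ == "__main__":
    mtu = 1500  # constructed sample value
    for inner in (1400, 1500, 9000):
        frags = fragment_before_encrypt(inner, mtu)
        wire = [esp_size(f) for f in frags]
        print(f"inner={inner} unfragmented ESP={esp_size(inner)} "
              f"-> fragments={frags} ESP sizes={wire}")
```

With these assumed values, a 1500-byte inner packet encrypted whole would need a 1564-byte ESP packet, which the outer IP layer would have to fragment after encryption; fragmenting first yields two complete ESP packets that each fit the tunnel MTU.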

Note

You cannot configure IPsec compression if fragmentation before encryption is already enabled.

For more information, see Enable Fragmentation Before Encryption on Fabric IPsec Gateway VM.