| Feature | Product | Release introduced |
|---|---|---|
| IPsec fragmentation before encryption | 5320 Series | Not Supported |
| | 5420 Series | Not Supported |
| | 5520 Series | Not Supported |
| | 5720 Series | Fabric Engine 8.7; supported on 5720-24MXW and 5720-48MXW; supported using Fabric IPsec Gateway |
| | 7520 Series | Fabric Engine 8.10; supported using Fabric IPsec Gateway |
| | 7720 Series | Fabric Engine 8.10; supported using Fabric IPsec Gateway |
| | VSP 4900 Series | VOSS 8.3.1; supported on VSP4900-12MXU-12XE and VSP4900-24XE; supported using Fabric IPsec Gateway |
| | VSP 7400 Series | VOSS 8.3.1; supported using Fabric IPsec Gateway |

The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN.
Configure IPsec fragmentation of the packets to occur before encryption and IPsec encapsulation. Packets are fragmented based on the tunnel maximum transmission unit (MTU) without the IPsec header, so that the final packet does not exceed the tunnel MTU. The MTU value is a per-tunnel configuration, which means packet fragmentation occurs per tunnel. For a tunnel with this functionality enabled, packets that egress the specific network-to-network interface (NNI) port are Encapsulating Security Payload (ESP) packets only.
Note
You cannot configure IPsec compression if fragmentation before encryption is already enabled.
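
The sizing described above, worked through as an added example (not Extreme's code or CLI). It assumes ESP tunnel mode over IPv4 with AES-GCM framing (8-byte IV, 16-byte ICV, 4-byte alignment), no NAT-T, and a constructed tunnel MTU of 1400 bytes; all function names are hypothetical.

```python
IPV4_HDR = 20     # IPv4 header without options (assumed)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header

def esp_packet_len(inner_len, iv_len=8, icv_len=16, block=4):
    """Size of the outer IPv4 packet after ESP tunnel-mode encapsulation."""
    # Inner packet plus trailer is padded up to the alignment boundary.
    padded = (inner_len + ESP_TRAILER + block - 1) // block * block
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len

def max_inner_len(tunnel_mtu, **esp):
    """Largest inner packet whose ESP form still fits in tunnel_mtu."""
    n = tunnel_mtu
    while esp_packet_len(n, **esp) > tunnel_mtu:
        n -= 1
    return n

def fragment_before_encryption(inner_len, tunnel_mtu, **esp):
    """Fragment the inner IPv4 packet first, then encapsulate each fragment.
    Returns a list of (fragment_offset, fragment_len, esp_packet_len)."""
    limit = max_inner_len(tunnel_mtu, **esp)
    if inner_len <= limit:
        return [(0, inner_len, esp_packet_len(inner_len, **esp))]
    # Every fragment except the last carries a multiple of 8 payload bytes.
    chunk = (limit - IPV4_HDR) // 8 * 8
    payload, out, off = inner_len - IPV4_HDR, [], 0
    while off < payload:
        size = min(chunk, payload - off)
        frag_len = IPV4_HDR + size
        out.append((off, frag_len, esp_packet_len(frag_len, **esp)))
        off += size
    return out

if __name__ == "__main__":
    mtu, inner = 1400, 1500   # constructed sample values
    # Encrypting first yields one ESP packet larger than the tunnel MTU,
    # which would then have to be fragmented after encapsulation.
    print("encrypt first:", esp_packet_len(inner), "bytes on the wire")
    # Fragmenting first yields only complete ESP packets within the MTU.
    for off, flen, wire in fragment_before_encryption(inner, mtu):
        print(f"offset={off:4d} inner={flen:4d} esp={wire:4d} fits={wire <= mtu}")
```

With other transforms the overhead changes; pass the matching `iv_len`, `icv_len` and `block` values for the cipher suite in use on the tunnel.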
For more information, see Enable Fragmentation Before Encryption on Fabric IPsec Gateway VM.