IPsec Fragmentation Before Encryption

Table 1. Fabric Extend - IPsec Fragmentation before Encryption product support

| Feature | Product | Release introduced |
|---|---|---|
| IPsec fragmentation before encryption | 5320 Series | Not Supported |
| IPsec fragmentation before encryption | 5420 Series | Not Supported |
| IPsec fragmentation before encryption | 5520 Series | Not Supported |
| IPsec fragmentation before encryption | 5720 Series | Fabric Engine 8.7 (5720-24MXW and 5720-48MXW using Fabric IPsec Gateway) |
| IPsec fragmentation before encryption | 7520 Series | Fabric Engine 8.10 using Fabric IPsec Gateway |
| IPsec fragmentation before encryption | 7720 Series | Fabric Engine 8.10 using Fabric IPsec Gateway |
| IPsec fragmentation before encryption | VSP 4450 Series | Not Supported |
| IPsec fragmentation before encryption | VSP 4900 Series | VOSS 8.3.1 (VSP4900-12MXU-12XE and VSP4900-24XE using Fabric IPsec Gateway) |
| IPsec fragmentation before encryption | VSP 7200 Series | Not Supported |
| IPsec fragmentation before encryption | VSP 7400 Series | VOSS 8.3.1 using Fabric IPsec Gateway |
| IPsec fragmentation before encryption | VSP 8200 Series | Not Supported |
| IPsec fragmentation before encryption | VSP 8400 Series | Not Supported |
| IPsec fragmentation before encryption | VSP 8600 Series | Not Supported |
| IPsec fragmentation before encryption | XA1400 Series | VOSS 8.2.7 |

XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec fragmentation before encryption of Fabric Extend tunnels; VSP 4900 Series and VSP 7400 Series provide that support using Fabric IPsec Gateway.

The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN.

Configure IPsec fragmentation so that packets are fragmented before encryption and IPsec encapsulation. Packets are fragmented based on the tunnel maximum transmission unit (MTU) minus the IPsec header, so that the final encrypted packet does not exceed the tunnel MTU. The MTU value is a per-tunnel configuration, which means packet fragmentation occurs per tunnel. For a tunnel with this functionality enabled, packets that egress the specific NNI port are encapsulating security payload (ESP) packets only; no post-encryption IP fragments are sent.
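As an added illustration (not code from this page or from Extreme Networks), the following Python model shows the sizing described above: the inner packet is split so that each fragment plus the ESP overhead fits the tunnel MTU, and the result is contrasted with fragmenting after encryption. The ESP overhead figures (tunnel-mode ESP with a 16-byte AES-CBC IV and a 12-byte truncated ICV) are assumptions for the example, not values taken from the page.

```python
import math

# Assumed ESP tunnel-mode overhead (constructed for this illustration, not from the page):
OUTER_IP = 20   # outer IPv4 header
ESP_HDR = 8     # SPI + sequence number
IV = 16         # AES-CBC IV
TRAILER = 2     # pad length + next header
ICV = 12        # truncated HMAC ICV
BLOCK = 16      # cipher block size (padding unit)
INNER_IP = 20   # inner IPv4 header carried inside ESP (no options)

def esp_packet_size(inner_len: int) -> int:
    """On-wire size of one ESP packet carrying an inner packet of inner_len bytes."""
    enc = math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK  # plaintext + trailer, padded
    return OUTER_IP + ESP_HDR + IV + enc + ICV

def max_fragment_payload(tunnel_mtu: int) -> int:
    """Largest inner fragment payload (excluding the inner IP header) whose ESP packet
    still fits tunnel_mtu; non-final IPv4 fragments must carry a multiple of 8 bytes."""
    room = tunnel_mtu - (OUTER_IP + ESP_HDR + IV + ICV)
    enc = (room // BLOCK) * BLOCK           # largest block-aligned ciphertext that fits
    payload = enc - TRAILER - INNER_IP
    if payload < 8:
        raise ValueError("tunnel MTU too small to carry a fragment")
    return payload - payload % 8

def fragment_before_encryption(inner_payload_len: int, tunnel_mtu: int) -> list:
    """Sizes of the ESP packets sent when the inner packet is fragmented first:
    every egress packet is a complete ESP packet no larger than the tunnel MTU."""
    step = max_fragment_payload(tunnel_mtu)
    sizes, remaining = [], inner_payload_len
    while remaining > 0:
        chunk = min(step, remaining)
        sizes.append(esp_packet_size(INNER_IP + chunk))
        remaining -= chunk
    return sizes

def fragment_after_encryption(inner_payload_len: int, tunnel_mtu: int) -> list:
    """Contrast case: encrypt the whole packet, then IP-fragment the ESP packet.
    Only the first piece carries the ESP header; the peer must reassemble before
    it can decrypt, and the trailing pieces are plain IP fragments, not ESP packets."""
    body = esp_packet_size(INNER_IP + inner_payload_len) - OUTER_IP
    per_frag = (tunnel_mtu - OUTER_IP) // 8 * 8
    sizes = []
    while body > 0:
        chunk = min(per_frag, body)
        sizes.append(OUTER_IP + chunk)
        body -= chunk
    return sizes
```

With a 1500-byte tunnel MTU and these overheads, a 3000-byte inner payload becomes three complete ESP packets of 1496, 1496 and 248 bytes, whereas encrypting first yields one 3080-byte ESP packet that the path must split into three IP fragments.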

The following list identifies how you can implement IPsec fragmentation before encryption:

IPsec Coupled and Decoupled Mode

A device is in IPsec decoupled mode when IPsec and Fabric Extend (FE) termination takes place on two different IP addresses. A device is in IPsec coupled mode when IPsec and Fabric Extend (FE) termination takes place on the same IP address.

The XA1400 Series devices, which use VOSS for Fabric Extend over IPsec, support both IPsec decoupled and coupled modes. The VSP 4900 Series and VSP 7400 Series devices, which use Fabric IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on Fabric IPsec Gateway VM.

For more information, see the following tasks: