Feature | Product | Release introduced
---|---|---
IPsec fragmentation before encryption | 5320 Series | Not Supported
 | 5420 Series | Not Supported
 | 5520 Series | Not Supported
 | 5720 Series | Fabric Engine 8.7 5720-24MXW and 5720-48MXW using Fabric IPsec Gateway
 | 7520 Series | Fabric Engine 8.10 using Fabric IPsec Gateway
 | 7720 Series | Fabric Engine 8.10 using Fabric IPsec Gateway
 | VSP 4450 Series | Not Supported
 | VSP 4900 Series | VOSS 8.3.1 VSP4900-12MXU-12XE and VSP4900-24XE using Fabric IPsec Gateway
 | VSP 7200 Series | Not Supported
 | VSP 7400 Series | VOSS 8.3.1 using Fabric IPsec Gateway
 | VSP 8200 Series | Not Supported
 | VSP 8400 Series | Not Supported
 | VSP 8600 Series | Not Supported
 | XA1400 Series | VOSS 8.2.7

XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec fragmentation before encryption of Fabric Extend tunnels; VSP 4900 Series and VSP 7400 Series provide that support using Fabric IPsec Gateway.
The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN.
Configure IPsec fragmentation of the packets to occur before encryption and IPsec encapsulation. Packets are fragmented based on the tunnel maximum transmission unit (MTU) without the IPsec header so that the final packet does not exceed the tunnel MTU. The MTU value is a per tunnel configuration, which means packet fragmentation occurs per tunnel. For a tunnel with this functionality enabled, packets that egress the specific NNI port are encapsulating security payload (ESP) packets only.
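The following model, added here as an illustration and not taken from any Fabric Extend product, shows why the fragment size is derived from the tunnel MTU minus the IPsec overhead: fragmenting before encryption yields egress packets that are each a complete ESP packet within the MTU, whereas fragmenting an already encapsulated packet leaves non-initial fragments that carry no ESP header. All header and overhead sizes (IPv4, an AES-CBC-style IV, 16-byte ICV) are assumptions chosen for the example.

```python
# Constructed model of IPsec fragmentation before encryption versus IP
# fragmentation after ESP encapsulation. Overhead sizes are illustrative
# assumptions (IPv4 without options, 16-byte IV and ICV), not vendor values.
IPV4_HDR, ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV = 20, 8, 16, 2, 16
BLOCK = 16       # cipher block size that ESP padding must align to
FRAG_ALIGN = 8   # IPv4 fragment offsets are counted in 8-byte units


def esp_size(inner_len):
    """Outer IPv4 + ESP size when an inner packet of inner_len is encapsulated."""
    pad = (-(inner_len + ESP_TRAILER)) % BLOCK
    return IPV4_HDR + ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV


def max_inner_packet(tunnel_mtu):
    """Largest inner packet whose ESP encapsulation still fits the tunnel MTU,
    with its payload trimmed to an 8-byte fragment boundary."""
    n = tunnel_mtu
    while esp_size(n) > tunnel_mtu:
        n -= 1
    return IPV4_HDR + ((n - IPV4_HDR) // FRAG_ALIGN) * FRAG_ALIGN


def _ip_fragments(total_len, max_len):
    """Split an IPv4 packet into fragments of at most max_len bytes each."""
    step = ((max_len - IPV4_HDR) // FRAG_ALIGN) * FRAG_ALIGN
    payload, sizes = total_len - IPV4_HDR, []
    while payload > 0:
        chunk = min(step, payload)
        sizes.append(IPV4_HDR + chunk)
        payload -= chunk
    return sizes


def fragment_before_encryption(inner_len, tunnel_mtu):
    """Fragment against the tunnel MTU minus IPsec overhead, then encapsulate
    each piece. Returns (egress_size, is_complete_esp_packet) per packet."""
    limit = max_inner_packet(tunnel_mtu)
    return [(esp_size(f), True) for f in _ip_fragments(inner_len, limit)]


def fragment_after_encryption(inner_len, tunnel_mtu):
    """Encapsulate first, then IP-fragment the oversized ESP packet. Only the
    first fragment carries the ESP header; the rest are bare IP fragments."""
    sizes = _ip_fragments(esp_size(inner_len), tunnel_mtu)
    return [(s, i == 0) for i, s in enumerate(sizes)]


def fits_tunnel(egress, tunnel_mtu):
    """True when every egress packet is within the tunnel MTU."""
    return all(size <= tunnel_mtu for size, _ in egress)
```

With a 1500-byte inner packet and a 1500-byte tunnel MTU, the pre-encryption path emits two ESP packets (1500 and 156 bytes), while the post-encryption path emits one ESP packet plus an 84-byte IP fragment that a stateless filter has no ESP header to match on.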
The following list identifies how you can implement IPsec fragmentation before encryption:

- You can configure IPsec fragmentation before encryption for each logical interface.
- You must configure IPsec over Fabric Extend in IPsec decoupled mode, which means the IPsec source and destination IP addresses are different from the Fabric Extend addresses.
- You cannot configure IPsec compression if fragmentation before encryption is already enabled on the logical interface.

A device is in IPsec decoupled mode when IPsec and Fabric Extend (FE) termination takes place on two different IP addresses. A device is in IPsec coupled mode when IPsec and Fabric Extend (FE) termination takes place on the same IP address.
The XA1400 Series devices, which use VOSS for Fabric Extend over IPsec, support both IPsec decoupled and coupled modes. The VSP 4900 Series and VSP 7400 Series devices, which use Fabric IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on Fabric IPsec Gateway VM.
For more information, see the following tasks: