IPsec Fragmentation Before Encryption

XA1400 Series, VSP 4900 Series, and VSP 7400 Series switches support IPsec fragmentation before encryption of Fabric Extend tunnels; VSP 4900 Series and VSP 7400 Series provide that support using Fabric IPsec Gateway.

The best practice is to enable fragmentation before encryption only for an IPsec adjacency over a WAN.

Configure IPsec fragmentation so that packets are fragmented before encryption and IPsec encapsulation. Packets are fragmented against the tunnel maximum transmission unit (MTU) less the IPsec header overhead, so that each fragment, once encapsulated, does not exceed the tunnel MTU. The MTU value is a per-tunnel configuration, so the fragmentation decision is made per tunnel. On a tunnel with this functionality enabled, every packet that egresses the specific NNI port is a complete Encapsulating Security Payload (ESP) packet, rather than an IP fragment of a larger ESP packet.
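The following Python model is an added example and is not part of the Extreme Networks documentation or the VOSS implementation. It shows the arithmetic behind "fragment against the tunnel MTU without the IPsec header": the largest inner packet whose ESP encapsulation still fits a given tunnel MTU is derived from the assumed overhead of tunnel-mode ESP over IPv4 (outer IPv4 header, SPI and sequence number, IV, trailer padding, pad-length and next-header bytes, and ICV), and the contrasting fragment-after-encryption case shows why only the first fragment would carry an ESP header. The cipher suites, their IV and ICV sizes, and the 1500-byte MTU are assumptions chosen for illustration.

```python
# Added example, not from the Extreme Networks documentation: a model of why
# fragmenting BEFORE ESP encapsulation keeps every packet leaving the NNI port
# a complete ESP packet that fits the tunnel MTU. Header and trailer sizes are
# assumptions for tunnel-mode ESP over IPv4 with the two suites defined below.
from dataclasses import dataclass

OUTER_IPV4_HDR = 20   # outer IPv4 header added by tunnel-mode ESP (no options)
INNER_IPV4_HDR = 20   # inner IPv4 header repeated in each pre-encryption fragment
ESP_SPI_SEQ = 8       # ESP header: SPI (4 bytes) + sequence number (4 bytes)


@dataclass(frozen=True)
class EspSuite:
    """Per-suite ESP overhead: IV length, ICV length, and the alignment that
    (payload + pad + 2) bytes must satisfy for the ESP trailer padding."""
    name: str
    iv_len: int
    icv_len: int
    align: int


# Assumed suites; sizes follow RFC 4106 (AES-GCM) and RFC 3602 / RFC 4868
# (AES-CBC with HMAC-SHA-256-128).
AES_GCM_128 = EspSuite("AES-GCM-128", iv_len=8, icv_len=16, align=4)
AES_CBC_128_SHA256 = EspSuite("AES-CBC-128/HMAC-SHA-256-128", iv_len=16, icv_len=16, align=16)


def esp_packet_len(inner_len: int, suite: EspSuite) -> int:
    """On-the-wire length of a tunnel-mode ESP packet carrying an inner IP
    packet of inner_len bytes."""
    pad = (-(inner_len + 2)) % suite.align          # ESP trailer padding
    return (OUTER_IPV4_HDR + ESP_SPI_SEQ + suite.iv_len
            + inner_len + pad + 2 + suite.icv_len)   # +2: pad length + next header


def max_inner_len(tunnel_mtu: int, suite: EspSuite) -> int:
    """Largest inner IP packet whose ESP encapsulation still fits tunnel_mtu.
    esp_packet_len is non-decreasing in inner_len, so a downward scan suffices."""
    n = tunnel_mtu
    while n > 0 and esp_packet_len(n, suite) > tunnel_mtu:
        n -= 1
    return n


def fragment_before_encryption(inner_len: int, tunnel_mtu: int, suite: EspSuite) -> list[tuple[int, int]]:
    """Fragmentation before encryption: split the inner IPv4 packet so that each
    fragment, once ESP-encapsulated, fits the tunnel MTU. Returns a list of
    (fragment length, encapsulated length) pairs; every entry is a whole ESP packet."""
    limit = max_inner_len(tunnel_mtu, suite)
    # IPv4 fragment payloads (all but the last) must be a multiple of 8 bytes.
    per_frag = (limit - INNER_IPV4_HDR) // 8 * 8
    if per_frag <= 0:
        raise ValueError("tunnel MTU too small for this suite")
    remaining = inner_len - INNER_IPV4_HDR
    frags = []
    while remaining > 0:
        chunk = min(per_frag, remaining)
        frag_len = INNER_IPV4_HDR + chunk
        frags.append((frag_len, esp_packet_len(frag_len, suite)))
        remaining -= chunk
    return frags


def fragment_after_encryption(inner_len: int, tunnel_mtu: int, suite: EspSuite) -> list[int]:
    """Contrast case: encrypt the whole packet, then IP-fragment the oversized ESP
    packet. Only the first fragment carries the SPI and sequence number; the
    rest are bare IP fragments of ciphertext that the far end must reassemble
    before it can decrypt anything."""
    esp_len = esp_packet_len(inner_len, suite)
    if esp_len <= tunnel_mtu:
        return [esp_len]
    per_frag = (tunnel_mtu - OUTER_IPV4_HDR) // 8 * 8
    remaining = esp_len - OUTER_IPV4_HDR
    out = []
    while remaining > 0:
        chunk = min(per_frag, remaining)
        out.append(OUTER_IPV4_HDR + chunk)
        remaining -= chunk
    return out


if __name__ == "__main__":
    mtu = 1500  # assumed tunnel MTU
    for suite in (AES_GCM_128, AES_CBC_128_SHA256):
        print(suite.name, "max inner packet:", max_inner_len(mtu, suite))
        print("  before encryption:", fragment_before_encryption(1500, mtu, suite))
        print("  after encryption: ", fragment_after_encryption(1500, mtu, suite))
```

With a 1500-byte inner packet and a 1500-byte tunnel MTU, the before-encryption path yields two inner fragments that encapsulate to 1500 and 132 bytes under the assumed AES-GCM-128 suite, both complete ESP packets; the after-encryption path yields a 1556-byte ESP packet that must be split into a 1500-byte first fragment and a 76-byte trailing fragment without an ESP header. Because the ICV and padding differ per suite, the usable inner size is suite-dependent, which is why the tunnel MTU is configured per tunnel.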

The following list identifies how you can implement IPsec fragmentation before encryption:

IPsec Coupled and Decoupled Mode

A device is in IPsec decoupled mode when IPsec termination and Fabric Extend (FE) termination take place on two different IP addresses. A device is in IPsec coupled mode when IPsec termination and FE termination take place on the same IP address.

The XA1400 Series devices, which use VOSS for Fabric Extend over IPsec, support both IPsec decoupled and coupled modes. The VSP 4900 Series and VSP 7400 Series devices, which use Fabric IPsec Gateway for Fabric Extend over IPsec, support IPsec in decoupled mode only. You must configure the IPsec tunnel in decoupled mode to enable IPsec termination in the Fabric IPsec Gateway VM. For more information about how to configure IPsec tunnels on the VM, see Configure IPsec Tunnels on Fabric IPsec Gateway VM.

For more information, see the following tasks: