Cisco - Resolving IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPsec (6)

2020-05-24 10:30


There are three things that can break PMTUD, two of which are uncommon and one of which is common.

• The router can drop the packet and not send an ICMP message. (Uncommon)

• The router can generate and send the ICMP message, but the ICMP message gets blocked by a router or firewall between this router and the sender. (Common)

• The router can generate and send the ICMP message, but the sender ignores the message. (Uncommon)

The first and last of the three are uncommon and are usually the result of an error, but the middle one describes a common problem. People who implement ICMP packet filters tend to block all ICMP message types rather than only blocking certain ICMP message types. A packet filter can block all ICMP message types except those that are "unreachable" or "time-exceeded". The success or failure of PMTUD hinges on ICMP unreachable messages getting through to the sender of the TCP/IP packet. ICMP time-exceeded messages are important for other IP issues. An example of such a packet filter, implemented on a router, is shown below.

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit ip any any
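To make the dependency on ICMP concrete, here is an added Python simulation (it is not part of the Cisco document) of a sender with DF set probing a path of routers. Each hop has an outbound MTU, a flag for whether it generates ICMP "fragmentation needed" (type 3, code 4) when it must drop an oversized DF packet, and a filter it applies to ICMP travelling back toward the sender; acl_101_permits mirrors the decision logic of the four-line access list above, while deny_all_icmp is the over-broad filter the text warns about. The three ways PMTUD breaks map onto sends_icmp=False, a deny-all return filter, and sender_honors_icmp=False. Hop names, MTUs and filter placement are constructed sample values.

```python
"""Toy PMTUD simulation (added example, not from the Cisco document).

A DF-marked sender shrinks its packets in response to ICMP 'fragmentation
needed' replies until a size crosses every hop. Hop names, MTUs and filter
placement are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ICMP_UNREACHABLE = 3      # ICMP type 3; 'fragmentation needed' is code 4 of this type
ICMP_TIME_EXCEEDED = 11


def acl_101_permits(proto: str, icmp_type: Optional[int] = None) -> bool:
    """Decision logic of access-list 101 from the text: permit ICMP unreachable
    and time-exceeded, deny every other ICMP type, permit all other IP."""
    if proto == "icmp":
        return icmp_type in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED)
    return True


def deny_all_icmp(proto: str, icmp_type: Optional[int] = None) -> bool:
    """The over-broad filter the text warns about: blocks every ICMP type."""
    return proto != "icmp"


@dataclass
class Hop:
    name: str
    mtu: int                        # MTU of this hop's outbound link toward the receiver
    sends_icmp: bool = True         # False models a router that drops DF packets silently
    # Filter this hop applies to ICMP travelling back toward the sender.
    return_filter: Callable[[str, Optional[int]], bool] = acl_101_permits


def pmtud(hops: List[Hop], initial_size: int, sender_honors_icmp: bool = True,
          max_rounds: int = 16) -> Tuple[Optional[int], List[str]]:
    """Send DF-marked packets of decreasing size until one crosses every hop.

    Returns (discovered path MTU, event log). The MTU is None when PMTUD is
    broken, i.e. the connection would black-hole at that packet size."""
    size = initial_size
    events: List[str] = []
    for _ in range(max_rounds):
        for index, hop in enumerate(hops):
            if size <= hop.mtu:
                continue                       # fits; forwarded to the next hop
            if not hop.sends_icmp:             # case 1: silent drop, no ICMP
                events.append(f"{hop.name} dropped {size}B packet without ICMP")
                return None, events
            # Case 2: the ICMP reply must pass the return-path filter of every
            # router between this hop and the sender.
            for upstream in reversed(hops[:index]):
                if not upstream.return_filter("icmp", ICMP_UNREACHABLE):
                    events.append(f"{hop.name} sent ICMP frag-needed (MTU {hop.mtu}); "
                                  f"{upstream.name} blocked it")
                    return None, events
            if not sender_honors_icmp:         # case 3: sender ignores the message
                events.append(f"sender ignored ICMP frag-needed from {hop.name}")
                return None, events
            events.append(f"{hop.name}: ICMP frag-needed, next-hop MTU {hop.mtu}; "
                          f"sender retries with {hop.mtu}B packets")
            size = hop.mtu
            break                              # retry the whole path at the smaller size
        else:
            events.append(f"delivered at {size}B")
            return size, events
    return None, events


if __name__ == "__main__":
    path = [Hop("A", 1500), Hop("B", 1500, return_filter=deny_all_icmp), Hop("C", 1400)]
    for line in pmtud(path, 1500)[1]:
        print(line)
```

Running the block prints the event log for a path where Router B filters all ICMP, so the frag-needed message from Router C never reaches the sender; swapping B's filter back to acl_101_permits lets the sender discover the 1400-byte path MTU.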

There are other techniques that can be used to help alleviate the problem of ICMP being completely blocked.

• Clear the DF bit on the router and allow fragmentation anyway (this may not be a good idea, though; see Issues with IP Fragmentation for more information).

• Manipulate the TCP MSS option value using the interface command ip tcp adjust-mss <500-1460>.

Other techniques can also be used to help work around the problem of ICMP being completely blocked.

• Clear the DF bit on the router and allow fragmentation anyway (although this is not a good approach; see Issues with IP Fragmentation for details).

• Adjust the TCP MSS option value using the interface command ip tcp adjust-mss <500-1460>.

In Scenario 5 below, Router A and Router B are in the same administrative domain. Router C is inaccessible and is blocking ICMP, so PMTUD is broken. A workaround for this situation is to clear the DF bit in both directions on Router B to allow fragmentation. This can be done using policy routing. The syntax to clear the DF bit is available in Cisco IOS® Software Release 12.1(6) and later.

In Scenario 5 below, Router A and Router B are in the same administrative domain. Router C is inaccessible and blocks ICMP, so PMTUD breaks. The workaround for this situation is to clear the DF bit in both directions on Router B to allow fragmentation. This can be done with policy routing. The syntax for clearing the DF bit is available in Cisco IOS® Software Release 12.1(6) and later.

interface serial0
 ...
 ip policy route-map clear-df-bit

route-map clear-df-bit permit 10
 match ip address 111
 set ip df 0

access-list 111 permit tcp any any

Scenario 5 (this number conflicts with the numbering used later)

Another option is to change the TCP MSS option value on SYN packets that traverse the router (available in Cisco IOS 12.2(4)T and later). This reduces the MSS option value in the TCP SYN packet so that it's smaller than the value (1460) in the ip tcp adjust-mss command. The result is that the TCP sender will send segments no larger than this value. The IP packet size will be 40 bytes larger (1500) than the MSS value (1460 bytes) to account for the TCP header (20 bytes) and the IP header (20 bytes).

You can adjust the MSS of TCP SYN packets with the ip tcp adjust-mss command. The following syntax will reduce the MSS value on TCP segments to 1460. This command affects traffic both inbound and outbound on interface serial0.

int s0
 ip tcp adjust-mss 1460

IP fragmentation issues have become more widespread since IP tunnels have become more widely deployed. The reason that tunnels cause more fragmentation is that the tunnel encapsulation adds "overhead" to the size of a packet. For example, adding Generic Router Encapsulation (GRE) adds 24 bytes to a packet, and after this increase the packet may need to be fragmented because it is larger than the outbound MTU. In a later section of this document, you will see examples of the kinds of problems that can arise with tunnels and IP fragmentation.

Another option is to change the TCP MSS option value on SYN packets that pass through this router (available in Cisco IOS 12.2(4)T and later). This reduces the value of the MSS option in the TCP SYN packet so that it is smaller than the value (1460) in the ip tcp adjust-mss command. As a result, the TCP sender sends segments no larger than this value. The IP packet size (1500) is 40 bytes larger than the MSS value (1460 bytes), because it includes the TCP header (20 bytes) and the IP header (20 bytes).

You can adjust the MSS of TCP SYN packets with the ip tcp adjust-mss command. The following syntax reduces the MSS value of TCP segments to 1460. This command affects both inbound and outbound traffic on interface serial0.

int s0
 ip tcp adjust-mss 1460

IP fragmentation problems have become more widespread as IP tunnels have been deployed more widely. The reason tunnels cause more fragmentation is that tunnel encapsulation adds "overhead" to the packet size. For example, adding Generic Router Encapsulation (GRE) adds 24 bytes to a packet; after this increase the packet is larger than the outbound MTU, so it may need to be fragmented. Later in this document you will see examples of the kinds of problems that tunnels and IP fragmentation can cause.
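The following added Python example (written for this page, not Cisco IOS code) does in user space what the ip tcp adjust-mss command does on the router: it parses a constructed IPv4+TCP SYN, lowers the MSS option when it exceeds the configured clamp, and recomputes the TCP checksum so the rewritten segment stays valid. It also derives the clamp from the page's own figures: 40 bytes of IP+TCP headers, 24 bytes of GRE overhead and 8 bytes of PPPoE overhead. The addresses, ports, sequence number and option layout are constructed sample values, and the helper names are this example's own.

```python
"""Model of TCP MSS clamping on a SYN (added example, not from the Cisco document).

The packet bytes are constructed here so the MSS rewrite and the checksum
update can be inspected offline. Addresses, ports and option layout are made up.
"""
import struct

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, as stated in the text
GRE_OVERHEAD = 24     # bytes GRE encapsulation adds to a packet, as stated in the text
PPPOE_OVERHEAD = 8    # bytes PPPoE needs for its header, as stated in the text


def effective_mtu(link_mtu: int, *overheads: int) -> int:
    """Link MTU minus the encapsulation overhead of each layer on the path."""
    return link_mtu - sum(overheads)


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload whose IP packet still fits the given MTU."""
    return mtu - IP_TCP_HEADERS


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 style checksum over 16-bit words, with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) and segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment)


def _tcp_options(tcp: bytes):
    """Yield (offset, kind, length) for each option in a TCP header."""
    end = (tcp[12] >> 4) * 4                   # data offset, in bytes
    i = 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                           # end of option list
            return
        if kind == 1:                           # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            raise ValueError("malformed TCP option")
        yield i, kind, tcp[i + 1]
        i += tcp[i + 1]


def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed IPv4 (DF set) + TCP SYN carrying MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, data_offset << 4,
                      0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def read_mss(packet: bytes):
    """Return the MSS option value of the segment, or None if it carries none."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    for off, kind, length in _tcp_options(tcp):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def tcp_checksum_ok(packet: bytes) -> bool:
    """A valid segment sums to zero when the stored checksum is included."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def adjust_mss(packet: bytes, clamp: int) -> bytes:
    """Lower the SYN's MSS option to `clamp` when it is larger, then fix the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                      # only SYN segments carry an MSS option
        return packet
    for off, kind, length in _tcp_options(bytes(tcp)):
        if kind == 2 and length == 4 and struct.unpack_from("!H", tcp, off + 2)[0] > clamp:
            struct.pack_into("!H", tcp, off + 2, clamp)
    tcp[16:18] = b"\x00\x00"                    # zero before recomputing, as the sender did
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1460)
    clamp = mss_for_mtu(effective_mtu(1500, GRE_OVERHEAD))
    clamped = adjust_mss(syn, clamp)
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

With an Ethernet MTU of 1500 and GRE in the path, effective_mtu gives 1476 and mss_for_mtu gives 1436, so a SYN advertising 1460 is rewritten to 1436 while a SYN already at or below the clamp passes through byte-for-byte unchanged; the same arithmetic with PPPOE_OVERHEAD yields the 1492-byte effective MTU mentioned later in the document.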


8. Common Network Topologies That Need PMTUD

PMTUD is needed in network situations where intermediate links have smaller MTUs than the MTU of the end links. Some common reasons for the existence of these smaller MTU links are:

• Token Ring (or FDDI)-connected end hosts with an Ethernet connection between them. The Token Ring (or FDDI) MTUs at the ends are greater than the Ethernet MTU in the middle.

• PPPoE (often used with ADSL) needs 8 bytes for its header. This reduces the effective MTU of the Ethernet to 1492 (1500 - 8).

• Tunneling protocols like GRE, IPsec, and L2TP also need space for their respective headers and trailers. This also reduces the effective MTU of the outgoing interface.

In the following sections we will study the impact of PMTUD where a tunneling protocol is used somewhere between the two end hosts. Of the three cases above this case is the most complex, covering all of the issues that you might see in the other cases.

PMTUD is needed in network environments where the MTU of the intermediate links is smaller than the MTU of the end links. Some common reasons for these smaller-MTU links are:

• End hosts connected to Token Ring (or FDDI) with an Ethernet connection between them. The Token Ring (or FDDI) MTU at the ends is greater than the Ethernet MTU in the middle.

• PPPoE (often used with ADSL) needs 8 bytes for its header. This reduces the effective MTU of the Ethernet to 1492 (1500 - 8).

• Tunneling protocols (such as GRE, IPsec and L2TP) also need space for their respective headers and trailers. This also reduces the effective MTU of the outgoing interface.

In the following sections we will study the impact on PMTUD when a tunneling protocol is used somewhere between the two end hosts. Of the three cases above, this one is the most complex; it covers all of the problems you might see in the other cases.
