Contributor
Robbie
Posts: 269
Registered: ‎06-07-2011

MSS for GRE

I built a GRE tunnel with a 3rd party on an M7i.

Interface ge0/0/0 is the interface which faces outside.

How do I configure MSS on this M7i?

On the whole router or under an interface?

JNCIE-SP/JNCIP-SEC/CCNP
Distinguished Expert
aarseniev
Posts: 1,722
Registered: ‎08-21-2009

Re: MSS for GRE

Hello,

You will need an ASM module, AS-PIC or MS-PIC to be able to adjust TCP MSS on an M7i router.

The config example is here:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24352&cat=MX960_1&actp=LIST

HTH

Rgds

Alex

 

___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Contributor
Robbie
Posts: 269
Registered: ‎06-07-2011

Re: MSS for GRE

 

I am confused by the config in the link.

Do I need to configure all 5 steps in the link?

Would you like to give me a real example?

ge0/0/0 is the interface which is used as the tunnel source.

The tunnel interface is gr1/2/0.

JNCIE-SP/JNCIP-SEC/CCNP
Distinguished Expert
aarseniev
Posts: 1,722
Registered: ‎08-21-2009

Re: MSS for GRE

Hello,

You can skip step #3 if you are not using VRF/routing-instances.

Otherwise yes, all 5 steps are necessary.

Thanks

Alex

Contributor
Robbie
Posts: 269
Registered: ‎06-07-2011

Re: MSS for GRE

1: service-interface sp-8/1/0.1; What is this interface?

Should I configure this?

2:

stateful-firewall {
    rule Permit-all {
        match-direction input-output;
        term 1 {
            then {
                accept;
            }
        }
    }
}

I permit in both directions,

but here

service {
    input {
        service-set tcp-mss service-filter mss-filter;
    }
    output {
        service-set tcp-mss service-filter mss-filter;
    }
}

Why should we enable the service set in both the input and output directions?

JNCIE-SP/JNCIP-SEC/CCNP
Distinguished Expert
aarseniev
Posts: 1,722
Registered: ‎08-21-2009

Re: MSS for GRE

Hello,

 


robert cao wrote:

1: service-interface sp-8/1/0.1; What is this interface?

Should I configure this?

On M7i:

- If you have an ASM module, you should configure sp-1/2/0.

- If you have an AS-PIC or MS-PIC in any other slot, you should configure sp-0/<PICslot>/0.

- If you have neither, then TCP MSS adjust is not possible on M7i.

 


robert cao wrote:

2:

stateful-firewall {
    rule Permit-all {
        match-direction input-output;
        term 1 {
            then {
                accept;
            }
        }
    }
}

I permit in both directions,

but here

service {
    input {
        service-set tcp-mss service-filter mss-filter;
    }
    output {
        service-set tcp-mss service-filter mss-filter;
    }
}

Why should we enable the service set in both the input and output directions?

You must configure an SFW rule and use the "input-output" direction to allow the traffic flows to be established bidirectionally.

You must configure the service-filter as above and apply it to both "input" and "output" interface-style service-sets because TCP MSS needs to be adjusted in both SYN and SYN-ACK.

HTH

Rgds

Alex
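
Why the adjustment has to happen in both directions, as an added example that is not part of the thread, the KB article or Junos itself: each end advertises its own MSS, one in the SYN and the other in the SYN-ACK, so both segments have to be rewritten. The sketch assumes a 1500-byte link MTU, IPv4 with a basic 4-byte GRE header, and hypothetical function names; the sample segments are constructed.

```python
import struct

GRE_OVERHEAD = 24    # assumed: outer IPv4 header (20) + basic GRE header (4)
INNER_HEADERS = 40   # inner IPv4 (20) + TCP (20) headers, no options

def gre_mss(link_mtu=1500):
    """Largest TCP payload that still fits in one GRE packet on this link."""
    return link_mtu - GRE_OVERHEAD - INNER_HEADERS

def _word_sum(buf, start, end):
    return sum(struct.unpack_from("!H", buf, k)[0] for k in range(start, end, 2))

def _fold(s):
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def checksum(buf):
    """Ones-complement checksum of an even-length buffer (no pseudo-header)."""
    return _fold(_word_sum(buf, 0, len(buf))) ^ 0xFFFF

def clamp_mss(tcp, max_mss):
    """Lower the MSS option of a SYN or SYN-ACK; anything else passes as-is."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if hdr_len < 20 or hdr_len > len(tcp) or not tcp[13] & 0x02:
        return tcp                           # bad header, or SYN flag not set
    out, i = bytearray(tcp), 20
    while i + 1 < hdr_len and out[i] != 0:   # kind 0 ends the option list
        length = 1 if out[i] == 1 else out[i + 1]   # kind 1 (NOP) is one byte
        if out[i] != 1 and (length < 2 or i + length > hdr_len):
            break                            # malformed option: change nothing
        if out[i] == 2 and length == 4:      # kind 2 = MSS, 16-bit value
            if struct.unpack_from("!H", out, i + 2)[0] > max_mss:
                a, e = (i + 2) & ~1, (i + 5) & ~1   # aligned words touched
                old = _word_sum(out, a, e)
                struct.pack_into("!H", out, i + 2, max_mss)
                # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
                delta = (e - a) // 2 * 0xFFFF - old + _word_sum(out, a, e)
                hc = _word_sum(out, 16, 18) ^ 0xFFFF
                struct.pack_into("!H", out, 16, _fold(hc + delta) ^ 0xFFFF)
            break
        i += length
    return bytes(out)

def sample_segment(flags, mss):
    """Constructed 24-byte TCP header with a single MSS option."""
    h = struct.pack("!HHIIBBHHHBBH", 40000, 443, 1, 0, 0x60, flags,
                    65535, 0, 0, 2, 4, mss)
    return h[:16] + struct.pack("!H", checksum(h)) + h[18:]
```

Under these assumptions the clamp value is 1436; a GRE key or sequence number field adds 4 bytes each and lowers it further.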
