Commit cbc1aef

[MT] Tunnel-in-tunnel charts (#17053)
* added tunnel-in-tunnel imgs * refined img
1 parent 776107a commit cbc1aef

3 files changed

+5
-1
lines changed

src/content/partials/magic-transit/mtu-mss/mt-dsr.mdx

Lines changed: 5 additions & 1 deletion
@@ -6,12 +6,16 @@ Asymmetric routing is a common scenario especially with Magic Transit. Ingress t
66

77
In an asymmetric scenario, we want to reduce the MSS value of packets sent by Magic Transit users to the Internet in order to reduce the size of packets sent from the Internet towards their network. To accomplish this, the configuration must be done either on the customer's end-hosts or through an MSS clamp on an intermediary device on the egress path of traffic leaving their network. How MSS values affect payload sizes on both routing paths is detailed below.
88

9-
![A diagram how MSS works with Magic Transit and Direct Server Return.](~/assets/images/magic-transit/mtu-mss/dsr.png)
9+
![A diagram showing how MSS works with Magic Transit and Direct Server Return.](~/assets/images/magic-transit/mtu-mss/dsr.png)
1010

1111
_Key takeaway from the chart above: MSS clamping affects TCP packet payload sizes flowing in the opposite direction vs. where the clamp is applied._
1212

1313
## Tunnel-in-tunnel scenario with Magic Transit
1414

1515
MSS clamping only affects TCP traffic. If, for example, you have a web server on your Magic Transit prefix, then the MSS clamp will take effect on the TCP data from direct server return traffic. However, be aware that you will have to take a different approach for any tunnels inside of your Magic Transit tunnel (tunnel-in-tunnel scenario).
1616

17+
![A diagram showing where the MSS clamp goes with TCP traffic.](~/assets/images/magic-transit/mtu-mss/tcp-mss.png)
18+
1719
For example, if you have a Magic Transit GRE tunnel set up, and then another IPsec or GRE tunnel running from third-party devices on your premises, MSS clamp will have no impact on the outer packets of the encapsulated traffic. This is because MSS clamping affects only TCP traffic, and IPsec/GRE encapsulated traffic is IP. For this scenario, you will have to lower the MTU of the internal tunnel interface further, both for your ingress and egress traffic.
20+
21+
![A diagram showing where the MSS clamp goes with an IPsec tunnel inside a GRE tunnel.](~/assets/images/magic-transit/mtu-mss/ipsec-mss.png)
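
Review bot: The alt text on the last added image (ipsec-mss.png) says the diagram shows "where the MSS clamp goes with an IPsec tunnel inside a GRE tunnel", but the paragraph directly above it states that the MSS clamp has no impact on the outer packets in this scenario and that the MTU of the internal tunnel interface has to be lowered instead. A screen-reader user gets only the alt text, so it should carry the same message as the paragraph; please reword it to say what the diagram shows about the inner tunnel MTU (or about the clamp not applying), whichever matches the image. The two new diagrams also have no takeaway line like the italic one under dsr.png; a one-line caption under each would keep the section consistent and make the point readable without the image.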
