ipsec fragmentation

Use ipsec fragmentation to configure the IPsec fragmentation feature.

Use undo ipsec fragmentation to restore the default.

Syntax

ipsec fragmentation { after-encryption | before-encryption }

undo ipsec fragmentation

Default

The device fragments packets before IPsec encapsulation.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

after-encryption: Fragments packets after IPsec encapsulation.

before-encryption: Fragments packets before IPsec encapsulation.

Usage guidelines

If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface and the DF bit is not set, the device fragments the packet before encapsulation. If the packet's DF bit is set, the device drops the packet and sends an ICMP error message.

If you configure the device to fragment packets after IPsec encapsulation, the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service modules.

Examples

# Configure the device to fragment packets after IPsec encapsulation.

<Sysname>system-view
[Sysname] ipsec fragmentation after-encryption