ipsec fragmentation
Use ipsec fragmentation to configure the IPsec fragmentation feature.
Use undo ipsec fragmentation to restore the default.
Syntax
ipsec fragmentation { after-encryption | before-encryption }
undo ipsec fragmentation
Default
The device fragments packets before IPsec encapsulation.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
after-encryption: Fragments packets after IPsec encapsulation.
before-encryption: Fragments packets before IPsec encapsulation.
Usage guidelines
If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface and the DF bit is not set, the device fragments the packet before encapsulation. If the packet's DF bit is set, the device drops the packet and sends an ICMP error message.
If you configure the device to fragment packets after IPsec encapsulation, the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service modules.
Examples
# Configure the device to fragment packets after IPsec encapsulation.
<Sysname>system-view [Sysname] ipsec fragmentation after-encryption