TCP MSS adjustment filter on VPRN SAP interfaces

The 7705 SAR-Hm series of routers support a configurable filter that adjusts the maximum segment size (MSS) of TCP packets marked with a SYN flag that traverse VPRN SAP interfaces. The MSS adjustment filter prevents upstream and downstream TCP packets from being fragmented.

MSS adjustment is performed by the virtualized integrated BB ISA MDA when an IP filter is enabled with the action tcp-mss-adjust command. The filter can be applied on a VPRN SAP interface in the ingress direction, egress direction, or both directions. Both IPv4 and IPv6 filters are supported. For information about the virtualized BB ISA MDA, see the 7705 SAR-Hm Interface Configuration Guide, "Chassis IOM and MDAs".

To configure a TCP MSS adjustment filter on a VPRN SAP interface:

  1. Create a NAT group that will be used for MSS adjustment.

    The following CLI output is an example of the creation of a NAT group on the virtualized integrated BB ISA MDA in slot 1/6.

    config
       card 1
            mda 6 
                mda-type isa-bb-v
                no shutdown
            exit
            no shutdown
        exit
    
    configure
        isa
            nat-group 1 create
                active-mda-limit 1
                mda 1/6
                no shutdown
            exit
    
  2. Associate the NAT group with a routing instance and configure the MSS value as shown in the following example.

    config
        service
            vprn services-id
                mss-adjust-group 1 segment-size 1352
    
  3. Create ingress or egress IP filters that perform TCP MSS adjustment.

    The following example shows the configuration of IPv4 filters and IPv6 filters that perform TCP MSS adjustment at ingress and egress.

    configure
        filter
            ip-filter 1 name "1" create
                default-action forward
                description "Ingress"
                entry 1 create
                    match protocol tcp
                        tcp-syn true
                    exit
                    action
                        tcp-mss-adjust
                    exit
                exit
            exit
            ip-filter 2 name "2" create
                default-action forward
                description "Egress"
                entry 1 create
                    match protocol tcp
                        tcp-syn true
                    exit
                    action
                        tcp-mss-adjust
                    exit
                    egress-pbr default-load-balancing
                exit
            exit
            ipv6-filter 1 name "3" create
                default-action forward
                description "Ingress"
                entry 1 create 
                    match next-header tcp
                        tcp-syn true
                    exit
                    action
                        tcp-mss-adjust
                    exit
                exit
            exit
            ipv6-filter 2 name "4" create
                default-action forward
                description "Egress"
                entry 1 create
                    match next-header tcp
                        tcp-syn true
                    exit
                    action
                        tcp-mss-adjust
                    exit
                    egress-pbr default-load-balancing
                exit
            exit
        exit
    
  4. Apply the filters that perform TCP MSS adjustment to the VPRN SAP interface. The filters can be applied in the ingress direction, egress direction, or both directions. In the following example, the filters are applied in both the ingress and egress directions.

    config
        service
            vprn service-id 
                interface "int1_vprn1" create
                    address 10.10.1.1/24
                    sap 1/2/3 create
                        ingress
                            filter ip 1
                        exit
                        egress
                            filter ip 2
                        exit
                    exit
                exit
            exit
            vprn service-id2 
                interface "int1_vprn2" create
                    ipv6
                        address 10:1::1/32
                        neighbor 10:1::2 00:02:01:00:00:01
                    exit
                    sap 1/2/3:1 create
                        ingress
                            filter ipv6 3
                        exit
                        egress
                            filter ipv6 4
                        exit
                    exit
                exit
            exit