Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  How to set MTU value through JDHCP access address-assignment

    Posted 06-17-2022 05:23
    Dear colleagues and forum members,

    I am facing a hopefully solvable problem and ask for your help.

    It's about the MTU value I want to set within the SRX DHCP server settings so that the devices get the MTU value assigned by the DHCP server when connecting to the network.

    Here is my configuration and further details:

    I am currently configuring an SRX210H2 (JUNOS software release [12.3X48-D105.4]).

    The ISP provides a connection through DHCP client (fiber network). The MTU value I have to set in the wan-interface configuration to get an IP address is 1500.

    root@SRX210# show interfaces ge-1/0/0
    description ISP_Fiber;
    per-unit-scheduler;
    mtu 1500;
    link-mode full-duplex;
    gigether-options {
        auto-negotiation;
    }
    unit 0 {
        family inet {
            dhcp-client;
        }
    }

    So far so good. The connection works and is stable.

    But, the logical interface ge-1/0/0.0 no longer has the MTU value of 1500 after the IP address has been assigned, but only 1486.

    root@SRX210# run show interfaces ge-1/0/0
    [...]
    Logical interface ge-1/0/0.0 (Index 87) (SNMP ifIndex 533)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 585528
    Output packets: 220947
    Security: Zone: Internet
    Allowed host-inbound traffic : bootp bfd bgp dvmrp igmp ldp msdp nhrp ospf
    pgm pim rip router-discovery rsvp sap vrrp dhcp ping
    Protocol inet, MTU: 1486
    Flags: Sendbcast-pkt-to-re, Is-Primary
    Addresses, Flags: Is-Default Is-Preferred Is-Primary
    Destination: x.x.x.x, Local: x.x.x.x
    Broadcast: x.x.x.x

    My PCs and Wifi devices get their IP addresses assigned by DHCP servers (JDHCP, access address-assignment settings), like e.g.

    root@SRX210# show access address-assignment
    pool LAN-pool {
        family inet {
            network 10.0.0.0/24;
            range LAN-range {
                low 10.0.0.100;
                high 10.0.0.199;
            }
            dhcp-attributes {
                name-server {
                    8.8.8.8;
                }
                router {
                    10.0.0.1;
                }
            }
    ...

    However, these computers and devices have the standard MTU value of 1500, which causes the Internet connections to stick, break or some websites cannot be called up at all.

    If I manually change the MTU value of the devices' network adapter to 1486 through Windows PowerShell, the Internet connection works fine.

    Now my question: How can I set the MTU value of the workstations using the SRX configuration of the DHCP servers so that all devices are automatically assigned the mandatory MTU value 1486?

    Or is there perhaps a completely different approach?

    Any help is greatly appreciated.

    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: How to set MTU value through JDHCP access address-assignment

    Posted 06-17-2022 12:58
    The default ge interface MTU is 1514 and that includes L2 headers and the like.  The L3 protocol MTU is 14 bytes lower so by default it is 1500.  Lowering your MTU to 1500 lowers the protocol MTU by 14 bytes.

    That said, DHCP does not have an MTU option that I've ever heard of.

    What service is this fiber, as a hard 1500 byte MTU (as calculated with full headers) is odd -- it's usually 1514 or 1518.

    If you can't correct with the ISP look at TCP Clamping (tcp-mss settings in flow) and fragmentation options.

    ------------------------------
    David Divins
    ------------------------------



  • 3.  RE: How to set MTU value through JDHCP access address-assignment

    Posted 06-18-2022 08:58
    Hi David, Many thanks for your answer.

    Unfortunately, the MTU value of the ISP interface is 1500 and not 1514 or 1518. I tried increasing the value to 1514 (since my header's size is 14 bytes), but then the DHCP client no longer works.

    So that wasn't the solution.

    Then, I followed your suggestion (TCP Clamping (tcp-mss settings in flow) and fragmentation options):

    I have set the initial-tcp-mss in the corresponding policy configurations as follows:

    security policies from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tcp-options {
                        initial-tcp-mss 1438;
                    }
                }
            }
        }
    }

    That's it! Everything is now running perfectly and without interruptions.


    Thanks again!

    ------------------------------
    Steve
    ------------------------------
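
Added example, not part of the posts above: a Python model of what MSS clamping does to the TCP options of a SYN, using the thread's numbers (protocol MTU 1486, clamp 1438). All function names and the sample option bytes are constructed for illustration, and it assumes the clamp only lowers an MSS larger than the configured value.

```python
import struct

IPV4_HDR = 20   # IPv4 header without options
TCP_HDR = 20    # TCP header without options

def max_mss_for_mtu(ip_mtu):
    """Largest MSS whose segments fit in one IPv4 packet of ip_mtu bytes."""
    return ip_mtu - IPV4_HDR - TCP_HDR

def parse_tcp_options(raw):
    """Yield (offset, kind, value_bytes) for each option in a TCP options field."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            return
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        yield i, kind, raw[i + 2:i + length]
        i += length

def get_mss(raw):
    """Return the MSS advertised in the options, or None if absent."""
    for _, kind, value in parse_tcp_options(raw):
        if kind == 2 and len(value) == 2:  # kind 2 = Maximum Segment Size
            return struct.unpack("!H", value)[0]
    return None

def clamp_mss(raw, clamp):
    """Return the options with the MSS lowered to clamp if it was larger.
    Only the options field is modelled; a forwarding device would also
    have to update the TCP checksum after this rewrite."""
    out = bytearray(raw)
    for off, kind, value in parse_tcp_options(raw):
        if kind == 2 and len(value) == 2:
            if struct.unpack("!H", value)[0] > clamp:
                out[off + 2:off + 4] = struct.pack("!H", clamp)
    return bytes(out)

# Constructed SYN options as a host with a 1500-byte MTU would send them:
# MSS 1460, NOP, window scale 8, NOP, NOP, SACK permitted.
SYN_OPTS = bytes.fromhex("020405b4" "01" "030308" "0101" "0402")
```

With a protocol MTU of 1486, the largest MSS that avoids fragmentation is 1446, so the configured 1438 leaves 8 bytes of headroom.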