Wired Intelligent Edge

  • 1.  Tunneled-node vs RADIUS MTU

    Posted Oct 26, 2020 10:51 AM

    We are using Aruba UBT feature for our wired users.
    Currently on Aruba 2930F – jumbo ip-mtu is 1500.
    Issue is that some UDP traffic does not get through the transport, and the maximum inner packet size on the wire can be 1468 bytes. It is logical, because there is GRE overhead and GRE tunnels are established between switch and controller from the IP interface.
    If we increase jumbo ip-mtu to 1600, it fixes UDP from/to PC issue, but breaks RADIUS (EAP-TLS).
    Issue is that the PC during EAP sends the certificate based on the PC NIC MTU (1500) – on the wire we see 1510 bytes. 1510 bytes is encapsulated in RADIUS and fragmented based on jumbo ip-mtu 1600. Of course our WAN/DC LAN transport does not allow such big RADIUS packets.

    Is there an option to tell Aruba 2930F to fragment RADIUS packets based on specific value and not use jumbo ip-mtu? Issue is that jumbo ip-mtu affects UDP traffic within GRE and RADIUS between switch and ClearPass at the same time.

    version 16.10.0007



  • 2.  RE: Tunneled-node vs RADIUS MTU

    Posted Oct 26, 2020 11:27 AM

    Hi,


    The switches are not able to perform fragmentation regarding tunneled node.


    If using tunneled node, Jumbo frames should be enabled on the tunneled node VLAN on every device in the tunnel path with a minimum supported MTU of 1584 bytes.


    Regards,



  • 3.  RE: Tunneled-node vs RADIUS MTU
    Best Answer

    Posted Oct 26, 2020 11:48 AM

    It was done. The client UDP traffic issue was fixed, but that broke RADIUS communication.




  • 4.  RE: Tunneled-node vs RADIUS MTU

    Posted Aug 04, 2021 02:45 AM
    Edited by ossrk Aug 04, 2021 02:49 AM
    Was this issue fixed? I don't see an option other than creating another SVI configured for jumbo and dedicated for tunneled node.




  • 5.  RE: Tunneled-node vs RADIUS MTU

    Posted Sep 25, 2024 05:26 AM

    Hello,

    now you should be able to configure the EAP-TLS fragment size with following command:

    aaa port-access authenticator eap-tls-fragment towards-server <max-fragment-size>

    Link to Aruba CLI Bank: Configuring EAP-TLS fragmentation (arubanetworks.com)

    I'm not 100% sure, but the command should be supported since 16.10.x.
    Anyway, I have checked the command under 16.11.0013 and the command is even present on the 2530 Series.

    Give it a try. With this command you should be able to set the EAP fragment size leaving the switch to 1024, for example (ClearPass default).



    ------------------------------
    Best regards, mom
    ------------------------------
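Worked example, added here and not taken from any post in the thread: it sizes the RADIUS datagram the switch builds for one EAP-TLS fragment (EAP split across 253-byte EAP-Message attributes per RFC 3579, plus a Message-Authenticator) and checks it against the switch ip-mtu and the transport MTU. It assumes IPv4 without options and no other RADIUS attributes; the 1510, 1024, 1500 and 1600 byte values are the ones discussed above, and the EAP packet content is constructed.

```python
# Constructed sizes: IPv4 without options; other RADIUS attributes ignored (assumption).
IP_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
EAP_MSG_TYPE, EAP_MSG_MAX = 79, 253     # EAP-Message AVP: 2-byte header + up to 253 bytes
MESSAGE_AUTHENTICATOR = 18              # type 80, mandatory whenever EAP-Message is present

def eap_message_avps(eap_packet: bytes) -> list:
    """Split one EAP packet across EAP-Message attributes (RFC 3579 section 3.1)."""
    avps = []
    for i in range(0, len(eap_packet), EAP_MSG_MAX):
        chunk = eap_packet[i:i + EAP_MSG_MAX]
        avps.append(bytes([EAP_MSG_TYPE, len(chunk) + 2]) + chunk)
    return avps

def radius_datagram_size(eap_packet: bytes) -> int:
    """IPv4 datagram size of a RADIUS Access-Request carrying this EAP packet."""
    avp_bytes = sum(len(a) for a in eap_message_avps(eap_packet)) + MESSAGE_AUTHENTICATOR
    return IP_HDR + UDP_HDR + RADIUS_HDR + avp_bytes

def ipv4_fragment_sizes(datagram: int, mtu: int) -> list:
    """Sizes of the IPv4 fragments a sender with this ip-mtu emits for the datagram."""
    if datagram <= mtu:
        return [datagram]
    step = (mtu - IP_HDR) // 8 * 8      # non-final fragment payloads are multiples of 8
    payload = datagram - IP_HDR
    sizes = [IP_HDR + step] * (payload // step)
    if payload % step:
        sizes.append(IP_HDR + payload % step)
    return sizes

def check_eap_fragment(eap_len: int, switch_ip_mtu: int, transport_mtu: int) -> dict:
    """Does an EAP-TLS fragment of eap_len bytes reach the RADIUS server intact?"""
    eap_packet = bytes(eap_len)         # constructed payload; only its length matters here
    size = radius_datagram_size(eap_packet)
    frags = ipv4_fragment_sizes(size, switch_ip_mtu)
    return {"radius_datagram": size,
            "fragments_at_switch": frags,
            "fits_transport": all(f <= transport_mtu for f in frags)}

if __name__ == "__main__":
    # 1510-byte EAP fragment, switch ip-mtu 1600, WAN MTU 1500: one 1588-byte datagram
    # leaves the switch unfragmented and is too big for the transport.
    print(check_eap_fragment(1510, 1600, 1500))
    # Same fragment with ip-mtu 1500: the switch fragments it and both pieces fit.
    print(check_eap_fragment(1510, 1500, 1500))
    # 1024-byte fragment (the ClearPass default mentioned above) fits either way.
    print(check_eap_fragment(1024, 1600, 1500))
```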