topic Re: Jumbo frame on one interface in Firewall and Security Management

Jumbo frame on one interface

Muazzam — Fri, 19 Mar 2021 15:53:23 GMT

Hardware: 23500 OR 13800
Version: GAIA R80.20 T161

1. What would happen if the switch has jumbo frames enabled but the firewall interface is set to default 1500 MTU? Is the firewall going to negotiate or drop the traffic.

2. What if one side of the firewall/switch (both) have jumbo frames enabled and other side firewall/switch (both) are on standard 1500 MTU. Any issues expected in this setup?

Thank You

Re: Jumbo frame on one interface

the_rock — Fri, 19 Mar 2021 17:22:07 GMT

Let me try answer this to best of my ability (maybe other people will have different opinions/ideas) : )

1. What would happen if the switch has jumbo frames enabled but the firewall interface is set to default 1500 MTU? Is the firewall going to negotiate or drop the traffic.

Put it this way...the bigger packet size, less amount of packets...the smaller packet size, many more packets going through...I cant say for sure if firewall would drop the traffic in this case, but to me, logically thinking about it anyway, sounds like it would actually try to negotiate. Jumbo frames from what I recall are usually 9000 bytes, though technically its anything bigger than 1500 really. Personally, I would try avoid this scenario at any cost. Are you asking this more in theory or is this a real scenario?

2. What if one side of the firewall/switch (both) have jumbo frames enabled and other side firewall/switch (both) are on standard 1500 MTU. Any issues expected in this setup?

I cant say for sure what would happen here, but sounds like the amount of traffic received on both sides would vary significantly based on the packet size, so dropped traffic in this situation would not surprise me at all.

I only remember one time when customer in UK had to enable jumbo frames to make some weird traffic issue through CP appliance work, but I believe he later discovered this was due to switch being configured the same way,

Apologies, but those are best answers I can come up with 😞

Andy

Re: Jumbo frame on one interface

HeikoAnkenbrand — Fri, 19 Mar 2021 22:48:35 GMT

Hi @Muazzam,

Jumbo Frames are Gigabit Ethernet frames of 9000 bytes, but technically this term refers to any frame larger than 1500 bytes.
Use Gaia WebUI to configure the required MTU on the relevant network interface. When Jumbo Frame arrives on the interface with standard MTU (1500), it is dropped at the interface level, and the "rx_long_length_errors" counter is increased.

Check "rx_long_length_errors" drops on interface level:

# ethtool -S eth1

The sk111407 lists Check Point appliances that support Jumbo Frames!

Re: Jumbo frame on one interface

the_rock — Fri, 19 Mar 2021 19:56:35 GMT

Man, sysconfig...we are getting old, thats good old Splat ; )

Re: Jumbo frame on one interface

PhoneBoy — Fri, 19 Mar 2021 21:40:16 GMT

MTU should be the same end to end.
Any hop with a different MTU means there will be ICMP Fragment Needed packets.
The firewall can generally handle these statefully, but it’s generally recommended to avoid these sorts of mismatches.