This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Muazzam
Contributor
Contributor
‎2021-03-19 08:53 AM

Jumbo frame on one interface

Hardware: 23500 OR 13800
Version: GAIA R80.20 T161

1. What would happen if the switch has jumbo frames enabled but the firewall interface is set to default 1500 MTU? Is the firewall going to negotiate or drop the traffic.

2. What if one side of the firewall/switch (both) have jumbo frames enabled and other side firewall/switch (both) are on standard 1500 MTU. Any issues expected in this setup?

Thank You

0 Kudos
4 Replies
the_rock
Legend
Legend
‎2021-03-19 10:22 AM

Let me try answer this to best of my ability (maybe other people will have different opinions/ideas) : )

1. What would happen if the switch has jumbo frames enabled but the firewall interface is set to default 1500 MTU? Is the firewall going to negotiate or drop the traffic.

Put it this way...the bigger packet size, less amount of packets...the smaller packet size, many more packets going through...I cant say for sure if firewall would drop the traffic in this case, but to me, logically thinking about it anyway, sounds like it would actually try to negotiate. Jumbo frames from what I recall are usually 9000 bytes, though technically its anything bigger than 1500 really. Personally, I would try avoid this scenario at any cost. Are you asking this more in theory or is this a real scenario?

2. What if one side of the firewall/switch (both) have jumbo frames enabled and other side firewall/switch (both) are on standard 1500 MTU. Any issues expected in this setup?

I cant say for sure what would happen here, but sounds like the amount of traffic received on both sides would vary significantly based on the packet size, so dropped traffic in this situation would not surprise me at all.

 

I only remember one time when customer in UK had to enable jumbo frames to make some weird traffic issue through CP appliance work, but I believe he later discovered this was due to switch being configured the same way,

Apologies, but those are best answers I can come up with 😞

 

Andy

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2021-03-19 12:26 PM

Hi @Muazzam,

Jumbo Frames are Gigabit Ethernet frames of 9000 bytes, but technically this term refers to any frame larger than 1500 bytes.
Use Gaia WebUI to configure the required MTU on the relevant network interface. When Jumbo Frame arrives on the interface with standard MTU (1500), it is dropped at the interface level, and the "rx_long_length_errors" counter is increased.

Check "rx_long_length_errors" drops on interface level:

# ethtool -S eth1

The sk111407 lists Check Point appliances that support Jumbo Frames!

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
the_rock
Legend
Legend
‎2021-03-19 12:56 PM
In response to HeikoAnkenbrand

Man, sysconfig...we are getting old, thats good old Splat ; )

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-19 02:40 PM

MTU should be the same end to end.
Any hop with a different MTU means there will be ICMP Fragment Needed packets.
The firewall can generally handle these statefully, but it’s generally recommended to avoid these sorts of mismatches.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top