Fragmentation
I have access to RouterA which is a Cisco device. Int gig 0/0/1 uplinks to RouterB which I don’t have access to. I’m pulling a pcap from RouterA on gig 0/0/1 and I’m seeing a lot of fragmentation. This is actually expected. Not ideal but expected.
The source address on the fragments is RouterB. It’s a GRE tunnel and that’s the tunnel interface, next hop is my RouterA. My ip mtu is 1424. I see an IP packet that’s 1424, source is RouterB’s address, and a fragment that’s 768, with the internal IP (no second IP header or GRE header). I know jumbo frames are enabled on RouterB. Given the setup this is working as designed.
I’m trying to determine which device is doing the fragmentation.
Based on this info can I state unequivocally that RouterB is fragmenting?
Or is RouterB handing me a jumbo frame of nearly 2200 bytes and RouterA is actually fragmenting?
Look at the source IP address of the fragmented packet.
Derp! Just wanted to be sure it was as I was seeing it. Gracias.
Intermediate systems can do fragmentation too, so the source IP is not always the system doing the IP fragmentation.
However, in this case, AFAIK if the packet was too big for RouterA, it would have been dropped on ingress (and not be in the pcap) and it would only fragment the packet itself on the egress side. So all points to the fragmentation being done on RouterB after it received a jumbo frame from another interface, and then tunnels it on the interface towards RouterB (on which I suspect it also has an MTU of 1424 configured).
Awesome details. I know what’s happening on the RouterB network so I’m pretty positive it’s doing the fragmentation. I just wanted to be really sure before I burst that proverbial bubble with my findings. Thanks a bunch.
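For checking a capture like the one discussed in this thread, the following added example (not code from any poster) groups IPv4 fragments by source, destination, protocol and IP ID and computes the size of the datagram before fragmentation. The addresses, IP IDs and sizes are constructed; the first fragment is 1420 bytes rather than 1424 because fragment offsets are counted in 8-byte units.

```python
import struct
from collections import defaultdict

FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build(src, dst, ident, total_len, offset, mf, proto=47):
    """Constructed IPv4 header for the sample data (checksum left as 0)."""
    ff = (0x2000 if mf else 0) | (offset // 8)
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(FMT, 0x45, 0, total_len, ident, ff, 64, proto, 0,
                       addr(src), addr(dst))

def parse(hdr):
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack(FMT, hdr[:20])
    ihl = (vihl & 0x0F) * 4
    return {"key": (".".join(map(str, src)), ".".join(map(str, dst)), proto, ident),
            "ihl": ihl, "payload": total - ihl,
            "offset": (ff & 0x1FFF) * 8,   # field is in 8-byte units
            "mf": bool(ff & 0x2000)}       # More Fragments flag

def fragment_groups(headers):
    """Group fragments by reassembly key and report the original datagram size."""
    groups = defaultdict(list)
    for h in map(parse, headers):
        if h["mf"] or h["offset"]:         # skip unfragmented packets
            groups[h["key"]].append(h)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        contiguous = all(a["offset"] + a["payload"] == b["offset"]
                         for a, b in zip(frags, frags[1:]))
        complete = frags[0]["offset"] == 0 and not frags[-1]["mf"] and contiguous
        size = frags[0]["ihl"] + frags[-1]["offset"] + frags[-1]["payload"]
        report[key] = {"fragments": len(frags), "complete": complete,
                       "original_len": size if complete else None}
    return report

# Constructed sample (documentation addresses, protocol 47 = GRE).
SAMPLE = [
    build("192.0.2.1", "192.0.2.2", 0x1A2B, 1420, 0, True),     # first fragment
    build("192.0.2.1", "192.0.2.2", 0x1A2B, 768, 1400, False),  # trailing fragment
    build("192.0.2.1", "192.0.2.2", 0x1A2C, 600, 0, False),     # not fragmented
    build("192.0.2.1", "192.0.2.2", 0x1A2D, 1420, 0, True),     # tail not captured
]

if __name__ == "__main__":
    for key, info in fragment_groups(SAMPLE).items():
        print(key, info)
```

The source address, protocol and IP ID are copied into every fragment from the original header, so this output gives the pre-fragmentation size but does not by itself name the hop that fragmented.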