Configuring the Interface MTU
By default, any Ethernet interface has its maximum transmission unit (MTU) size set to 1500 bytes, which is the maximum and expected value for Ethernet frames. If a packet is larger than the MTU, it must be fragmented before being transmitted. And before the packet can be presented at the destination, all of its fragments must be reassembled in their proper order.
The whole fragmentation and reassembly process takes time, memory, and CPU resources, so it should be avoided if possible. Normally, the default 1500-byte MTU is sufficient because Ethernet frames are limited to a standard maximum of 1500 bytes of payload data. Various IEEE standards use expanded frame sizes to carry additional information. As well, data centers often leverage Ethernet “giant” or “jumbo” frames, which are much larger than normal, to move large amounts of data efficiently.
If packets larger than 1500 bytes are commonplace in a network, you can increase the MTU size to prevent the packets from being fragmented at all. In some cases, you might need to reduce the MTU to avoid having to fragment encrypted packets where the encryption protocols add too much overhead to an already maximum-sized packet. Ideally, the MTU should be increased on every network device and interface along the entire data path.
To adjust the interface MTU from ASDM, first select Configuration > Device Setup > Interfaces, select an interface, and click the Edit button. Next, select the Advanced tab and enter the new MTU value, as shown in Figure 3-21. Although ASDM lets you type a new value, it won’t permit the value to change if the interface has not been configured with a name.
Figure 3-21. Configuring an Interface MTU in ASDM
To accomplish the same task from the CLI, you can use the following global configuration command to adjust the MTU on an ASA interface:
ciscoasa(config)# mtu if_name bytes
Identify the interface using its name, such as “inside” or “outside,” rather than the hardware name. The transmitted MTU can be sized from 64 to 9216 bytes.
You should also use the following interface configuration command to enable jumbo frame processing as frames are received on an interface:
ciscoasa(config-if)# jumbo-frame reservation
Although you can increase the MTU size on any ASA platform, be aware that the jumbo-frame reservation command is supported only on the ASA 5585-X.
You can display the current MTU configuration for all firewall interfaces by using the show running-config mtu command. Interface MTU settings are also displayed as a part of the show interface command output. Example 3-13 shows the output from each of the commands.
Example 3-13. Displaying the Interface MTU
ciscoasa# show running-config mtu
mtu outside 1500
mtu inside 1500
ciscoasa# show interface outside
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        MAC address 001a.a22d.1ddc, MTU 1500
        IP address 192.168.100.10, subnet mask 255.255.255.0
        1996 packets input, 127860 bytes, 0 no buffer
        Received 533 broadcasts, 0 runts, 0 giants
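The following added example (not part of the original text) audits saved configuration text from several firewalls for the conditions described above: an MTU outside the 64 to 9216 byte range, an MTU above 1500 with no jumbo-frame reservation line, and an MTU that is not the same on every interface along a data path. The hostnames, the sample configurations, and the function names are constructed for illustration.

```python
import re

# Transmit MTU range accepted by "mtu if_name bytes", as stated in the text.
MTU_MIN, MTU_MAX = 64, 9216
DEFAULT_MTU = 1500
MTU_LINE = re.compile(r"^mtu\s+(\S+)\s+(\d+)$")

def parse_mtus(config_text):
    """Return {interface_name: mtu_bytes} from 'mtu if_name bytes' lines."""
    mtus = {}
    for line in config_text.splitlines():
        m = MTU_LINE.match(line.strip())
        if m:
            mtus[m.group(1)] = int(m.group(2))
    return mtus

def audit_path(devices, path):
    """devices: {hostname: config text}; path: [(hostname, if_name), ...]
    naming every firewall interface the traffic crosses, in order."""
    findings, seen = [], {}
    for host, ifname in path:
        cfg = devices[host]
        mtu = parse_mtus(cfg).get(ifname)
        if mtu is None:
            findings.append(f"{host}/{ifname}: no mtu line found")
            continue
        if not MTU_MIN <= mtu <= MTU_MAX:
            findings.append(f"{host}/{ifname}: mtu {mtu} outside {MTU_MIN}-{MTU_MAX}")
        if mtu > DEFAULT_MTU and "jumbo-frame reservation" not in cfg:
            findings.append(f"{host}/{ifname}: mtu {mtu} without jumbo-frame reservation")
        seen[(host, ifname)] = mtu
    smallest = min(seen.values(), default=None)
    for (host, ifname), mtu in seen.items():
        if mtu != smallest:  # larger packets would be fragmented on this path
            findings.append(f"{host}/{ifname}: mtu {mtu} exceeds path minimum {smallest}")
    return findings

# Constructed sample configurations (hypothetical hosts fw-a and fw-b).
SAMPLE = {
    "fw-a": "jumbo-frame reservation\nmtu outside 1500\nmtu inside 9000\n",
    "fw-b": "mtu outside 1500\nmtu inside 9000\nmtu dmz 1500\n",
}
SAMPLE_PATH = [("fw-a", "inside"), ("fw-b", "inside"), ("fw-b", "dmz")]

if __name__ == "__main__":
    for finding in audit_path(SAMPLE, SAMPLE_PATH):
        print(finding)
```

Because jumbo-frame reservation is supported only on the ASA 5585-X, treat the "without jumbo-frame reservation" finding on any other platform as a prompt to check whether that MTU is usable there at all.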