How to clear Don't Fragment (DF) bit

Hamish, forgive me if it seems I'm being argumentative but this is a lot like the conversations I have with people about Virtual Addresses not needing to be in the same subnet as any Self IP; the understanding that an apparent restriction or 'rule' doesn't exist can completely change a design or approach. I post this only for the benefit of others, not to annoy you ;-) I'm happy to discuss this privately if you'd like.

 

 

The MTUs on a local subnet don't need to be the same. The layer two MTU (it's a VLAN setting on BIG-IP) will dictate the layer three MSS and therefore MTU. As long as the device with the different MTU is acting as an IP endpoint it'll inform the other endpoint of what its MSS is and things will work just fine. Where the F5 is concerned Content Spooling will smooth out any differences between client-side and server-side MTUs. The only situation where this might break things is where a layer two VS is used. Some may consider this a hack but considering that Cisco routers offer commands to clear the DF bit in packets or overwrite the MSS setting (or both) there's clearly a need here and tweaking and changing things at the network level is surely what BIG-IP is all about. Also, anything outside of the base TCP/IP specification could be considered a hack, from NAT to SACK.

 

 

Of course, as with anything, lowering the MTU should be considered carefully and the benefits and drawbacks thought through. If you have a great deal of Internet or VPN sourced clients, lowering the MTU on your external VLAN will probably be useful (and you could also create a dedicated VLAN to target things more specifically). If you don't, it's probably best not to touch it..

 

 

Best I don't mention using static ARP entries on a VLAN without Self IPs to direct traffic to the BIG-IP. :-)