ipsec fragmentation ignore df-bit

Function

The ipsec fragmentation ignore df-bit command enables the function of ignoring the Don't Fragment (DF) flag bit of original packets.

The undo ipsec fragmentation ignore df-bit command disables the function of ignoring the DF flag bit of original packets.

By default, the function of ignoring the DF flag bit of original packets is disabled.

The virtual system does not support this command.

Format

ipsec fragmentation ignore df-bit

undo ipsec fragmentation ignore df-bit

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the IPsec fragmentation before encryption function is enabled, whether or not a packet is fragmented is subject to the value of the DF flag bit of the original packet.

  • If the value of the DF flag bit is 1, the original packet cannot be fragmented.
  • If the value of the DF flag bit is 0, the original packet can be fragmented.

Therefore, in a scenario where the value of the DF flag bit of the original packet is 1, even if the IPsec fragmentation before encryption function is enabled, the packet cannot be fragmented before being encrypted.

In a scenario where the IPsec fragmentation before encryption function is enabled, if you run the ipsec fragmentation ignore df-bit command to enable the function of ignoring the DF flag bit of the original packet, the original packet is fragmented before being encrypted, regardless of whether the value of the DF flag bit of the original packet is 0 or 1.
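
The decision described above, as an added Python model (not Huawei code or device output) that applies it to a constructed IPv4 packet. Assumptions: the limit value, the 20-byte header without options, the sample addresses, and that the DF bit is left unchanged in the resulting fragments; what the device does after encryption with a DF=1 packet it did not fragment is not covered on this page.

```python
import struct

DF, MF = 0x4000, 0x2000  # flag bits in the IPv4 flags/fragment-offset word

def checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_header(hdr: bytes, total_len: int, flags_off: int) -> bytes:
    """Rewrite length and flags/offset of a 20-byte header, then the checksum."""
    h = bytearray(hdr)
    struct.pack_into("!H", h, 2, total_len)
    struct.pack_into("!H", h, 6, flags_off)
    struct.pack_into("!H", h, 10, 0)
    struct.pack_into("!H", h, 10, checksum(bytes(h)))
    return bytes(h)

def build_ipv4(payload: bytes, df: bool) -> bytes:
    """Constructed sample packet (UDP protocol number, 10.0.0.1 -> 10.0.0.2)."""
    base = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return set_header(base, 20 + len(payload), DF if df else 0) + payload

def flags_word(packet: bytes) -> int:
    return struct.unpack("!H", packet[6:8])[0]

def pre_encrypt_fragment(packet: bytes, limit: int, ignore_df: bool) -> list:
    """limit: assumed largest original packet that fits once IPsec overhead is added."""
    df_set = bool(flags_word(packet) & DF)
    if len(packet) <= limit or (df_set and not ignore_df):
        return [packet]  # fits, or DF=1 is honoured: not fragmented before encryption
    header, data = packet[:20], packet[20:]
    chunk = (limit - 20) // 8 * 8  # fragment offsets count 8-byte units
    frags = []
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        word = (flags_word(packet) & DF) | (off // 8)  # DF left as it was (assumption)
        if off + chunk < len(data):
            word |= MF  # more fragments follow
        frags.append(set_header(header, 20 + len(part), word) + part)
    return frags

if __name__ == "__main__":
    pkt = build_ipv4(bytes(1480), df=True)  # 1500-byte original packet with DF=1
    for ignore in (False, True):
        sizes = [len(f) for f in pre_encrypt_fragment(pkt, 1400, ignore)]
        print(f"ignore df-bit={ignore}: {sizes}")
```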

Example

# Enable the function of ignoring the DF flag bit of original packets.

<sysname> system-view
[sysname] ipsec fragmentation ignore df-bit
Copyright © Huawei Technologies Co., Ltd.