NGE packet overhead and MTU considerations

NGE adds overhead to the packets of the services it encrypts. Table: NGE overhead for MPLS shows the additional overhead for the worst-case scenario of MPLS service encryption. Table: NGE overhead for router interface shows the additional overhead for the worst-case scenario of router interface encryption. The actual overhead depends on which encryption and authentication algorithms are chosen.

Table: NGE overhead for MPLS

Item                 Number of bytes
Encryption label     4
ESP                  24
ICV                  32
Padding              17
Control word copy    4
Total                81

For MP-BGP-based VPRNs, the total is 77 bytes because the control word copy is not required.

Table: NGE overhead for router interface

Item                 Number of bytes
ESP                  24
ICV                  32
Padding              17
Total                73

For Layer 3 packets for router interface encryption, the total is 73 bytes because the encryption label and control word copy are not required.

The overhead values in Table: NGE overhead for MPLS must be considered for services that are supported by NGE.

Note: Currently, the port MTU has a default value of 1572 bytes. This value is too low for outbound traffic when NGE is enabled. Users must configure new MTU values to adjust for the overhead associated with NGE, as described in Table: Accounting for NGE overhead SDP and service MTU — calculation examples for MPLS-based and GRE-based services. For details on configuring MTU, see the "MTU Configuration Guidelines" section in the 7450 ESS, 7750 SR, 7950 XRS, and VSR Interface Configuration Guide.

The calculations in Table: Accounting for NGE overhead SDP and service MTU — calculation examples show how NGE overhead affects SDP MTU and service MTU values for MPLS-based, GRE-based, and VPRN-based services. The calculations are with and without NGE enabled.

Table: Accounting for NGE overhead SDP and service MTU — calculation examples

Service type: MPLS-based services
MTU values with and without NGE enabled:

  SDP MTU (MPLS):
    = 1572 (network port MTU) – 14 (Ethernet header) – 4 (outer label) – 4 (inner label)
    = 1550 bytes (without NGE enabled)
    => 1550 – 81 (NGE overhead for MPLS) = 1469 bytes (with NGE enabled)

  Service MTU (MPLS) considerations with NGE enabled:
    • Layer 3 spoke IP MTU (MPLS)
      = 1469 – 14 (inner Ethernet header)
      = 1455 bytes
    • PW spoke SDP MTU (MPLS)
      = SDP MTU
      = 1469 bytes

Service type: GRE-based services
MTU values with and without NGE enabled:

  SDP MTU (GRE):
    = 1572 (network port MTU) – 14 (Ethernet header) – 20 (IP header) – 4 (GRE header) – 4 (inner label)
    = 1530 bytes (without NGE enabled)
    => 1530 – 81 (NGE overhead for MPLS) = 1449 bytes (with NGE enabled)

  Service MTU (GRE) considerations with NGE enabled:
    • Layer 3 spoke IP MTU (GRE)
      = 1449 – 14 (inner Ethernet header)
      = 1435 bytes
    • PW spoke MTU (GRE)
      = SDP MTU
      = 1449 bytes

Service type: VPRN-based services
MTU values with and without NGE enabled:

  Each interface inherits its MTU from the SAP or spoke SDP to which it is bound; the MTU value can be changed manually using the ip-mtu command.

  MP-BGP-based VPRN services:
    The MTU of the egress IP interface is used. When NGE is enabled on a VPRN service, customers must account for the additional 77 bytes of overhead needed by NGE on any egress IP interface used by the VPRN service.

When an unencrypted Layer 3 packet ingresses the node and routing determines that the egress interface is an NGE-enabled router interface, the node checks whether the packet size, with the router interface NGE overhead added, exceeds the MTU of the egress interface. If the packet cannot be forwarded out of the network interface, an ICMP message is sent back to the sender and the packet is dropped. Users must configure new MTU values to adjust for the overhead associated with NGE.

If an IP exception ACL on the egress interface matches the ingressing packet, the MTU check applied to that packet still includes the router interface NGE overhead. The ingress interface cannot determine which IP exceptions are configured on the egress interface, so the worst-case MTU check, the one that includes the router interface NGE overhead, is always performed.
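The following is an added worked example, not Nokia SR OS code or anything from the Interface Configuration Guide. It carries the two overhead tables and the SDP/service MTU calculations above through in code, derives the port MTU needed to keep the original SDP MTU once NGE is enabled (the "configure new MTU values" step from the note, obtained by inverting the SDP MTU formula; the page gives no formula for it), and models the egress MTU check for an NGE-enabled router interface, including the worst-case behaviour when an IP exception ACL is configured. All byte counts and the 1572-byte default port MTU are the page's figures; the function and parameter names are this example's own.

```python
"""NGE overhead and MTU arithmetic from this page, as an added worked example.

This is not Nokia SR OS code. The byte counts (ESP, ICV, padding, labels,
control word copy) and the 1572-byte default port MTU are the figures given
in the tables above; every function and parameter name is this example's own.
"""

# Default network port MTU, from the note on this page.
PORT_MTU_DEFAULT = 1572

# Transport header sizes used in the SDP MTU calculations (bytes).
ETH_HDR = 14       # Ethernet header (outer or inner)
MPLS_LABEL = 4     # one MPLS label (outer, inner or encryption label)
IP_HDR = 20        # IPv4 header (GRE transport)
GRE_HDR = 4        # GRE header

# Worst-case NGE overhead components (bytes), from the two overhead tables.
ESP_HDR = 24
ICV = 32
PADDING = 17
CONTROL_WORD_COPY = 4
ENCRYPTION_LABEL = 4


def nge_overhead(service: str) -> int:
    """Worst-case NGE overhead in bytes for one service type.

    "mpls"   MPLS service with control word copy (table total: 81)
    "vprn"   MP-BGP-based VPRN, no control word copy (77)
    "router" router interface encryption, no label and no control word (73)
    """
    base = ESP_HDR + ICV + PADDING
    if service == "mpls":
        return ENCRYPTION_LABEL + base + CONTROL_WORD_COPY
    if service == "vprn":
        return ENCRYPTION_LABEL + base
    if service == "router":
        return base
    raise ValueError(f"unknown NGE service type: {service!r}")


def sdp_mtu(transport: str, nge: bool, port_mtu: int = PORT_MTU_DEFAULT) -> int:
    """SDP MTU for an MPLS or GRE transport, with or without NGE enabled."""
    if transport == "mpls":
        mtu = port_mtu - ETH_HDR - MPLS_LABEL - MPLS_LABEL          # outer + inner label
    elif transport == "gre":
        mtu = port_mtu - ETH_HDR - IP_HDR - GRE_HDR - MPLS_LABEL    # inner label
    else:
        raise ValueError(f"unknown transport: {transport!r}")
    # The table subtracts the worst-case MPLS overhead (81 bytes) for both transports.
    return mtu - nge_overhead("mpls") if nge else mtu


def l3_spoke_ip_mtu(transport: str, port_mtu: int = PORT_MTU_DEFAULT) -> int:
    """Layer 3 spoke IP MTU with NGE enabled: SDP MTU minus the inner Ethernet header."""
    return sdp_mtu(transport, True, port_mtu) - ETH_HDR


def pw_spoke_mtu(transport: str, port_mtu: int = PORT_MTU_DEFAULT) -> int:
    """PW spoke SDP MTU with NGE enabled: equal to the SDP MTU."""
    return sdp_mtu(transport, True, port_mtu)


def required_port_mtu(transport: str, target_sdp_mtu: int) -> int:
    """Port MTU needed so that, with NGE enabled, the SDP MTU stays at target_sdp_mtu.

    Derived here by inverting sdp_mtu(); the page states the need to raise the
    port MTU but does not give this formula.
    """
    loss = PORT_MTU_DEFAULT - sdp_mtu(transport, True)   # transport headers + NGE overhead
    return target_sdp_mtu + loss


def egress_mtu_check(packet_len: int, egress_mtu: int, nge_enabled: bool) -> str:
    """Model of the egress MTU check for an NGE-enabled router interface.

    Returns "forward" or "drop"; on "drop" the node sends an ICMP message back
    to the sender. With NGE enabled, the router interface overhead is always
    added before comparing against the egress MTU. The result does not depend
    on whether an IP exception ACL on the egress interface matches the packet:
    the ingress side cannot see the egress exceptions, so the worst case is
    assumed, as the page describes.
    """
    overhead = nge_overhead("router") if nge_enabled else 0
    return "drop" if packet_len + overhead > egress_mtu else "forward"


if __name__ == "__main__":
    for transport in ("mpls", "gre"):
        plain = sdp_mtu(transport, False)
        print(f"{transport.upper()}: SDP MTU {plain} without NGE, "
              f"{sdp_mtu(transport, True)} with NGE; "
              f"L3 spoke IP MTU {l3_spoke_ip_mtu(transport)}, "
              f"PW spoke MTU {pw_spoke_mtu(transport)}; "
              f"port MTU to keep SDP MTU {plain}: {required_port_mtu(transport, plain)}")
    # A 1500-byte IP packet fits a 1572-byte egress MTU until NGE adds 73 bytes.
    print(egress_mtu_check(1500, 1572, False), egress_mtu_check(1500, 1572, True))
```

Running the script reproduces the table values (1550/1469 for MPLS, 1530/1449 for GRE, 1455 and 1435 for the Layer 3 spoke IP MTUs) and shows that keeping the pre-NGE SDP MTU requires raising the port MTU from 1572 to 1653 for either transport, since only the NGE overhead changes. The last line shows why the note calls the default port MTU too low: a 1500-byte packet is forwarded without NGE but dropped once the 73-byte router interface overhead is added.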