Mental model
Networks have a maximum frame size at Layer 2. For standard Ethernet the frame carries at most 1500 bytes of payload (the IP packet); that is 1518 bytes on the wire including the Ethernet header and FCS, or 1522 with an 802.1Q tag.
A packet sent on a 1500-MTU link can be up to 1500 bytes. If a packet is larger than the next link’s MTU, one of three things happens:
- Fragment it — IPv4 router splits the packet into smaller pieces and forwards them.
- Drop it + send ICMP — if the Don’t-Fragment bit is set, router drops the packet and tells the sender “use smaller packets.”
- Drop it silently — broken middleboxes do this. Hardest to diagnose.
The right behavior is #2 (Path MTU Discovery, or PMTUD). The wrong behavior is #3, which is why “blocking ICMP” at firewalls causes subtle failures.
Common MTU values
| Link type | MTU |
|---|---|
| Ethernet (standard) | 1500 |
| Ethernet with 802.1Q tag | 1500 (payload) — needs 1504 raw |
| Ethernet with jumbo frames | 9000 (or 9216) — needs explicit config end-to-end |
| PPPoE (DSL) | 1492 |
| GRE tunnel | 1476 (1500 − 24 GRE overhead) |
| GRE over IPsec | ~1400 (1500 − 24 GRE − 52 IPsec) |
| WireGuard | 1420 |
| Wi-Fi | 2304 (theoretical) / 1500 (typical) |
For CCNA: know 1500 default, 9000 jumbo, and that tunneling reduces effective MTU.
MTU vs MSS
| Term | What it is | Layer |
|---|---|---|
| MTU | Max bytes in a Layer-3 packet (IP header + payload) | L3 / interface |
| MSS | Max bytes in a TCP segment payload (no headers) | L4 / TCP |
MSS = MTU − IP header (20) − TCP header (20) = MTU − 40 (in IPv4 without options).
For default Ethernet: MSS = 1500 − 40 = 1460.
MSS is negotiated during the TCP 3-way handshake — each side advertises its desired MSS. The smaller is used. This is how endpoints avoid sending packets too big for their first hop.
MSS clamping — fixing tunnel MTU issues
When your network has a tunnel (GRE, VPN, MPLS), the effective MTU drops. Endpoints don’t know — they still think 1500 works. Packets get fragmented (slow), dropped (silent failure), or PMTUD-handled (works but adds RTT).
MSS clamping is the fix on the router carrying the tunnel:
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip tcp adjust-mss 1360
This makes the router rewrite the MSS value in any TCP SYN passing through it. New SYNs say “1360 max” instead of “1460 max.” Endpoints negotiate down to 1360. No packet ever gets too big for the tunnel. No host reconfiguration needed.
Standard combo: set `ip mtu 1400` on the tunnel + `ip tcp adjust-mss 1360` to fix everything.
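To make the rewrite concrete, here is an added example (not Cisco's code and not part of the original notes) that does on raw TCP header bytes what `ip tcp adjust-mss 1360` does in the router: walk the options of a SYN, lower the MSS option (kind 2, length 4) if it is above the clamp, and recompute the TCP checksum over the IPv4 pseudo-header. The SYN, the addresses and the port numbers are constructed here purely for illustration.

```python
# Added example, not from the original notes: router-side TCP MSS clamping on
# raw header bytes. The SYN and addresses below are constructed for illustration.
import struct

END_KIND, NOP_KIND, MSS_KIND = 0, 1, 2


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment.
    Over a segment whose checksum field is already correct it returns 0."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(mss: int, src: bytes, dst: bytes, sport=40000, dport=443) -> bytes:
    """Constructed SYN: 20-byte header + MSS option + NOP/EOL padding (8 bytes)."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x00\x00\x00"
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)  # flags 0x02 = SYN
    seg = hdr + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def find_mss_option(segment: bytes):
    """Walk the TCP option list; return the byte offset of the MSS option or None.
    Stops on a truncated or malformed option rather than looping forever."""
    hlen = (segment[12] >> 4) * 4
    i = 20
    while i < hlen:
        kind = segment[i]
        if kind == END_KIND:
            break
        if kind == NOP_KIND:
            i += 1
            continue
        if i + 1 >= hlen:
            break
        length = segment[i + 1]
        if length < 2:
            break
        if kind == MSS_KIND and length == 4:
            return i
        i += length
    return None


def read_mss(segment: bytes):
    """Advertised MSS of a segment, or None if it carries no MSS option."""
    i = find_mss_option(segment)
    return None if i is None else struct.unpack("!H", segment[i + 2:i + 4])[0]


def clamp_mss(segment: bytes, src: bytes, dst: bytes, clamp: int) -> bytes:
    """What the router does per transiting segment: only SYN/SYN-ACK carry MSS,
    only a value above the clamp is rewritten, and the checksum is fixed up."""
    if not segment[13] & 0x02:                       # SYN flag clear: pass through
        return segment
    i = find_mss_option(segment)
    if i is None or read_mss(segment) <= clamp:
        return segment
    seg = segment[:i + 2] + struct.pack("!H", clamp) + segment[i + 4:]
    seg = seg[:16] + b"\x00\x00" + seg[18:]          # zero checksum before recomputing
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
```

The endpoint never learns that anyone touched the SYN: the checksum is valid, the option is well-formed, and the peer simply sees a smaller advertised MSS and negotiates down to it, exactly as the notes describe.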
Path MTU Discovery (PMTUD)
When a packet has the Don’t-Fragment (DF) bit set and arrives at a router that can’t forward it without fragmenting:
- Router drops the packet.
- Router sends ICMP type 3 code 4 (“Fragmentation Needed, DF set”) back to the sender, including the next-hop MTU.
- Sender shrinks its packet size and retries.
Most TCP stacks set the DF bit by default. PMTUD is how the internet “auto-tunes” to whatever the smallest MTU on a path happens to be.
The trap: if anyone on the return path blocks ICMP type 3, the sender never gets the message. Packets keep getting dropped. Application hangs. PMTUD is useful but fragile.
Fragmentation in IPv4 — how it works
If the DF bit is not set, IPv4 fragments. Three fields in the IP header track this:
- Identification — same for all fragments of one original packet
- Flags — DF (Don’t Fragment), MF (More Fragments)
- Fragment Offset — where in the original packet this fragment sits
Reassembly happens at the destination — not at intermediate routers. So fragmentation adds CPU load both at the fragmenting router and at the destination.
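The three header fields above are easiest to understand by building them. The following is an added example (not from the original notes) that fragments a constructed IPv4 packet the way a router would when DF is clear, and reassembles it the way a destination host would. The reassembler refuses overlapping fragments instead of picking a winner, which is the defensive choice because overlap is the classic trick behind fragment-based evasion. Addresses, the Identification value and the payload are constructed here.

```python
# Added example, not from the original notes: IPv4 fragmentation driven by
# Identification, the DF/MF flags and Fragment Offset, plus host-side reassembly.
import struct

IHL = 20  # header length without options, in bytes


def checksum(data: bytes) -> int:
    """Standard Internet checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ident: int, df: bool, mf: bool, offset8: int,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=17) -> bytes:
    """Build one IPv4 packet; offset8 is the Fragment Offset in 8-byte units."""
    flags_off = (df << 14) | (mf << 13) | (offset8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (ident, df, mf, offset8, payload) from a raw IPv4 packet."""
    ver_ihl, _, total, ident, flags_off, *_ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (ver_ihl & 0x0F) * 4
    return (ident, bool(flags_off & 0x4000), bool(flags_off & 0x2000),
            flags_off & 0x1FFF, pkt[hlen:total])


def fragment(pkt: bytes, mtu: int) -> list:
    """Router behaviour for a packet larger than the next-hop MTU. With DF clear it
    is split into fragments; with DF set the router must instead drop it and send
    ICMP type 3 code 4, which this model signals by raising."""
    ident, df, mf, offset8, payload = parse_ipv4(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if df:
        raise ValueError("DF set: drop and send ICMP type 3 code 4 (next-hop MTU %d)" % mtu)
    chunk = (mtu - IHL) // 8 * 8        # every non-final fragment carries a multiple of 8 bytes
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags = []
    for i in range(0, len(payload), chunk):
        last = i + chunk >= len(payload)
        frags.append(build_ipv4(payload[i:i + chunk], ident, df=False,
                                mf=(mf or not last), offset8=offset8 + i // 8))
    return frags


def reassemble(frags: list) -> bytes:
    """Destination-side reassembly keyed on Identification. Any byte covered twice
    (an overlapping or duplicate fragment) is rejected rather than resolved."""
    ident = parse_ipv4(frags[0])[0]
    buf, total_len = {}, None
    for f in frags:
        fid, _, mf, off8, data = parse_ipv4(f)
        if fid != ident:
            raise ValueError("fragment belongs to a different datagram")
        start = off8 * 8
        for b in range(start, start + len(data)):
            if b in buf:
                raise ValueError("overlapping fragment at byte %d" % b)
            buf[b] = data[b - start]
        if not mf:                      # MF clear marks the final fragment
            total_len = start + len(data)
    if total_len is None or len(buf) != total_len:
        raise ValueError("incomplete datagram")
    return bytes(buf[i] for i in range(total_len))
```

A 1500-byte packet crossing a 576-byte link becomes three fragments of 552, 552 and 376 payload bytes with offsets 0, 69 and 138 (in 8-byte units) and MF set on all but the last; the destination does the work of putting them back together, which is the CPU cost the notes mention.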
IPv6 is different — no router fragmentation
In IPv6, routers don’t fragment. If a packet is too big, the router always drops it and sends ICMPv6 type 2 “Packet Too Big.” Only the sender can fragment (by adding a Fragment Extension Header).
In practice: IPv6 relies on PMTUD entirely. If PMTUD is broken, IPv6 connectivity breaks more visibly than IPv4 (no fragmentation safety net).
Commands
! Set L3 MTU on an interface
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip mtu 1400
! Set Layer-2 MTU (often needed alongside)
R1(config-if)# mtu 1500
! MSS clamping for TCP traffic crossing this interface
R1(config-if)# ip tcp adjust-mss 1360
Verify
R1# show interfaces GigabitEthernet0/0 | include MTU
R1# show ip interface GigabitEthernet0/0 | include MTU
! Test MTU end-to-end (send a max-sized ping with DF)
R1# ping 8.8.8.8 size 1500 df-bit
If `ping 8.8.8.8 size 1500 df-bit` succeeds but `ping 8.8.8.8 size 1501 df-bit` fails, your path MTU is exactly 1500. If size 1500 already fails, MTU is smaller — keep bisecting.
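The PMTUD exchange described earlier and the "keep bisecting" step above are modelled together in this added example (not from the original notes, and not a real network tool). A path is a constructed list of link MTUs; a well-behaved router answers an oversized DF packet with ICMP type 3 code 4 carrying the next-hop MTU, a black-holed path answers nothing. Classic PMTUD converges in one round trip per hop that shrinks the size but gives up silently on the black hole, whereas the bisection only needs "delivered or not" and so still finds the path MTU when ICMP is blocked. Retry counts and the 576-byte lower bound are assumptions of the model.

```python
# Added example, not from the original notes: a model of PMTUD and of the
# ping/df-bit bisection over a constructed path of link MTUs.


class Path:
    """A path as a list of link MTUs. A well-behaved path answers an oversized DF
    packet with ('icmp_frag_needed', next_hop_mtu); a black-holed path answers None."""

    def __init__(self, link_mtus, blackhole=False):
        self.link_mtus = list(link_mtus)
        self.blackhole = blackhole
        self.delivered = []

    def send(self, size: int, df: bool = True):
        for mtu in self.link_mtus:
            if size > mtu:
                if df:
                    return None if self.blackhole else ("icmp_frag_needed", mtu)
                # DF clear: an IPv4 router fragments and forwards. The model keeps
                # only the new largest piece, which fits every remaining link.
                size = mtu
        self.delivered.append(size)
        return ("delivered", size)


def pmtud(path: Path, start: int = 1500, max_retries: int = 3):
    """Classic PMTUD: send at the interface MTU with DF set, shrink to the MTU
    reported in each ICMP 'Fragmentation Needed', stop after max_retries silent
    drops. Returns (path_mtu, attempts), or (None, attempts) for a black hole."""
    size, attempts, silent = start, 0, 0
    while silent < max_retries:
        attempts += 1
        reply = path.send(size, df=True)
        if reply is None:
            silent += 1                 # no feedback: retransmit the same size
            continue
        kind, value = reply
        if kind == "delivered":
            return size, attempts
        size = value                    # ICMP told us the next-hop MTU
    return None, attempts


def bisect_mtu(path: Path, lo: int = 576, hi: int = 1500):
    """The 'keep bisecting' step: probe with DF set and binary-search the largest
    size that is delivered. Needs no ICMP, so it works through a black hole.
    Assumes lo always fits. Returns (path_mtu, number_of_probes)."""
    probes = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        probes += 1
        reply = path.send(mid, df=True)
        if reply is not None and reply[0] == "delivered":
            lo = mid
        else:
            hi = mid - 1
    return lo, probes
```

On a three-hop path whose middle link is 1400 bytes, `pmtud` needs two sends (one ICMP, one success); with ICMP blocked it retries three times and returns `None`, which is the application hang the notes describe, while `bisect_mtu` still lands on 1400 in ten probes. Sending the same 1500-byte packet with DF clear is "delivered" at 1400 bytes, which is why a ping without `df-bit` tells you nothing about the path MTU.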
Common mistakes
- Blocking all ICMP at the firewall. Breaks PMTUD silently. Symptoms: SSH connects but `git push` hangs; web pages load slowly with intermittent failures; large file transfers stall. Always allow ICMP type 3 code 4 inbound.
- Setting jumbo frames on only part of the network. Jumbo MTU (9000) must be configured end-to-end — every switch port, every router interface, every host NIC. One device at 1500 → silent fragmentation / drops.
- Forgetting tunnel overhead. Adding a GRE tunnel reduces effective MTU by 24 bytes. Adding IPsec adds another ~52. Don’t forget MSS clamping after adding either.
- Confusing L2 and L3 MTU. `mtu` (without `ip`) sets the Layer-2 frame MTU. `ip mtu` sets the Layer-3 packet MTU. Usually L3 MTU ≤ L2 MTU. Mismatched values cause confusion.
- Testing MTU with ping that doesn’t have DF. Without DF, the router happily fragments and ping succeeds. Always use `df-bit` to test actual end-to-end MTU.
- Assuming IPv4 fragments everywhere. Many modern firewalls drop fragmented packets as a security policy (fragments are sometimes used for evasion). End-to-end fragmentation isn’t reliable. PMTUD or MSS clamp instead.
Lab to try tonight
- Two routers connected via a serial / GRE tunnel with a known small MTU (configure `ip mtu 1400` on the tunnel).
- From a host behind R1, ping the host behind R2 with `ping <target> size 1500 df-bit`. Watch it fail.
- Run `traceroute --mtu <target>` on Linux (or `ping <target> size 1500` without DF) to find the path MTU.
- Add `ip tcp adjust-mss 1360` on R1’s tunnel interface.
- Open a TCP connection through the tunnel (SSH, HTTP). Wireshark capture — note the SYN’s MSS option value is rewritten to 1360.
- Bonus: simulate a broken middlebox by blocking ICMP type 3 on the WAN. Watch HTTPS large-file transfers stall. Restore ICMP — they recover.
Cheat strip
| Concept | Plain English |
|---|---|
| MTU | Biggest frame allowed on a link |
| MSS | Biggest TCP segment payload (MTU − 40 typically) |
| DF bit | “Don’t fragment me — bounce the packet if too big” |
| ICMP type 3 code 4 | “Fragmentation needed, here’s the next-hop MTU” |
| PMTUD | Path MTU Discovery — sender adapts based on ICMP feedback |
| Black hole | PMTUD broken — packets dropped, no error reported back |
| MSS clamping | Router rewrites TCP MSS as packets transit — fixes tunnel MTU issues |
| IPv6 fragmentation | Only senders fragment, never routers |
| Default Ethernet MTU | 1500 |
| Jumbo MTU | 9000 — config end-to-end or don’t bother |