VLAN MTU

Hello, a few days ago I found a comment on Reddit saying that the correct MTU for a VLAN is 1508, to avoid fragmentation:

/interface vlan add interface=bridge mtu=1508 name=VLAN-10 vlan-id=10

Does this make sense, or is there a specific reason for it?
In this example there was no mention of MPLS or routing protocols.

Thanks.

Nope. MTU (the layer 3, i.e. IP) for VLAN-driven IP subnet should be the same as if VLAN wasn’t used. The universal number on ethernet networks (plain or with VLANs) is 1500.

Longer explanation:
When using IP over ethernet, as mentioned, standard max packet size (including IP headers) is 1500 bytes. Ethernet adds 18 bytes of overhead when packing payload (IP packet) into ethernet frame. Which means that L2 (layer 2) MTU should be at least 1518. This is the l2mtu property of individual interfaces under /interface ethernet (and similar for other L2 interfaces).

Now when L2 features some encapsulation layer, such as VLAN, MPLS or similar, those add additional headers. In case of VLAN, additional IEEE 802.1Q header size is 4 bytes. As encapsulation (from outer towards inner part) goes ethernet+VLAN+IP, this means ethernet frames will rise in size by 4 bytes and L2 MTU should be increased accordingly. Note that IP packet size is not affected by VLAN encapsulation. So VLAN-tagged ethernet frame can be 1522 bytes in size. Which is something that most (even older) switches support even if they don’t have support for “jumbo packets”, but this should not be taken for granted. All VLAN-aware switches support that increased size and most support (some order of) jumbo frames (which can have L2 MTU as high as 10kB).

Layers of encapsulation can (in theory) be almost infinite, hence L2 MTU might need to be higher even. But it’s not very common, not in SOHO networks at least. But with Mikrotik gear this is generally not a problem, most devices have default L2MTU on most interfaces almost 1600 bytes, which is plenty in usual circumstances.
IMO it’s not necessary to set L2 MTU to values lower than maximum supported by individual interfaces.

L3 MTU (or IP MTU) is a different story, it has to be set to same value on all devices belonging to same L3 subnet. It has to be lower than or equal to L2 MTU reduced by L2 overhead (18 bytes for ethernet and optionally encapsulation overhead, such as VLAN) or else physical interfaces won’t be able to send/receive whole frames. But, as explained already, standard IP MTU is 1500 bytes and is universally supported almost everywhere, so it’s safe to use it. When it comes to communication towards “alien” networks, there might be links on the route which have lower L3 MTU. This is handled gracefully these days if PMTUD works (it can be broken if some zealous router/firewall admin blocks too much of ICMP). PMTUD makes sure original sender of packets towards a particular destination uses lower packet sizes (than its default MTU) if necessary, meaning no packet segmentation is needed on the path.

THANKS Guru @mkx! Very informative answer.
Is QinQ a case where VLAN MTU should be increased? (Not related to my example)

QinQ is simply double VLAN encapsulation, which makes full ethernet frame size equal to 1526 (when using standard 1500 byte L3 MTU). Which means that switches, involved in such traffic, have to support L2MTU at least this large.

However, MTU still remains 1500.

The gist of it: router works with IP packets. All of outer “layers” (ethernet, VLAN, etc.) are unwrapped (decapsulated) before router does its job and it doesn’t really matter how many layers are around it. So if all router’s interfaces support (L3) MTU of 1500, fragmentation doesn’t happen. If one side of router uses simple ethernet, while the other one uses QinQ with stacked MPLS … it doesn’t matter for IP and router. Encapsulation happens on L2 and (L3) MTU doesn’t matter.
Well, actually it does but at configuration time: most devices don’t allow you to set L3 MTU larger than maximum supported by L2. E.g. if ethernet port supports L2MTU of 1520, then “plain” ethernet frames can support 1500 byte IP packets (ethernet headers add 18 bytes). If one wants to use VLAN tags on such interface, then VLAN (pseudo)interface will show L2MTU of 1502 bytes and hence max L3 MTU will be 1498 bytes.
And this is the reason for MTU on PPPoE interfaces being capped at 1492 (or less, some PPPoE header fields are optional, minimum is 8 bytes) if L2MTU (the whole way between PPPoE client and server; L2 doesn’t perform fragmentation) is standard 1518 bytes.

So in short: adding encapsulation layers on L2 doesn’t mean that L3 MTU has to be increased …
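The frame-size arithmetic from the two answers above, as an added Python example that is not part of the thread: it builds untagged, 802.1Q and QinQ frames around the same 1500-byte IP packet and parses them back, showing that only the frame grows. The function names, all-zero MACs, zeroed FCS and VLAN ID 100 are constructed for illustration, and `max_l3_mtu` uses the thread's accounting, where the frame limit includes the 18 bytes of Ethernet overhead.

```python
import struct

ETH_HDR, FCS, TAG = 14, 4, 4            # bytes; 14 + 4 = the 18 bytes of Ethernet overhead
TPID_CTAG, TPID_STAG, ETYPE_IPV4 = 0x8100, 0x88A8, 0x0800

def make_ip_packet(total_len):
    """Constructed IPv4 packet: only version/IHL and Total Length are filled in."""
    return struct.pack("!BBH", 0x45, 0, total_len) + bytes(total_len - 4)

def build_frame(ip_packet, vlan_ids=()):
    """Ethernet frame around ip_packet; vlan_ids are listed outermost first."""
    frame = bytes(12)                    # constructed all-zero dst/src MACs
    # QinQ: outer tags use the 802.1ad S-tag TPID, the innermost the 802.1Q C-tag TPID
    tpids = [TPID_STAG] * (len(vlan_ids) - 1) + [TPID_CTAG] * min(1, len(vlan_ids))
    for tpid, vid in zip(tpids, vlan_ids):
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ETYPE_IPV4) + ip_packet + bytes(FCS)  # zero FCS placeholder

def parse_frame(frame):
    """Return (vlan_ids, ip_total_length, frame_size_on_wire)."""
    off, vids = 12, []
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in (TPID_CTAG, TPID_STAG):
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += TAG
    if etype != ETYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    (ip_len,) = struct.unpack_from("!H", frame, off + 4)  # Total Length field of the IP header
    return vids, ip_len, len(frame)

def max_l3_mtu(frame_limit, tags=0, extra=0):
    """Largest IP MTU that fits a frame limit counted the way the thread counts it."""
    return frame_limit - ETH_HDR - FCS - tags * TAG - extra

if __name__ == "__main__":
    pkt = make_ip_packet(1500)
    for vids in [(), (10,), (100, 10)]:
        print(vids, parse_frame(build_frame(pkt, vids)))
    print(max_l3_mtu(1520, tags=1), max_l3_mtu(1518, extra=8))
```
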

Following up on this, is there any advantage to increasing MTU on ethernet ports but not on the VLAN?
For example, setting L2MTU at the maximum and MTU to 9000 for trunk ports (both sides, router and switch) or for the NAS, while the VLAN stays at 1500 for compatibility.

Thanks!

The lowest MTU always wins across any IP/Layer3 path. So increasing MTU on just one element in a path is not going to do anything. AND… if the NAS is on a VLAN, it will be 1500 from the VLAN’s MTU, not the port’s MTU.

If you have a lot of ethernet-based traffic between the NAS and other devices, you can create a NEW “NAS VLAN” with 9000 MTU (and set that MTU also in the NAS’s and other devices’ UIs). Other devices that might use it from 1500 MTU VLANs will just not use the full 9000. Keep in mind Wi-Fi can only go to ~2300 MTU.