How To Configure IP SLA with DF-BIT Set and 9K MTU Payload On Cisco IOS XE

Here are instructions on how to configure an IP SLA to ping with an IP MTU of 9K and the don’t fragment (DF-BIT) set.

I used a CSR1000V (IOS XE) running Fuji. This also works on regular IOS.

First configure the IP SLA:

ip sla 1
 icmp-echo <dest IP> source-interface <source int>
 request-data-size 8964
 !vrf <vrf name>
 !tag <optional name>
 frequency 5

Note that above I used a payload size of 8964, which resulted with an IP MTU of 9000 (L2 MTU of 9014).
For some reason this “request-data-size” is not taking the headers into account like I expected.
For example if I had a 9000 IP MTU, I would subtract 8 for the ICMP header, and 20 for the IP header for a total of 8972 in the payload.
However based on my tested on a CSR1000V running Fuji, this was not the case. This also differs from the IOS/IOSXE behavior where header sizes are taken into account automatically.
An example of that would be using a normal ping “ping x.x.x.x df-bit size 9000” would result in a 9k IP MTU ping. Anyway, just know that 8964 was required for a IP MTU of 9000 in the SLA.

Then begin it

 ip sla schedule 1 life forever start-time now

Then configure a track object (optional but I like looking at “show track”

track 1 ip sla 1 reachability

Configure an ACL to match the ICMP traffic that we want to set DF-BIT on

ip access-list extended IPSLA-TRAFFIC
permit icmp host x.x.x.x host y.y.y.y

Configure the PBR to set the DF-BIT when the icmp traffic is matched

route-map IPSLA-MTU-PBR permit 10
match ip address IPSLA-TRAFFIC
set ip df 1

Activate the local PBR (for locally generated traffic)

ip local policy route-map IPSLA-MTU-PBR

Optionally you can use the embedded packet capture (EPC) feature in IOS XE (and IOS) to verify:

monitor cap MYCAP int <interface> both control-plane both buffer size 20 match any
monitor cap MYCAP start

Generate some traffic and check the buffer

sh monitor cap MYCAP buffer brief

Now stop and export the cap

monitor cap MYCAP stop
monitor cap MYCAP export ftp://username:password@ftpserver/dfbit.pcap