# ICMP: fragmentation needed but DF flag set, packet size 1500, VLAN 100

- **ID:** `networking/vlan-mtu-mismatch`
- **Domain:** networking
- **Category:** network_error
- **Error code:** `EMSGSIZE`
- **Verification level:** ai_generated
- **Fix rate:** 80%

## Root cause

A packet with the Don't Fragment (DF) flag set exceeds the MTU of the VLAN interface (for example an MTU of 1400 caused by QinQ or MPLS encapsulation overhead). The router sends an ICMP Fragmentation Needed message, but the sender ignores it, so the connection black-holes.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Linux kernel 5.10-6.8 | active | — | — |
| Cisco IOS XE 17.x | active | — | — |
| Juniper Junos 21.x-23.x | active | — | — |
| Nginx 1.24-1.26 | active | — | — |
| HAProxy 2.8-3.0 | active | — | — |

## Solutions

1. Reduce the TCP MSS on the server to account for VLAN overhead: run `ip link set dev eth0 mtu 1400` on the server, then adjust MSS clamping via iptables: `iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`
2. Configure MSS clamping on the router for the VLAN: on Cisco, `ip tcp adjust-mss 1360` on the VLAN interface; on Linux, use `ebtables` or `iptables` to rewrite MSS.
3. Increase the MTU on the entire path (e.g., set jumbo frames on switches and routers) if the infrastructure supports it, but verify end-to-end consistency.
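The steps above hinge on three numbers: the effective MTU after encapsulation, the MSS to clamp to, and the ICMP payload size that proves a given MTU actually passes end to end. The following POSIX shell helpers are an added example, not part of the original entry; they assume the standard 20-byte IPv4 and 20-byte TCP headers (4 bytes per 802.1Q tag, 4 per MPLS label are illustrative overheads), and the interface name `eth0` and address `198.51.100.10` are constructed placeholders.

```shell
#!/bin/sh
# Added example: derive MSS / probe sizes for a given path MTU and print the
# matching clamp rule. Header sizes assumed: IPv4 20, TCP 20, ICMP 8.

# TCP MSS that fits in one packet of the given MTU: MTU - IPv4(20) - TCP(20)
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# ICMP echo payload that produces a packet of exactly the given MTU:
# MTU - IPv4(20) - ICMP(8). Used with `ping -M do` (DF set) to test the path.
ping_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Effective MTU left after subtracting each encapsulation overhead given
# as an argument, e.g. `effective_mtu 1500 4 4` for QinQ (two 802.1Q tags).
effective_mtu() {
    mtu=$1
    shift
    for overhead in "$@"; do
        mtu=$(( mtu - overhead ))
    done
    echo "$mtu"
}

# iptables rule that rewrites the MSS option on forwarded SYNs to a fixed value
# (the fixed-value variant of the --clamp-mss-to-pmtu rule in step 1).
clamp_rule() {
    echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Usage (constructed values): check whether a 1400-byte packet with DF set
# survives the path, and print the rule that would match a 1400-byte MTU.
path_mtu=$(effective_mtu 1500 4 4)            # 1492 for plain QinQ; use 1400 for the case above
echo "probe: ping -M do -c 3 -s $(ping_payload_for_mtu 1400) 198.51.100.10"
echo "mss for mtu 1400: $(mss_for_mtu 1400)"  # 1360, the value in step 2
echo "rule: $(clamp_rule "$(mss_for_mtu 1400)")"
```

Two caveats worth keeping in mind when applying step 1 on an end host rather than a router: the `FORWARD` chain only sees traffic the box routes for others, so SYNs generated locally go through `OUTPUT` instead, and `ping -M do` is the Linux spelling of "set DF"; if the probe with payload 1372 is answered but 1473 (a 1501-byte packet) returns "message too long" or is silently dropped, the path MTU is below 1500 and clamping is the right fix.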

## Failed attempts

- **Increasing MTU on the VLAN interface to 1500 without adjusting underlying physical links** — The physical path (e.g., MPLS or QinQ) adds headers, so the actual MTU remains lower; increasing VLAN MTU alone causes fragmentation at lower layers or silent drops. (85% failure rate)
- **Disabling DF flag on all TCP packets using iptables rules** — Many applications (e.g., NFS, IPsec) require DF for PMTUD; disabling it can cause path MTU discovery failure and performance degradation. (70% failure rate)
- **Ignoring the error and assuming it's a transient network issue** — The error persists and causes intermittent timeouts for large-file transfers or streaming, leading to user complaints and retransmission storms. (90% failure rate)
