Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


set-dont-fragment-bit (Services Set)


Hierarchy Level


Configure the do not fragment (DF) bit in only the outer header of the IPsec packet and leave the inner header unmodified for dynamic endpoint tunnels. If the encapsulated packet size exceeds the tunnel maximum transmission unit (MTU), the packet is fragmented before encapsulation. These settings apply for dynamic endpoint tunnels and not for static tunnels, for which you need to include the set-dont-fragment-bit statement at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level to set the DF bit in the outer header of the IPv4 packets that enter the static IPsec tunnel. This functionality is supported on MX Series routers with MS-MICs and MS-MPCs.

By default, this statement is disabled on MS-MICs and MS-MPCs (the DF bit value is not configured in the outer header by default).

Required Privilege Level

interface—To view this statement in the configuration.

interface-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 14.1.