Re: Fast Switching on IPSec interfaces

From: Wes Stevens (wesley@stevens.name)
Date: Mon Mar 15 2004 - 11:09:29 GMT-3


We are running 12.2(15) on our VPN router and had to turn off
CEF on the crypto interface. We did not have to turn off
route caching completely, only CEF. With CEF on, the router
dropped every other packet. Cisco has not been able to tell
us why or give us a fix as of yet.

---- Original message ----
>Date: 15 Mar 2004 05:13:28 -0000
>From: "James R. Yeo" <james@net-brigade.com>
>Subject: Re: Fast Switching on IPSec interfaces
>To: "Matt Mullen" <MMullen@nettechgroup.com>,
>    <security@groupstudy.com>, <ccielab@groupstudy.com>
>
>Here is a cut & paste from Cisco.com
>
>Usage Guidelines
>IP Route-Cache
>
>Using the route cache is often called fast switching. The route cache
>allows outgoing packets to be load-balanced on a per-destination basis
>rather than on a per-packet basis. The ip route-cache command with no
>additional keywords enables fast switching.
>
>Entering the ip route-cache command has no effect on a subinterface.
>Subinterfaces accept the no form of the command; however, this disables CEF
>or dCEF on the physical interface as well as all subinterfaces associated
>with the physical interface.
>
>IP Route-Cache Same-Interface
>
>You can enable IP fast switching when the input and output interfaces are
>the same interface, using the ip route-cache same-interface command. This
>configuration normally is not recommended, although it is useful when you
>have partially meshed media, such as Frame Relay, or you are running Web
>Cache Communication Protocol (WCCP) redirection. You could use this feature
>on other interfaces, although it is not recommended because it would
>interfere with redirection of packets to the optimal path.
>
>IP Route-Cache Flow
>
>The flow caching option can be used in conjunction with CEF switching to
>allow statistics to be gathered with a finer granularity. The statistics
>include IP subprotocols, well-known ports, total flows, average number of
>packets per flow, and average flow lifetime.
>
>IP Route-Cache Distributed
>
>The distributed option is supported on Cisco routers with line cards and
>Versatile Interface Processors (VIPs) that support both CEF and flow
>switching.
>
>On Cisco routers with Route Switch Processor (RSP) and VIP controllers, the
>VIP hardware can be configured to switch packets received by the VIP with
>no per-packet intervention on the part of the RSP. When VIP distributed
>switching is enabled, the input VIP interface tries to switch IP packets
>instead of forwarding them to the RSP for switching. Distributed switching
>helps decrease the demand on the RSP.
>
>If the ip route-cache distributed, ip cef distributed, and ip route-cache
>flow commands are configured, the VIP will perform distributed CEF
>switching and collect a finer granularity of flow statistics.
>
>IP Route-Cache CEF
>
>In some instances, you might want to disable CEF or dCEF on a particular
>interface because that interface is configured with a feature that CEF or
>dCEF does not support. Because all interfaces that support CEF or dCEF are
>enabled by default when you enable CEF operation globally, you must use the
>no form of the ip route-cache cef command in interface configuration
>mode to turn CEF operation off on a particular interface. To reenable CEF or
>dCEF operation, use the ip route-cache cef command.
>
>Disabling CEF or dCEF on an interface disables CEF switching for packets
>forwarded to the interface, but has no effect on packets forwarded out of
>the interface.
>
>Additionally, when you disable CEF or dCEF, Cisco IOS software switches
>packets using the next-fastest switching path. In the case of dCEF, the
>next-fastest switching path is CEF on the RSP.
>
>Thanks
>
>James
>
>On Fri, 12 Mar 2004 16:28:25 -0500, "Matt Mullen"
><MMullen@nettechgroup.com> wrote :
>
>> Is there any reason to disable fast switching (using 'no ip route-cache')
>> on interfaces that have a crypto map applied? The solutions in "CCIE
>> Security Practice Labs" say to do this but there is no explanation as to
>> why.
>>
>> Thanks,
>> Matt
>
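For reference, the two interface configurations the thread is comparing, written out as an added illustration (not taken from the thread, the practice-lab book or Cisco's documentation); the interface name, addresses and crypto map name are assumed:

```text
! Added illustration; interface, addressing and crypto map name are assumed.
!
! Option 1: what the practice labs prescribe. "no ip route-cache" removes
! fast switching (and CEF) from the interface, so every packet that arrives
! on it is process switched.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPNMAP
 no ip route-cache
!
! Option 2: what Wes reports worked around the every-other-packet drop on
! 12.2(15). Only CEF is removed; per the Cisco text quoted in the thread,
! packets received on the interface then fall back to the next-fastest
! path (fast switching) instead of being process switched.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPNMAP
 no ip route-cache cef
!
! Verify which switching paths are active after the change. The fast and
! CEF switching state is reported per interface; with option 2, CEF should
! show as disabled while fast switching stays enabled.
! router# show ip interface Serial0/0 | include switching
```

Note that the knob acts on packets received on the configured interface, not on packets sent out of it, so it must be applied on the interface the affected traffic enters.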



This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:26 GMT-3