Re: Fast Switching on IPSec interfaces

From: Packet Man (ccie2b@hotmail.com)
Date: Tue Mar 16 2004 - 13:13:27 GMT-3

• Next message: Kenneth Wygand: "RE: IP classless with Pix?"
• Previous message: Peter van Oene: "Re: bgp queston [bcc][faked-from][bayes]"
• Maybe in reply to: Matt Mullen: "Fast Switching on IPSec interfaces"
• Next in thread: PB W-wa: "Re: Fast Switching on IPSec interfaces"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hey james,

I read your response but couldn't find the answer to Matt's question in that
response. what am I missing?

>From: "James R. Yeo" <james@net-brigade.com>
>Reply-To: "James R. Yeo" <james@net-brigade.com>
>To: "Matt Mullen" <MMullen@nettechgroup.com>, <security@groupstudy.com>,
><ccielab@groupstudy.com>
>Subject: Re: Fast Switching on IPSec interfaces
>Date: 15 Mar 2004 05:13:28 -0000
>
>Here is a cut & paste from Cisco.com
>
>Usage Guidelines
>IP Route-Cache
>
>Using the route cache is often called fast switching. The route cache
>allows outgoing packets to be load-balanced on a per-destination basis
>rather than on a per-packet basis. The ip route-cache command with no
>additional keywords enables fast switching.
>
>Entering the ip route-cache command has no effect on a subinterface.
>Subinterfaces accept the no form of the command; however, this disables CEF
>or dCEF on the physical interface as well as all subinterfaces associated
>with the physical interface.
>
>IP Route-Cache Same-Interface
>
>You can enable IP fast switching when the input and output interfaces are
>the same interface, using the ip route-cache same-interface command. This
>configuration normally is not recommended, although it is useful when you
>have partially meshed media, such as Frame Relay or you are running Web
>Cache Communication Protocol (WCCP) redirection. You could use this feature
>on other interfaces, although it is not recommended because it would
>interfere with redirection of packets to the optimal path.
>
>IP Route-Cache Flow
>
>The flow caching option can be used in conjunction with CEF switching to
>allow statistics to be gathered with a finer granularity. The statistics
>include IP subprotocols, well-known ports, total flows, average number of
>packets per flow, and average flow lifetime.
>
>IP Route-Cache Distributed
>
>The distributed option is supported on Cisco routers with line cards and
>Versatile Interface Processors (VIPs) that support both CEF and flow
>switching.
>
>On Cisco routers with Route Switch Processor (RSP) and VIP controllers, the
>VIP hardware can be configured to switch packets received by the VIP with
>no per-packet intervention on the part of the RSP. When VIP distributed
>switching is enabled, the input VIP interface tries to switch IP packets
>instead of forwarding them to the RSP for switching. Distributed switching
>helps decrease the demand on the RSP.
>
>If the ip route-cache distributed, ip cef distributed, and ip route-cache
>flow commands are configured, the VIP will perform distributed CEF
>switching and collect a finer granularity of flow statistics.
>
>IP Route-Cache CEF
>
>In some instances, you might want to disable CEF or dCEF on a particular
>interface because that interface is configured with a feature that CEF or
>dCEF does not support. Because all interfaces that support CEF or dCEF are
>enabled by default when you enable CEF operation globally, you must use the
>no form of the ip route-cache cef command in the interface configuration
>mode to turn CEF operation off a particular interface. To reenable CEF or
>dCEF operation, use the ip route-cache cef command.
>
>Disabling CEF or dCEF on an interface disables CEF switching for packets
>forwarded to the interface, but has no affect on packets forwarded out of
>the interface.
>
>Additionally when you disable CEF or dCEF, Cisco IOS software switches
>packets using the next-fastest switching path. In the case of dCEF, the
>next-fastest switching path is CEF on the RSP.
>
>Thanks
>
>James
>
>On Fri, 12 Mar 2004 16:28:25 -0500, "Matt Mullen"
><MMullen@nettechgroup.com> wrote :
>
> > Is there any reason to disable fast switching (using 'no ip route-cache)
> > on interfaces that have a crypto map applied? The solutions in "CCIE
> > Security Practice Labs" say to do this but there is no explanation as to
> > why.
> >
> >
> >
> > Thanks,
> > Matt
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

• Next message: Kenneth Wygand: "RE: IP classless with Pix?"
• Previous message: Peter van Oene: "Re: bgp queston [bcc][faked-from][bayes]"
• Maybe in reply to: Matt Mullen: "Fast Switching on IPSec interfaces"
• Next in thread: PB W-wa: "Re: Fast Switching on IPSec interfaces"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:32 GMT-3