From: PB W-wa (pbubienczyk@szczesliwice.pl)
Date: Tue Mar 16 2004 - 16:05:35 GMT-3
Matt
I've had the issue with fast-switching. The crypto tunnels didn't set up
when IP addresses of peers were loopback addresses on both sides. With
fast-switching disabled, tunnels worked fine.
I've had to upgrade IOS (from 12.2(5) to 12.2.(13a) I think) to resolve
this issue.
rgds - pb
----- Original Message -----
From: "Packet Man" <ccie2b@hotmail.com>
To: <james@net-brigade.com>; <MMullen@nettechgroup.com>;
<security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Tuesday, March 16, 2004 5:13 PM
Subject: Re: Fast Switching on IPSec interfaces
> Hey James,
>
> I read your response but couldn't find the answer to Matt's question in that
> response. What am I missing?
>
>
>
>
> >From: "James R. Yeo" <james@net-brigade.com>
> >Reply-To: "James R. Yeo" <james@net-brigade.com>
> >To: "Matt Mullen" <MMullen@nettechgroup.com>, <security@groupstudy.com>,
> ><ccielab@groupstudy.com>
> >Subject: Re: Fast Switching on IPSec interfaces
> >Date: 15 Mar 2004 05:13:28 -0000
> >
> >Here is a cut & paste from Cisco.com
> >
> >Usage Guidelines
> >IP Route-Cache
> >
> >Using the route cache is often called fast switching. The route cache
> >allows outgoing packets to be load-balanced on a per-destination basis
> >rather than on a per-packet basis. The ip route-cache command with no
> >additional keywords enables fast switching.
> >
> >Entering the ip route-cache command has no effect on a subinterface.
> >Subinterfaces accept the no form of the command; however, this disables CEF
> >or dCEF on the physical interface as well as all subinterfaces associated
> >with the physical interface.
> >
> >IP Route-Cache Same-Interface
> >
> >You can enable IP fast switching when the input and output interfaces are
> >the same interface, using the ip route-cache same-interface command. This
> >configuration normally is not recommended, although it is useful when you
> >have partially meshed media, such as Frame Relay or you are running Web
> >Cache Communication Protocol (WCCP) redirection. You could use this feature
> >on other interfaces, although it is not recommended because it would
> >interfere with redirection of packets to the optimal path.
> >
> >IP Route-Cache Flow
> >
> >The flow caching option can be used in conjunction with CEF switching to
> >allow statistics to be gathered with a finer granularity. The statistics
> >include IP subprotocols, well-known ports, total flows, average number of
> >packets per flow, and average flow lifetime.
> >
> >IP Route-Cache Distributed
> >
> >The distributed option is supported on Cisco routers with line cards and
> >Versatile Interface Processors (VIPs) that support both CEF and flow
> >switching.
> >
> >On Cisco routers with Route Switch Processor (RSP) and VIP controllers, the
> >VIP hardware can be configured to switch packets received by the VIP with
> >no per-packet intervention on the part of the RSP. When VIP distributed
> >switching is enabled, the input VIP interface tries to switch IP packets
> >instead of forwarding them to the RSP for switching. Distributed switching
> >helps decrease the demand on the RSP.
> >
> >If the ip route-cache distributed, ip cef distributed, and ip route-cache
> >flow commands are configured, the VIP will perform distributed CEF
> >switching and collect a finer granularity of flow statistics.
> >
> >IP Route-Cache CEF
> >
> >In some instances, you might want to disable CEF or dCEF on a particular
> >interface because that interface is configured with a feature that CEF or
> >dCEF does not support. Because all interfaces that support CEF or dCEF are
> >enabled by default when you enable CEF operation globally, you must use the
> >no form of the ip route-cache cef command in the interface configuration
> >mode to turn CEF operation off a particular interface. To reenable CEF or
> >dCEF operation, use the ip route-cache cef command.
> >
> >Disabling CEF or dCEF on an interface disables CEF switching for packets
> >forwarded to the interface, but has no effect on packets forwarded out of
> >the interface.
> >
> >Additionally when you disable CEF or dCEF, Cisco IOS software switches
> >packets using the next-fastest switching path. In the case of dCEF, the
> >next-fastest switching path is CEF on the RSP.
> >
> >Thanks
> >
> >James
> >
> >On Fri, 12 Mar 2004 16:28:25 -0500, "Matt Mullen"
> ><MMullen@nettechgroup.com> wrote :
> >
> > > Is there any reason to disable fast switching (using 'no ip route-cache')
> > > on interfaces that have a crypto map applied? The solutions in "CCIE
> > > Security Practice Labs" say to do this but there is no explanation as to
> > > why.
> > >
> > >
> > >
> > > Thanks,
> > > Matt
> >
> >_______________________________________________________________________
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:32 GMT-3
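
An added example, not part of the original thread: a small audit that lists every interface carrying a crypto map in an IOS running-config, whether `no ip route-cache` is set on it, and whether the map is sourced from a loopback (the combination described in the top message). The sample configuration is constructed, and the function and field names are hypothetical.

```python
import re

# Constructed sample of an IOS running-config (not taken from the thread).
SAMPLE_CONFIG = """\
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN
!
interface Serial0/1
 ip address 198.51.100.5 255.255.255.252
 no ip route-cache
 crypto map BRANCH
!
"""

def audit_crypto_interfaces(config_text):
    """Return one record per interface that has a crypto map applied."""
    # Global "crypto map NAME local-address IFACE" lines: map name -> source interface.
    local_addr = dict(re.findall(
        r"^crypto map (\S+) local-address (\S+)\s*$", config_text, re.M))
    records, current, lines = [], None, []

    def flush():
        maps = [l.split()[2] for l in lines if re.fullmatch(r"crypto map \S+", l)]
        if current and maps:
            src = local_addr.get(maps[0])
            records.append({
                "interface": current,
                "crypto_map": maps[0],
                # "no ip route-cache" alone disables fast switching on the interface.
                "fast_switching": "no ip route-cache" not in lines,
                "loopback_peer": bool(src and src.lower().startswith("loopback")),
            })

    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            flush()
            current, lines = raw.split(None, 1)[1].strip(), []
        elif raw.startswith(" ") and current:
            lines.append(raw.strip())
        elif current:  # "!" or any top-level line ends the interface block
            flush()
            current, lines = None, []
    flush()
    return records
```

Running it over saved configurations gives an inventory of where the switching path differs between crypto-map interfaces, which is the first thing to compare when tunnels fail on one router and not another.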