Re: [nsp] router capacity question

From: Martin Cooper (mjc@cooper.org.uk)
Date: Wed Dec 08 1999 - 18:45:10 EST


Niels Bakker <niels@euro.net> wrote:

> If you're not running CEF, isn't that the case only for packets
> that don't get fast-switched, i.e. all except the first one in
> a flow?

No, I believe that isn't the case; _all_ packets in that flow are
process switched (at least in the most archaic versions of IOS
we're running - 11.2(8)P, and I believe in 11.2(13)P and 11.1(24)CC
as well).

> On FastEthernet interfaces with lots of secondary addresses I'd
> rather waste bandwidth due to a machine not honouring or receiving
> an ICMP redirect than waste CPU cycles on the router

Me too - particularly since hosts (Windows 9x and Solaris 2.x in
particular) ignore redirects for networks on which they do not
have IP interfaces (for security - to avoid local spoofing attacks
I believe).

> (So it's only useful if you're not running CEF on a high-speed
> interface... hmm, I can see cisco's reasoning for not making it
> default to on, I think. ;)

I believe that it should be the default for Ciscos without CEF
support to avoid DoS attacks.

M.


