[c-nsp] 3640 and 3DES IPSec

Reuben Farrelly reuben-cisco-nsp at reub.net
Sat Sep 24 04:53:07 EDT 2005


On 24/09/2005 8:15 p.m., Ted Mittelstaedt wrote:
> 
>> -----Original Message-----
>> From: Tim Franklin [mailto:tim at colt.net]
>> Sent: Friday, September 23, 2005 2:10 AM
>> To: 'Ted Mittelstaedt'; 'Kevin Graham'; 'barney gumbo'
>> Cc: cisco-nsp at puck.nether.net
>> Subject: RE: [c-nsp] 3640 and 3DES IPSec
>>
>>
>>> Oh come off it, there's been reports of problems with CEF for
>>> years.  And it hasn't gone away anytime soon, I had a new
>>> load-balanced ip cef setup blow chunks running 12.2 IOS about
>>> 3-4 months ago on a 3620.  I finally threw the config in the trash
>>> and went to MPPP and it's run fine ever since.
>>>
>>> The only time I've had CEF work right was on our 7206's running
>>> 12.2 and none of them are doing load balancing.  And that only
>>> happened in the last year or so, previously I'd get random reboots
>>> on them when it was enabled.
>> Are you mixing up "CEF" and "CEF load-sharing"?
> 
> yes.  It was just an example.  The router I had blow chunks ran fine
> with ip cef before trying the load balancing horseshit.  Of course it was
> running 12.2.  I have had trouble with regular ip cef on 12.1 and earlier
> IOS trains.  I was using that as an example to illustrate that cef hasn't
> been fully debugged yet.  They have fixed the obvious stuff like regular
> packet forwarding, but the load balancing code in cef is still shaky.

I agree.  I have found that upon calling the TAC with what often appears to be 
a bug or issue with things like IPSec, NAT or WCCP, turning CEF off at least 
on the smaller platforms is one of the first things I get asked to try.  That 
is probably quite telling - if CEF was rarely implicated one would expect it 
would hardly ever be suggested.

My understanding is also that CEF (or in fact any sort of fast switching) is 
useless on a router which is doing Firewall Inspection, due to the fact that 
inspection must be done at interrupt level.  If I'm wrong someone please 
correct me........but my understanding is that it is one of the main 
limitations of using a router as a stateful inspected firewall :(

reuben

