CEF in the switching

Discussion in 'Cisco' started by Benson, Nov 22, 2004.

  1. Benson

    Benson Guest

    Hi,

    I would like to know, as I checked the switches in my network I found
    the "cef" is enabled by default:

    1. Do I need to disable this feature on the switches for security?
    2. Does this feature impact the network performance for a 10Mbit
    network, 100Mbit network, or 1Gbit network?
    3. Or is disabling CEF only a concern on router products (or
    layer 3 devices)?

    Thank you
    Benson
    Benson, Nov 22, 2004
    #1

  2. In article <>,
    Benson <> wrote:
    :I would like to know, as I checked the switches in my network I found
    :the "cef" is enabled by default:

    :1. do I need to disable this feature on the switches for security ?

    It depends what kind of security you are looking for. If you are
    trying to SPAN or RSPAN in order to do packet snooping or IDS, then
    you have to disable cef or else the SPAN'd traffic will only include
    the first packet in each flow.

    If you are worrying about ACLs not being respected or something like
    that, don't worry unless you are doing something unusual in your
    ACLs like matching header flags. The routing decision that is made
    for the first packet takes into account any ACLs present, so you
    would only have a concern if something in your ACLs could match
    something that wasn't in the first packet [such as an URG flag.]
    If the ACLs are changed, the flow tables will be invalidated, so the
    next packet along will be matched against the new ACL.


    :2. does this feature impact the network performance for 10Mbit
    :network,
    : 100Mbit network, 1Gbit network ?

    Yes, yes, and yes.


    :3. Or does the cef is only concerned to be disabled in Router products
    :( or
    : layer 3 devices ) ?

    cef is about efficient routing. The initial routing decision might
    involve layer 3 or layer 4 information and possibly other information
    in the IP header. cef has no meaning in a pure layer 2 device.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Nov 22, 2004
    #2

  3. Hello, Walter!
    You wrote on 22 Nov 2004 04:32:46 GMT:

    WR> :I would like to know, as I checked the switches in my network I
    WR> found :the "cef" is enabled by default:

    WR> :1. do I need to disable this feature on the switches for security
    WR> ?

    WR> It depends what kind of security you are looking for. If you are
    WR> trying to SPAN or RSPAN in order to do packet snooping or IDS,
    WR> then you have to disable cef or else the SPAN'd traffic will only
    WR> include the first packet in each flow.

    No. First of all, I'm pretty sure it's not possible to disable CEF on any modern
    Cisco switch. Second, CEF has nothing to do with "first packet in each flow".
    Third, SPAN or RSPAN is not related to CEF.

    With best regards,
    Andrey.
    Andrey Tarasov, Nov 22, 2004
    #3
  4. Benson

    Ben Guest

    Andrey Tarasov wrote:
    > Hello, Walter!
    > You wrote on 22 Nov 2004 04:32:46 GMT:
    >
    > WR> :I would like to know, as I checked the switches in my network I
    > WR> found :the "cef" is enabled by default:
    >
    > WR> :1. do I need to disable this feature on the switches for security
    > WR> ?
    >
    > WR> It depends what kind of security you are looking for. If you are
    > WR> trying to SPAN or RSPAN in order to do packet snooping or IDS,
    > WR> then you have to disable cef or else the SPAN'd traffic will only
    > WR> include the first packet in each flow.
    >
    > No. First of all, I'm pretty sure it's not possible to disable CEF on any modern
    > Cisco switch. Second, CEF has nothing to do with "first packet in each flow".
    > Third, SPAN or RSPAN is not related to CEF.
    >
    > With best regards,
    > Andrey.
    >


    The only common reason I can imagine for disabling CEF would be if you
    are short on memory. There is no negative performance impact, quite the
    opposite.
    Ben, Nov 22, 2004
    #4
  5. Benson

    Benson Guest

    Hi, all,

    According to Cisco documents, CEF is a recent feature for the new Layer 3
    switching technology; see the documents "How to verify Cisco Express
    forwarding switching" and "Configure Cisco Express forwarding".

    But there is another document, "Cisco Security Advisory: Data Leak with
    Cisco Express Forwarding Enabled".

    What do they mean ??

    In the above doc, the "affected --11.1CC, 12.0, 12.0S, 12.0T, 12.0ST
    12.1, 12.1E, 12.1T,12.2, 12.2T"

    Does it mean all products with the IOS versions have the above
    problem, so that I have to disable the CEF feature ?

    Thank you all again for the topic

    Ben <> wrote in message news:<sAiod.44747$>...
    > Andrey Tarasov wrote:
    > > Hello, Walter!
    > > You wrote on 22 Nov 2004 04:32:46 GMT:
    > >
    > > WR> :I would like to know, as I checked the switches in my network I
    > > WR> found :the "cef" is enabled by default:
    > >
    > > WR> :1. do I need to disable this feature on the switches for security
    > > WR> ?
    > >
    > > WR> It depends what kind of security you are looking for. If you are
    > > WR> trying to SPAN or RSPAN in order to do packet snooping or IDS,
    > > WR> then you have to disable cef or else the SPAN'd traffic will only
    > > WR> include the first packet in each flow.
    > >
    > > No. First of all, I'm pretty sure it's not possible to disable CEF on any modern
    > > Cisco switch. Second, CEF has nothing to do with "first packet in each flow".
    > > Third, SPAN or RSPAN is not related to CEF.
    > >
    > > With best regards,
    > > Andrey.
    > >

    >
    > The only common reason I can imagine for disabling CEF would be if you
    > are short on memory. There is no negative performance impact, quite the
    > opposite.
    Benson, Nov 23, 2004
    #5
  6. In article <>,
    Benson <> wrote:
    :But from another document "Cisco Security Advisory: Data Leak with
    :Cisco Express Forwarding Enabled".

    :What do they mean ??

    :In the above doc, the "affected --11.1CC, 12.0, 12.0S, 12.0T, 12.0ST
    :12.1, 12.1E, 12.1T,12.2, 12.2T"

    That's a summary.


    :Does it mean all products with the IOS versions have the above
    :problem, so that I have to disable the CEF feature ?

    No. Read down slightly further.

    http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml

    Look under 'Software Versions and Fixes'.

    As an approximation, the fix is in 12.0(20), 12.1(10), 12.2(3), 12.2(4)T.

    If you happen to have one of the affected software versions, then
    the above URL gives you instructions on how to get a free update,
    even if you do not have a support contract.

    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
    Walter Roberson, Nov 23, 2004
    #6
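A version check against the fix summary in the reply above, added here as an example (it is not from the thread, from Cisco, or from the advisory itself): it parses IOS version strings in the form they appear in `show version`, maps each to its release train, and compares against the affected trains and first-fixed releases quoted in this thread. The `show version` sample is constructed, and the fix table is only the approximation given above, so trains it does not cover are flagged for a manual look at the advisory's 'Software Versions and Fixes' section.

```python
import re

# Trains the advisory summary quoted above lists as affected.
AFFECTED_TRAINS = {"11.1CC", "12.0", "12.0S", "12.0T", "12.0ST",
                   "12.1", "12.1E", "12.1T", "12.2", "12.2T"}

# First fixed maintenance release per train, as approximated in the reply:
# 12.0(20), 12.1(10), 12.2(3), 12.2(4)T. Trains missing here must be
# checked against the advisory's 'Software Versions and Fixes' table.
FIRST_FIXED = {"12.0": 20, "12.1": 10, "12.2": 3, "12.2T": 4}

# major.minor(maintenance[.sub])TRAIN[rebuild], e.g. 12.2(4)T1 or 12.0(19)ST
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.\d+)?\)([A-Z]*)(\d*)")

def parse_ios_version(text):
    """Split e.g. '12.2(4)T1' into (train, maintenance, rebuild): ('12.2T', 4, 1)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {text!r}")
    major, minor, maint, train_id, rebuild = m.groups()
    return f"{major}.{minor}{train_id}", int(maint), int(rebuild or 0)

def version_from_show_version(output):
    """Pull the 'Version x.y(z)...' token out of captured 'show version' text."""
    m = re.search(r"Version (\S+?),", output)
    if not m:
        raise ValueError("no 'Version x.y(z)' token found")
    return m.group(1)

def cef_leak_status(version):
    """Classify a release against the thread's affected-train / fix summary."""
    train, maint, _ = parse_ios_version(version)
    if train not in AFFECTED_TRAINS:
        return "not-listed"
    if train not in FIRST_FIXED:
        return "affected-train-check-advisory"
    return "fixed" if maint >= FIRST_FIXED[train] else "vulnerable"

# Constructed sample; not output from any real device.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(1), RELEASE SOFTWARE (fc1)
"""

if __name__ == "__main__":
    v = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(v, cef_leak_status(v))
```

Rebuild numbers (the trailing digit in 12.2(4)T1) are parsed but not used in the comparison, since the thread's summary is only at maintenance-release granularity.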
