New Member

Must this interface be in "process switching" mode for IPsec VPN?

When I read the Cisco documentation, it has these words:

"!--- You must enable process switching for IPsec
!--- to encrypt outgoing packets."

Example:

interface Ethernet1
ip address 10.1.4.1 255.255.255.0
no ip route-cache

I ran a test. The IPsec VPN works well when I don't use the command "no ip route-cache".

Must this interface be in "process switching" mode for IPsec VPN?

2 REPLIES
Cisco Employee

Re: Must this interface be "process switching " mode

Hello,

Can you please post the link to the document that specifies that you need to enable process switching for IPSec VPN to work? In earlier versions of the hardware/IOS, the encryption was done in software and hence the fast switching of the packets was not supported. In the latest IOS images, the feature was introduced to support CEF switching for VPN traffic.

Hope this helps.

Regards,

NT

New Member

Re: Must this interface be "process switching " mode in ipsec v

Hi Zhiwei,

The interface does not require process switching in order to allow IPSec functionality, and should remain CEF enabled to achieve the best possible performance.

IPSec has been supported in the CEF path for some time.  You may come across similar requirements regarding CEF support in older documents, where CEF wasn't fully integrated with all of the features of IOS.  However, with all modern code and platforms, as a general rule of thumb, we should always enable CEF switching.  The only time we should ever disable CEF is for advanced troubleshooting requiring packet inspection and analysis.

-Alex
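
One way to check a saved IOS configuration for interfaces that are still forced off the fast path, following the replies above. This is an added example, not part of the original thread: the sample configuration and the crypto map name `EXAMPLE-MAP` are constructed, and the script assumes the configuration is available as running-config text.

```python
import re

# Constructed sample running-config; only the Ethernet1 stanza mirrors the
# question above. The crypto map name EXAMPLE-MAP is hypothetical.
SAMPLE_CONFIG = """\
ip cef
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 crypto map EXAMPLE-MAP
!
interface Ethernet1
 ip address 10.1.4.1 255.255.255.0
 no ip route-cache
!
interface Serial0
 ip address 198.51.100.1 255.255.255.252
 no ip route-cache cef
 crypto map EXAMPLE-MAP
"""

def audit_switching(config_text):
    """Return (global_cef_disabled, findings). findings lists every
    interface with a fast-switching path turned off, plus its crypto map."""
    global_cef_disabled = False
    findings, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line == "no ip cef":
            global_cef_disabled = True
        m = re.match(r"interface (\S+)", line)
        if m:
            current = {"interface": m.group(1), "disabled": [], "crypto_map": None}
            findings.append(current)
        elif current and line.startswith(" "):
            sub = line.strip()
            if sub in ("no ip route-cache", "no ip route-cache cef"):
                current["disabled"].append(sub)
            elif sub.startswith("crypto map "):
                current["crypto_map"] = sub.split()[2]
        elif not line.startswith(" "):
            current = None  # left interface sub-mode
    return global_cef_disabled, [f for f in findings if f["disabled"]]

if __name__ == "__main__":
    cef_off, hits = audit_switching(SAMPLE_CONFIG)
    print("global CEF disabled:", cef_off)
    for h in hits:
        print(h["interface"], h["disabled"], "crypto map:", h["crypto_map"])
```

Interfaces reported with a crypto map attached are the ones where encrypted traffic is being pushed through a slower switching path.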
