I have a pair of subnets connected via an IPSec/GRE transport mode tunnel. Yesterday I turned on CEF using the "ip cef" command. The moment I did this the hosts on the two subnets stopped talking to each other. The routers themselves looked fine. They could ping each other's private LAN and tunnel addresses with no problem. I removed the "ip cef" command and rebooted and still nothing. Then I compared the current config with a saved copy. I noticed that before I issued the "ip cef" command all interfaces had "no ip route-cache" configured. I re-added this command to all interfaces and everything was back to normal. Three questions:
1) Why did "ip cef" remove this command?
2) Why is "no ip route-cache" needed for my setup to work?
3) Is there a way to use "ip cef" without breaking my network?
1. "no ip route-cache" on the interface says you want to process switch all the traffic. Turning on "ip cef" says you want to CEF switch everything, so that interface command is removed. This is IOS version dependent, it doesn't happen in every version AFAIK.
2. Again, IOS version dependent. There are tons of bugs with CEF/fast switching and IPSec or GRE/IPSec. 12.0 was especially susceptible, but generally later 12.1 and 12.2 work fine, although again there are specific versions which do have the problem.
3. Upgrade to a code version that does not have a switching/GRE/IPSec bug. What code version are you running currently? I'd upgrade to the latest mainline version that fits in your flash/memory and you should be fine to then run CEF with GRE/IPSec.
That bug will definitely affect one of the two routers that I am dealing with now, so I guess an IOS upgrade won't fix all my problems. The main reason I need CEF is to do QoS classifying of traffic. The NAT and crypto stuff is on the serial interface. Assuming I can turn on CEF but somehow disable it on the serial interface, will I be able to classify traffic coming in on the ethernet interface?
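As an added illustration of the switching-path interaction described in answer 1 and the per-interface option asked about in the follow-up (example config, not from anyone in this thread; interface names, addresses and the crypto map name are hypothetical, and whether excluding the serial interface from CEF avoids the GRE/IPSec bug on a given release is not confirmed by the thread):

```cisco
! Added example (not from the thread): working config before "ip cef".
! Per-interface "no ip route-cache" forces process switching, which is
! what the poster had on every interface.
interface FastEthernet0/0
 description hypothetical LAN interface
 ip address 192.0.2.1 255.255.255.0
 no ip route-cache
!
interface Serial0/0
 description hypothetical WAN interface, NAT and crypto applied here
 ip address 198.51.100.1 255.255.255.252
 no ip route-cache
 crypto map VPNMAP
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.2
 no ip route-cache
!
! Entering "ip cef" globally strips the per-interface "no ip route-cache"
! lines on the affected IOS versions (answer 1 above). To see which
! switching path an interface ends up on afterwards:
!   show ip interface Serial0/0 | include switching
! Output such as "IP fast switching is enabled" / "IP CEF switching is
! enabled" means the interface is no longer process switched.
!
! Option raised in the follow-up: keep CEF on globally (for QoS
! classification on the LAN side) but exclude the serial interface that
! carries NAT and crypto. The interface-level command for that is
! "no ip route-cache cef"; it is not a confirmed fix for the bug.
ip cef
!
interface Serial0/0
 no ip route-cache cef
!
! Re-check after the change:
!   show ip interface Serial0/0 | include CEF
! should report "IP CEF switching is disabled" on Serial0/0 only, while
! FastEthernet0/0 and Tunnel0 still report it enabled.
```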
Hello Diego. Did you have outbound access-groups applied? I'm working on a similar problem that was fixed when I added an element for 'gre' in the ACL applied to the interface. I'm now trying to determine if this behavior is by design or a bug.