What is your recommendation for CEF, per packet or per destination when VPN tunnels traverse the circuits?
Our ISP provides 3 T1s, 2 of which are on one router utilizing CEF to load balance. The load sharing option was set at per packet. This we think is ideal. However, this is a new setup from our ISP and we utilize these 2 T1s for our VPN traffic. We were experiencing poor performance and opened a service ticket with our ISP. During troubleshooting it was suggested we change the CEF option to per destination. This worked for tunnels established over one circuit and not the other. We had the ISP run extensive testing on the suspect physical circuit and they reported finding no trouble. We plugged both circuits back in and all is well, go figure.
I would like to hear opinions on whether I should ask that the CEF option be put back to per packet.
Note: The router is controlled by my ISP. I cannot redesign the topology.
I believe that it is best if you leave the CEF option at per destination. When you configure per destination it introduces the likelihood of out of order packets. Some protocols can re-order out of order packets. I am pretty sure that IPSec does not do that. IPSec watches sequence numbers in incoming packets (partly as a defence against replay attacks and man-in-the-middle attacks). I suspect that out of order packets cause problems for IPSec though I have never tried to construct a test of this. So I suggest that you leave the CEF option at per destination.
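How the sequence-number check mentioned in the answer reacts to reordering, as an added example that is not part of the original thread: a Python model of an ESP-style anti-replay sliding window, fed by packets alternated across two links with unequal delay. The 64-packet window (the default RFC 4303 recommends), the class and function names, and the traffic pattern are assumptions constructed for illustration.

```python
# Added illustration: ESP-style anti-replay window under per-packet load sharing.
# All names, sizes and traffic below are constructed for this example.
WINDOW = 64  # assumption: RFC 4303's recommended default window size


class ReplayWindow:
    """Receiver-side sliding window over ESP sequence numbers."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set => sequence (top - i) already accepted

    def check_and_update(self, seq):
        """Classify one authenticated packet: 'ok', 'replay' or 'too_old'."""
        if seq > self.top:  # new highest: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:  # fell behind the window: dropped
            return "too_old"
        if self.bitmap & (1 << offset):  # already seen: dropped as a replay
            return "replay"
        self.bitmap |= 1 << offset  # late but inside the window: accepted
        return "ok"


def simulate(n_packets, lag, window=WINDOW):
    """Alternate packets over two links; the second link delivers `lag`
    packet-times later than the first. Returns the receiver's verdict counts."""
    arrivals = sorted(
        (seq + (lag if seq % 2 == 0 else 0), seq)
        for seq in range(1, n_packets + 1)
    )
    rw = ReplayWindow(window)
    counts = {"ok": 0, "replay": 0, "too_old": 0}
    for _, seq in arrivals:
        counts[rw.check_and_update(seq)] += 1
    return counts


if __name__ == "__main__":
    print("lag 10, window 64  :", simulate(1000, 10))
    print("lag 100, window 64 :", simulate(1000, 100))
    print("lag 100, window 128:", simulate(1000, 100, window=128))
```

Reordering that stays inside the window is accepted; legitimate packets delayed past it are discarded, which the tunnel's users see as packet loss.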