12 Replies Latest reply on Oct 2, 2016 6:29 AM by wpns
      • Re: When should you use IP ffe?
        levi Employee

        travisrigby:

         

        Thank you for posting this question in the ADTRAN support community.  For future reference, additional information about FFE can be found in the IPv4 Firewall Protection in AOS document.

         

        RapidRoute is ADTRAN’s fast forwarding engine (FFE). It is a packet processing architecture in routers that classifies packets into packet flows based upon the IP protocol used by the packet, the source and destination IP address, and the protocol-specific information, such as source and destination port numbers. Packet flows are defined as the unidirectional representation of a conversation between two IP hosts, and each ingress interface maintains a traffic flow table. The identifiers in the flow tables are the same as those in the firewall association table, which allows one-to-one mapping between a flow entry and the firewall’s association selector. Using RapidRoute allows the router to process traffic more quickly, because as each packet is classified, it is placed in a traffic flow of other packets with similar features. This means each packet is classified only once, rather than classified every time it is used by an AOS feature, such as the firewall, VPN, NAT, etc. RapidRoute is a beneficial routing enhancement, especially in instances where traffic must be prioritized, delivered on quality of service (QoS) requirements, or kept from monopolizing bandwidth. Using RapidRoute especially in conjunction with the AOS firewall can greatly improve performance.

        To enable RapidRoute on an interface, use the ip ffe command from the interface configuration mode prompt. This command should be applied to all active IP interfaces. For example:

        (config)# interface eth 0/1
        (config-inf-eth 0/1)# ip ffe
        (config-inf-eth 0/1)# interface ppp 1
        (config-inf-ppp 1)# ip ffe

         

        You should have FFE enabled if any of the following are true:

        • the firewall is on
        • crypto is enabled (enabled ip crypto ffe)
        • top-talkers is enabled
        • netflow is enabled
        • access-groups are enabled
        • route-cache is disabled (it is enabled by default)


        Any of these features being enabled should be an indication that FFE should be enabled on every interface and not just the interface that might have these other features enabled.

        The list of features that might cause you to disable FFE would be:

        • Websense if a majority (~90%) of the traffic is web traffic
        • VQM if a majority (~90%) of the traffic is RTP
        • The new packet capture feature if a majority of the traffic is actually being captured
        • debug ip packet
        • Locally terminated RTP streams on voice platforms if the majority of traffic is of this type
        • Multicast routing if the majority of traffic is multicast
        • route-maps used for policy-based routing (PBR) that match on packet length
        • L3 switching is enabled
        • Integrated routing and bridging (IRB)

         

        I hope that makes sense, but please do not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

         

        Levi
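
An added example, not part of Levi's post or ADTRAN's documentation: a Python check over a saved running-config that lists active IP interfaces lacking `ip ffe`, along with the global features from the list above that call for it. The stanza layout (indented lines under `interface`, `!` separators), `no shutdown` marking an active interface, `ip address` marking an IP interface, and `ip firewall` as the global firewall line are assumptions; the sample config is constructed.

```python
# Constructed sample of an AOS-style running-config (not taken from the thread).
SAMPLE_CONFIG = """\
ip firewall
ip crypto ffe
!
interface eth 0/1
  ip address 10.0.0.1 255.255.255.0
  ip ffe
  no shutdown
!
interface eth 0/2
  ip address 192.0.2.1 255.255.255.0
  no shutdown
!
interface ppp 1
  ip address 198.51.100.1 255.255.255.252
  shutdown
!
"""

# Global lines treated as "FFE should be on everywhere" indicators (assumed spellings).
TRIGGERS = ("ip firewall", "ip crypto", "ip crypto ffe")

def parse_interfaces(config):
    """Map interface name -> list of stripped command lines in its stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            stanzas[current] = []
        elif current is not None and line[:1].isspace() and line.strip():
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def audit_ffe(config):
    """Report trigger features present and active IP interfaces without 'ip ffe'."""
    global_lines = {l.strip() for l in config.splitlines() if l and not l[:1].isspace()}
    missing = []
    for name, lines in parse_interfaces(config).items():
        active = "no shutdown" in lines  # assumption: active interfaces show this line
        has_ip = any(l.startswith("ip address ") for l in lines)
        if active and has_ip and "ip ffe" not in lines:
            missing.append(name)
    return {"triggers": sorted(t for t in TRIGGERS if t in global_lines),
            "missing_ffe": missing}

if __name__ == "__main__":
    print(audit_ffe(SAMPLE_CONFIG))
```

Whether one of the "might disable FFE" cases applies depends on the traffic mix, which a static config check cannot see.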

        • Re: When should you use IP ffe?
          levi Employee

          travisrigby:

           

          I have marked this post as "assumed answered," but do not hesitate to reply to this thread if you have further questions on this topic.  I will be happy to help.

           

          Levi

          • Re: When should you use IP ffe?
            wpns New Member

            Not to resurrect an ancient thread, but it's still somewhat relevant.

             

            I'm upgrading from a NV3430 running R10.9.0.E to a NV3140 running R12.1.0.E

             

            The NV3430 has no ffe mentioned anywhere in the config file, and the VPN section begins with 'ip crypto'

            The NV3140 has 'ip crypto ffe', though I haven't copied the crypto section over from the NV3430

             

            Should I use 'ip crypto' on the Ethernet interface(s), the Crypto section, both?

             

            Thanks!