New Contributor II

When should you use IP ffe?

When should you use IP ffe?

1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: When should you use IP ffe?

travisrigby:

Thank you for posting this question in the ADTRAN support community. For future reference, additional information about FFE can be found in the IPv4 Firewall Protection in AOS document.

RapidRoute is ADTRAN’s fast forwarding engine (FFE). It is a packet processing architecture in routers that classifies packets into packet flows based upon the IP protocol used by the packet, the source and destination IP address, and the protocol-specific information, such as source and destination port numbers. Packet flows are defined as the unidirectional representation of a conversation between two IP hosts, and each ingress interface maintains a traffic flow table. The identifiers in the flow tables are the same as those in the firewall association table, which allows one-to-one mapping between a flow entry and the firewall’s association selector. Using RapidRoute allows the router to process traffic more quickly, because as each packet is classified, it is placed in a traffic flow of other packets with similar features. This means each packet is classified only once, rather than classified every time it is used by an AOS feature, such as the firewall, VPN, NAT, etc. RapidRoute is a beneficial routing enhancement, especially in instances where traffic must be prioritized, delivered on quality of service (QoS) requirements, or kept from monopolizing bandwidth. Using RapidRoute especially in conjunction with the AOS firewall can greatly improve performance.

To enable RapidRoute on an interface, use the ip ffe command from the interface configuration mode prompt. This command should be applied to all active IP interfaces. For example:

(config)# interface eth 0/1
(config-inf-eth 0/1)# ip ffe
(config-inf-eth 0/1)# interface ppp 1
(config-inf-ppp 1)# ip ffe

You should have FFE enabled if any of the following are true:

  • the firewall is on
  • crypto is enabled (enabled ip crypto ffe)
  • top-talkers is enabled
  • netflow is enabled
  • access-groups are enabled
  • route-cache is disabled (it is enabled by default)


Any of these features being enabled should be an indication that FFE should be enabled on every interface and not just the interface that might have these other features enabled.

The list of features that might cause you to disable FFE would be:

  • Websense if a majority (~90%) of the traffic is web traffic
  • VQM if a majority (~90%) of the traffic is RTP
  • The new packet capture feature if a majority of the traffic is actually being captured
  • debug ip packet
  • Locally terminated RTP streams on voice platforms if the majority of traffic is of this type
  • Multicast routing if the majority of traffic is multicast
  • route-maps used for policy-based routing (PBR) that match on packet length
  • L3 switching is enabled
  • Integrated routing and bridging (IRB)

I hope that makes sense, but please do not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

Levi
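
The rule in the answer above (if any trigger feature is on, every active IP interface should carry ip ffe) can be checked against a saved config. This is an added example, not part of the original post or any ADTRAN tooling; the sample config is constructed, and the trigger patterns and the indentation of interface sub-commands are assumptions about how these features appear in an AOS config.

```python
import re

# Assumed config lines for two of the answer's trigger features; extend as needed.
TRIGGERS = {
    "firewall": re.compile(r"^ip firewall\b"),
    "access-group": re.compile(r"^\s+ip access-group\b"),
}

# Constructed sample saved config, not taken from a real device.
SAMPLE_CONFIG = """\
ip firewall
!
interface eth 0/1
  ip address 198.51.100.2 255.255.255.252
  ip ffe
  no shutdown
!
interface vlan 10
  ip address 10.10.10.1 255.255.255.0
  no shutdown
!
interface eth 0/2
  shutdown
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from a saved config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and line[:1].isspace() and line.strip():
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def audit_ffe(config):
    """List active IP interfaces lacking 'ip ffe' when a trigger feature is on."""
    lines = config.splitlines()
    features = sorted(n for n, rx in TRIGGERS.items() if any(rx.search(l) for l in lines))
    missing = []
    for name, cmds in parse_interfaces(config).items():
        active = "shutdown" not in cmds and any(c.startswith("ip address ") for c in cmds)
        if features and active and "ip ffe" not in cmds:
            missing.append(name)
    return features, missing
```

Running `audit_ffe` on a config saved back from the unit also catches the case where an `ip ffe` line that was typed in did not persist.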


12 Replies
Valued Contributor

Re: When should you use IP ffe?

Wow, super-helpful answer, Levi!

Anonymous
Not applicable

Re: When should you use IP ffe?

travisrigby:

I have marked this post as "assumed answered," but do not hesitate to reply to this thread if you have further questions on this topic.  I will be happy to help.

Levi

New Contributor III

Re: When should you use IP ffe?

Is this supported on the Adtran 3120? I do not see the command in the router on version 18.03.01.

Thanks

Jamie

Anonymous
Not applicable

Re: When should you use IP ffe?

Jamie,

FFE is supported on the 3120. You can find the command in the interface configuration mode. However, crypto FFE is not supported on the 3120.

To enable this on the "Public" ethernet interface:

router(config)# int eth 0/1

router(config-eth)# ip ffe


To enable this on a VLAN interface:

router(config)# int vlan <VLAN ID>

router(config-vlan)# ip ffe


Please do not hesitate to let us know if you have any further questions.


Thanks,

Noor

Valued Contributor

Re: When should you use IP ffe?

You know, I don't think RapidRoute is supported on 3120, but I'm having a difficult time verifying it.  Consider the following:

  1. A recent 3120 CFG file I saved out is missing the "ip ffe" lines I typed into my initial config
  2. ADTRAN's NetVanta Routers brochure excludes 3120 from the list of RapidRoute-capable units (bottom of page 2)
  3. However:  ADTRAN's Router Matrix web page indicates that the 3120 is capable of FFE
Valued Contributor

Re: When should you use IP ffe?

Just missed your reply, Noor.  Great to hear that!

Anonymous
Not applicable

Re: When should you use IP ffe?

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor

Valued Contributor

Re: When should you use IP ffe?

Is "ip ffe" now on by default in the latest revision(s) of AOS?
