Support
Community

Anonymous · ‎03-10-2012

When should you use IP ffe?

Anonymous · ‎03-12-2012

travisrigby:

Thank you for posting this question in the ADTRAN support community. For future reference, additional information about FFE can be found in the the IPv4 Firewall Protection in AOS document.

RapidRoute is ADTRAN’s fast forwarding engine (FFE). It is a packet processing architecture in routers that classifies packets into packet flows based upon the IP protocol used by the packet, the source and destination IP address, and the protocol-specific information, such as source and destination port numbers. Packet flows are defined as the unidirectional representation of a conversation between two IP hosts, and each ingress interface maintains a traffic flow table. The identifiers in the flow tables are the same as those in the firewall association table, which allows one-to-one mapping between a flow entry and the firewall’s association selector. Using RapidRoute allows the router to process traffic more quickly, because as each packet is classified, it is placed in a traffic flow of other packets with similar features. This means each packet is classified only once, rather than classified every time it is used by an AOS feature, such as the firewall, VPN, NAT, etc. RapidRoute is a beneficial routing enhancement, especially in instances where traffic must be prioritized, delivered on quality of service (QoS) requirements, or kept from monopolizing bandwidth. Using RapidRoute especially in conjunction with the AOS firewall can greatly improve performance.

To enable RapidRoute on an interface, use the ip ffe command from the interface configuration mode prompt. This command should be applied to all active IP interfaces. For example:

(config)# interface eth 0/1
(config-inf-eth 0/1)# ip ffe
(config-inf-eth 0/1)# interface ppp 1

(config-inf-ppp 1)# ip ffe

You should have FFE enabled if any of the following are true:

the firewall is on
crypto is enabled (enabled ip crypto ffe)
top-talkers is enabled
netflow is enabled
access-groups are enabled
route-cache is disabled (it is enabled by default)

Any of these features being enabled should be an indication that FFE should be enabled on every interface and not just the interface that might have these other features enabled.

The list of features that might cause you to disable FFE would be:

Websense if a majority (~90%) of the traffic is web traffic
VQM if a majority (~90%) of the traffic is RTP
The new packet capture feature if a majority of the traffic is actually being captured
debug ip packet
Locally terminated RTP streams on voice platforms if the majority of traffic is of this type
Multicast routing if the majority of traffic is multicast
route-maps used for policy-based routing (PBR) that match on packet length
L3 switching is enabled
Integrated routing and bridging (IRB)

I hope that makes sense, but please do not hesitate to reply to this post with additional questions. I will be happy to help in any way I can.

Levi

View solution in original post

Anonymous · ‎03-12-2012

travisrigby:

Thank you for posting this question in the ADTRAN support community. For future reference, additional information about FFE can be found in the the IPv4 Firewall Protection in AOS document.

RapidRoute is ADTRAN’s fast forwarding engine (FFE). It is a packet processing architecture in routers that classifies packets into packet flows based upon the IP protocol used by the packet, the source and destination IP address, and the protocol-specific information, such as source and destination port numbers. Packet flows are defined as the unidirectional representation of a conversation between two IP hosts, and each ingress interface maintains a traffic flow table. The identifiers in the flow tables are the same as those in the firewall association table, which allows one-to-one mapping between a flow entry and the firewall’s association selector. Using RapidRoute allows the router to process traffic more quickly, because as each packet is classified, it is placed in a traffic flow of other packets with similar features. This means each packet is classified only once, rather than classified every time it is used by an AOS feature, such as the firewall, VPN, NAT, etc. RapidRoute is a beneficial routing enhancement, especially in instances where traffic must be prioritized, delivered on quality of service (QoS) requirements, or kept from monopolizing bandwidth. Using RapidRoute especially in conjunction with the AOS firewall can greatly improve performance.

To enable RapidRoute on an interface, use the ip ffe command from the interface configuration mode prompt. This command should be applied to all active IP interfaces. For example:

(config)# interface eth 0/1
(config-inf-eth 0/1)# ip ffe
(config-inf-eth 0/1)# interface ppp 1

(config-inf-ppp 1)# ip ffe

You should have FFE enabled if any of the following are true:

the firewall is on
crypto is enabled (enabled ip crypto ffe)
top-talkers is enabled
netflow is enabled
access-groups are enabled
route-cache is disabled (it is enabled by default)

Any of these features being enabled should be an indication that FFE should be enabled on every interface and not just the interface that might have these other features enabled.

The list of features that might cause you to disable FFE would be:

Websense if a majority (~90%) of the traffic is web traffic
VQM if a majority (~90%) of the traffic is RTP
The new packet capture feature if a majority of the traffic is actually being captured
debug ip packet
Locally terminated RTP streams on voice platforms if the majority of traffic is of this type
Multicast routing if the majority of traffic is multicast
route-maps used for policy-based routing (PBR) that match on packet length
L3 switching is enabled
Integrated routing and bridging (IRB)

I hope that makes sense, but please do not hesitate to reply to this post with additional questions. I will be happy to help in any way I can.

Levi

Anonymous · ‎03-12-2012

Wow, super-helpful answer, Levi!

Anonymous · ‎03-15-2012

travisrigby:

I have marked this post as "assumed answered," but do not hesitate to reply to this thread if you have further questions on this topic. I will be happy to help.

Levi

Anonymous · ‎05-03-2012

Is this supported on the Adtran 3120? I do not see the command in the router on version 18.03.01.

Thanks

Jamie

Anonymous · ‎05-03-2012

Jamie,

FFE is supported on the 3120. You can find the command in the interface configuration mode. However, crypto FFE is not supported on the 3120.

To enable this on the "Public" ethernet interface:

router(config)# int eth 0/1

router(config-eth)# ip ffe

To enable this on the a VLAN interface:

router(config)# int vlan <VLAN ID>

router(config-vlan)# ip ffe

Please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

Anonymous · ‎05-03-2012

You know, I don't think RapidRoute is supported on 3120, but I'm having a difficult time verifying it. Consider the following:

A recent 3120 CFG file I saved out is missing the "ip ffe" lines I typed into my initial config
ADTRAN's NetVanta Routers brochure excludes 3120 from the list of RapidRoute-capable units (bottom of page 2)
However: ADTRAN's Router Matrix web page indicates that the 3120 is capable of FFE

Anonymous · ‎05-03-2012

Just missed your reply, Noor. Great to hear that!

Anonymous · ‎02-20-2013

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor

Anonymous · ‎03-27-2013

Is "ip ffe" now on by default in the latest revision(s) of AOS?

Anonymous · ‎03-27-2013

cj - Levi answered this in one of my therads....

"The fast forwarding engine (FFE) was enabled by default, starting in AOS firmware version R10.4.0. The release notes (attached) for that firmware revision have it listed under the "Features and Enhancements" heading:

Added IPv6 support for RapidRoute, AOS's fast forwarding engine. Both IPv6 and IPv4 RapidRoute are now enabled by default." - Levi

Anonymous · ‎03-27-2013

Great to know, thanks danb.

Anonymous · ‎10-02-2016

Not to resurrect an ancient thread, but it's still somewhat relevant.

I'm upgrading from a NV3430 running R10.9.0.E to a NV3140 running R12.1.0.E

The NV3430 has no ffe mentioned anywhere in the config file, and the VPN section begins with 'ip crypto'

The NV3140 has 'ip crypto ffe', though I haven't copied the crypto section over from the NV3430

Should I use 'ip crypto' on the Ethernet interface(s), the Crypto section, both?

Thanks!

Support
Community

When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

SupportCommunity

When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Re: When should you use IP ffe?

Support
Community