New Contributor II

When should you use IP ffe?

When should you use IP ffe?

1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: When should you use IP ffe?

travisrigby:

Thank you for posting this question in the ADTRAN support community. For future reference, additional information about FFE can be found in the IPv4 Firewall Protection in AOS document.

RapidRoute is ADTRAN’s fast forwarding engine (FFE). It is a packet processing architecture in routers that classifies packets into packet flows based upon the IP protocol used by the packet, the source and destination IP address, and the protocol-specific information, such as source and destination port numbers. Packet flows are defined as the unidirectional representation of a conversation between two IP hosts, and each ingress interface maintains a traffic flow table. The identifiers in the flow tables are the same as those in the firewall association table, which allows one-to-one mapping between a flow entry and the firewall’s association selector. Using RapidRoute allows the router to process traffic more quickly, because as each packet is classified, it is placed in a traffic flow of other packets with similar features. This means each packet is classified only once, rather than classified every time it is used by an AOS feature, such as the firewall, VPN, NAT, etc. RapidRoute is a beneficial routing enhancement, especially in instances where traffic must be prioritized, delivered on quality of service (QoS) requirements, or kept from monopolizing bandwidth. Using RapidRoute especially in conjunction with the AOS firewall can greatly improve performance.

To enable RapidRoute on an interface, use the ip ffe command from the interface configuration mode prompt. This command should be applied to all active IP interfaces. For example:

(config)# interface eth 0/1
(config-inf-eth 0/1)# ip ffe
(config-inf-eth 0/1)# interface ppp 1
(config-inf-ppp 1)# ip ffe

You should have FFE enabled if any of the following are true:

  • the firewall is on
  • crypto is enabled (enabled ip crypto ffe)
  • top-talkers is enabled
  • netflow is enabled
  • access-groups are enabled
  • route-cache is disabled (it is enabled by default)


Any of these features being enabled should be an indication that FFE should be enabled on every interface and not just the interface that might have these other features enabled.

The list of features that might cause you to disable FFE would be:

  • Websense if a majority (~90%) of the traffic is web traffic
  • VQM if a majority (~90%) of the traffic is RTP
  • The new packet capture feature if a majority of the traffic is actually being captured
  • debug ip packet
  • Locally terminated RTP streams on voice platforms if the majority of traffic is of this type
  • Multicast routing if the majority of traffic is multicast
  • route-maps used for policy-based routing (PBR) that match on packet length
  • L3 switching is enabled
  • Integrated routing and bridging (IRB)

I hope that makes sense, but please do not hesitate to reply to this post with additional questions.  I will be happy to help in any way I can.

Levi
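
A simplified model of the flow classification described in the answer above, added here as an illustration; it is not ADTRAN's code and not part of the original post. The `FlowRouter` class, the feature callbacks, and the sample addresses are assumptions made for the example.

```python
from collections import namedtuple

# Constructed packet model: only the fields the post names as flow identifiers.
Packet = namedtuple("Packet", "ingress proto src dst sport dport")
FlowKey = namedtuple("FlowKey", "proto src dst sport dport")


class FlowRouter:
    """Toy model of per-ingress-interface flow tables (hypothetical, not AOS)."""

    def __init__(self, features):
        # features: name -> function(FlowKey) -> verdict (firewall, QoS, ...).
        self.features = features
        self.tables = {}          # ingress interface -> {FlowKey: verdicts}
        self.classifications = 0  # number of times the slow path ran

    def _classify(self, key):
        # Slow path: each feature evaluates the flow identifiers once.
        self.classifications += 1
        return {name: check(key) for name, check in self.features.items()}

    def forward(self, pkt):
        key = FlowKey(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        table = self.tables.setdefault(pkt.ingress, {})
        if key not in table:      # first packet of a unidirectional flow
            table[key] = self._classify(key)
        return table[key]         # later packets reuse the stored result


def demo():
    features = {
        "firewall": lambda k: "allow" if k.proto in ("tcp", "udp") else "deny",
        "qos": lambda k: "priority" if k.proto == "udp" else "best-effort",
    }
    router = FlowRouter(features)
    # Constructed traffic: one TCP conversation, three packets per direction.
    out = Packet("eth 0/1", "tcp", "10.0.0.5", "203.0.113.9", 50000, 443)
    back = Packet("ppp 1", "tcp", "203.0.113.9", "10.0.0.5", 443, 50000)
    verdicts = [router.forward(p) for p in [out, back] * 3]
    flows = {ifc: len(table) for ifc, table in router.tables.items()}
    return router.classifications, flows, verdicts[0]


if __name__ == "__main__":
    print(demo())
```

Six packets produce two classifications: one conversation is two unidirectional flows, each held in the table of the interface it arrives on.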

12 Replies
Valued Contributor

Re: When should you use IP ffe?

Wow, super-helpful answer, Levi!

Anonymous
Not applicable

Re: When should you use IP ffe?

travisrigby:

I have marked this post as "assumed answered," but do not hesitate to reply to this thread if you have further questions on this topic.  I will be happy to help.

Levi

New Contributor III

Re: When should you use IP ffe?

Is this supported on the Adtran 3120? I do not see the command in the router on version 18.03.01.

Thanks

Jamie

Anonymous
Not applicable

Re: When should you use IP ffe?

Jamie,

FFE is supported on the 3120. You can find the command in the interface configuration mode. However, crypto FFE is not supported on the 3120.

To enable this on the "Public" ethernet interface:

router(config)# int eth 0/1
router(config-eth)# ip ffe

To enable this on a VLAN interface:

router(config)# int vlan <VLAN ID>
router(config-vlan)# ip ffe


Please do not hesitate to let us know if you have any further questions.


Thanks,

Noor

Valued Contributor

Re: When should you use IP ffe?

You know, I don't think RapidRoute is supported on 3120, but I'm having a difficult time verifying it.  Consider the following:

  1. A recent 3120 CFG file I saved out is missing the "ip ffe" lines I typed into my initial config
  2. ADTRAN's NetVanta Routers brochure excludes 3120 from the list of RapidRoute-capable units (bottom of page 2)
  3. However:  ADTRAN's Router Matrix web page indicates that the 3120 is capable of FFE

Valued Contributor

Re: When should you use IP ffe?

Just missed your reply, Noor.  Great to hear that!

Anonymous
Not applicable

Re: When should you use IP ffe?

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor

Valued Contributor

Re: When should you use IP ffe?

Is "ip ffe" now on by default in the latest revision(s) of AOS?

Contributor

Re: When should you use IP ffe?

cj - Levi answered this in one of my threads...

"The fast forwarding engine (FFE) was enabled by default, starting in AOS firmware version R10.4.0.  The release notes (attached) for that firmware revision have it listed under the "Features and Enhancements" heading:

  • Added IPv6 support for RapidRoute, AOS's fast forwarding engine. Both IPv6 and IPv4 RapidRoute are now enabled by default."  - Levi

Valued Contributor

Re: When should you use IP ffe?

Great to know, thanks danb.

New Contributor

Re: When should you use IP ffe?

Not to resurrect an ancient thread, but it's still somewhat relevant.

I'm upgrading from a NV3430 running R10.9.0.E to a NV3140 running R12.1.0.E

The NV3430 has no ffe mentioned anywhere in the config file, and the VPN section begins with 'ip crypto'

The NV3140 has 'ip crypto ffe', though I haven't copied the crypto section over from the NV3430

Should I use 'ip crypto' on the Ethernet interface(s), the Crypto section, both?

Thanks!