How good is CEF?

I have a router that is currently doing all the internal routing for our network. There are several different subnets and vlans, and all traffic is going through the routers subinterfaces.

Due to a Cisco IOS bug, I had to turn off CEF. I'm noticing that the router is averaging high 90's for CPU usage due to all the IP traffic.

Would enabling CEF give me a large performance boost? This router has a large routing table and connects many hosts across many networks.

Just pinging from one host to another is taking 5ms... these hosts are only 1 switch down, but are on different VLANs (and subnets, obviously).

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

kryolla

Due to a Cisco IOS bug, I had to turn off CEF

Why are you going to turn on cef if you have identified a bug? First I would fix the bug maybe an IOS upgrade then turn on cef. I dont know what your CPU util will be after you turn on cef but it will definitely go down that is why cisco made it a default. Im suprised you let it get that high without any planning of load shedding or migrations.

I have a router that is currently doing all the internal routing

I guess there is no redundancy which is not good and also what type of router is this

tiersten

mzinz wrote: »

Due to a Cisco IOS bug, I had to turn off CEF.

What bug? Upgrade, downgrade or shout at Cisco to get that bug fixed or worked around.

mzinz wrote: »

Would enabling CEF give me a large performance boost?

Yes. If you disable CEF then the router will fall back to process switching which is slow and extremely CPU intensive.

redwarrior

CEF is all that and a bag of chips whereas process-switching is 80's style. Have you called TAC to identify a way to get around that "bug?"

mzinz

Hi guys. Thank you for all the responses. I'll sorta go down the list here:

Why are you going to turn on cef if you have identified a bug? First I would fix the bug maybe an IOS upgrade then turn on cef. I dont know what your CPU util will be after you turn on cef but it will definitely go down that is why cisco made it a default. Im suprised you let it get that high without any planning of load shedding or migrations.

I'm not going to turn on CEF until I upgrade the IOS. This particular bug only surfaces after a high amount of VPN tunnels are created - because of that, I was not able to predict it in my initial testing. Turning off CEF was what had to be done to keep sites up - slowing connections was the lesser of two evils in this case.

I guess there is no redundancy which is not good and also what type of router is this

Correct, there currently is no redundancy. These were the limitations I was given, though. 3800 series.

What bug? Upgrade, downgrade or shout at Cisco to get that bug fixed or worked around.

Implementation has only been live one week, and sites work around the clock. Upgrading the IOS will require scheduled downtime, which I'm working on now.

Yes. If you disable CEF then the router will fall back to process switching which is slow and extremely CPU intensive.

Is there any way to predict how much more CPU is used by not using CEF?

CEF is all that and a bag of chips whereas process-switching is 80's style. Have you called TAC to identify a way to get around that "bug?"

To be totally honest, this is the worst build I've ever used. There is no way around it other than upgrading the IOS. This implementation has been live for exactly a week now, and I've already identified three different bugs - ALL significant. This particular bug (CEF) is the worst, and there is also another one in another post I made which is causing static routes to not redistribute through EIGRP.

I'll be scheduling some downtime for next week, hopefully. Thanks again for your help.

tiersten

mzinz wrote: »

I'm not going to turn on CEF until I upgrade the IOS. This particular bug only surfaces after a high amount of VPN tunnels are created - because of that, I was not able to predict it in my initial testing. Turning off CEF was what had to be done to keep sites up - slowing connections was the lesser of two evils in this case.

Is that what Cisco TAC suggested?

mzinz wrote: »

Is there any way to predict how much more CPU is used by not using CEF?

Put it this way, the rated performance for a 3845 with CEF is 500KPPS and 256Mbps. A 3845 with process switching is only 35KPPS and 17.92Mbps.

Disabling CEF or forcing a large percentage of traffic through process switching is not a good idea as you can see. The only time it ever happens if is there is a configuration issue or you're debugging something. In normal usage, you shouldn't ever have that.

mzinz wrote: »

To be totally honest, this is the worst build I've ever used. There is no way around it other than upgrading the IOS. This implementation has been live for exactly a week now, and I've already identified three different bugs - ALL significant. This particular bug (CEF) is the worst, and there is also another one in another post I made which is causing static routes to not redistribute through EIGRP.

What version of IOS do you have on there?

networker050184

You should really tell your employer that a bug of this caliber can not wait until next week to fix. If its running around 90% CPU the thing could drop at any time due to a traffic spike or anything that would spike the CPU a couple percent. Very dangerous IMO and I would upgrade ASAP. Haven't they ever heard of emergency down time?

shednik

networker050184 wrote: »

You should really tell your employer that a bug of this caliber can not wait until next week to fix. If its running around 90% CPU the thing could drop at any time due to a traffic spike or anything that would spike the CPU a couple percent. Very dangerous IMO and I would upgrade ASAP. Haven't they ever heard of emergency down time?

Agreed completely...is there any other device that can pick up the routing? How much space is on the flash for the 3845 could you upload it and schedule the down time, It shouldn't be that long. Its a risk but what happens if the device just drops? Then what you have no redundancy!

marlon23

Can you give me SR number or Bug IDs ?

APA

networker050184 wrote: »

You should really tell your employer that a bug of this caliber can not wait until next week to fix. If its running around 90% CPU the thing could drop at any time due to a traffic spike or anything that would spike the CPU a couple percent. Very dangerous IMO and I would upgrade ASAP. Haven't they ever heard of emergency down time?

I second this..... absolutely no good reason to disable CEF...

jrs91

I have tested running routers with and without CEF and it makes a LARGE difference in cpu utilization.

There is a document on the cisco site the shows the theoretical performance of most router platforms with CEF both enabled and disabled. Wish I had the link handy but i'd have to search for it and i'm busy studying right now.

dtlokee

jrs91 wrote: »

I have tested running routers with and without CEF and it makes a LARGE difference in cpu utilization.

There is a document on the cisco site the shows the theoretical performance of most router platforms with CEF both enabled and disabled. Wish I had the link handy but i'd have to search for it and i'm busy studying right now.

I think this is the link:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

The only reason I have ever know for disabling CEF was because it used additional memory for the CEF tables but this is probably irrevelant these days where routers and switches will typically have enough memory. I guess another case is where you have hit a documented bug and TAC tells you to turn it off (cringe!)