CEF load balancing cisco 3750

Posted on 2014-09-30
Last Modified: 2014-10-03

I am trying to configure cef for our two gateways (firewalls). I do see the cef option, but when I go to the 2 interfaces I do not see ip load-sharing per-destination.

Is there something I am missing?

I plan on configuring 2 routes to the gateways with the same metrics 1 1

Thank you for your help in advance
Question by:thomasm1948

Expert Comment

The details are a bit sketchy from your question.  Have you configured CEF already, but not the two default routes?  If you haven't configured the default routes yet, what routes are there currently for the Internet traffic?  If you don't have equal-cost routes in the routing table, you won't see any load-sharing when enabling CEF.

Here's the link to the Cisco Config Guide to explain the process for configuring CEF:  Once CEF is enabled, you can check the FIB table by issuing the "show ip cef" command. Your internet routes should have two entries (via the two ISPs), which would be an indication that load-sharing takes place.

If you can post the output of the "show ip cef" command (you can remove any entries for your internal network), we can perhaps tell you what is missing.

Just one more question:  If you say that you do not see ip load-sharing per-destination, how did you check?  What did you expect, and what did you find?

Author Comment


I took out all of the internal traffic stuff:          multicast         receive          drop   receive

Ok, so I went through the CEF guide and I do not see all of the commands for CEF on the CISCO 3750. I know that on the CISCO 3750 CEF is enabled by default and that it can do only per-destination and not per-packet. CEF is also a global option.

I have not put multiple gateways in as of yet. So I am unsure how the switch will handle it once I put it in, being that I do not get an interface option for load-sharing. I do get a load-sharing option under the global config, but I only get the following option:

ASAMC3750STACK(config)#ip cef load-sharing ?
  algorithm  Per-destination load sharing algorithm selection

I did set that for original.

My main issue is that they run VOIP, and if the switch handles the 2 gateways as round robin then there will be occurrences where the switch will have to do packet reformation, and that can cause an issue for VOIP. That is why I am just confirming the CEF, because I need it to do load-sharing between the two gateways utilizing per-destination so that their VOIP works correctly.

Author Comment

forgot to add the following for sh ip cef

Prefix               Next Hop             Interface            Vlan16           receive
Author Comment

these are the options that I get under the int for IP

Interface IP configuration subcommands:
  access-group  Specify access control for packets
  admission     Apply Network Admission Control
  arp           Configure ARP features
  dhcp          Configure DHCP parameters for this interface
  igmp          IGMP interface commands
  verify        verify
  vrf           VPN Routing/Forwarding parameters on the interface

Accepted Solution

Otto_N earned 500 total points
I think there's a couple of things you need to know.

1. CEF only expedites forwarding, and doesn't change how the packet is handled

CEF ensures fast packet forwarding (at, or close to, the line rate of the interfaces) by pre-calculating the forwarding path and header rewrite information for all entries in the routing table.  So when a packet hits the switch, the switch sends it out the correct port much quicker than with traditional process switching.  But the outgoing packet looks exactly the same, whether it was CEF-switched or process switched.

Your concern regarding VOIP packet reformation (which I do not understand at all) therefore doesn't revolve around the CEF-handling of the packets, but on how the packets will be routed.

2. CEF does per-destination load-balancing BY DEFAULT

CEF was built around the concept of flows (a series of packets between a set of processes on hosts), and forwarding decisions are made per-flow rather than per-packet.  So, if there are two equal-cost paths in the routing table, CEF will ensure that packets in the same flow will be switched in the same way.

The way flows are defined, is determined by the algorithm used.  Originally, only source-destination IP addresses were considered.  But this had a couple of drawbacks:
- If most of the traffic was between a small set of source & destination, one of the equal-cost paths would carry the bulk of the traffic, leaving much spare capacity on the other link.
- If you deployed CEF on consecutive layers, the next CEF device uses the same hash-algorithm, which would then switch all traffic it receives from the first switch out of one link, and not load-share between multiple links.

To overcome these drawbacks, the CEF algorithm was changed to add source and/or destination ports as input to the hash algorithm, or a switch identifier, to ensure that traffic is more evenly shared.  However, the principle of consistent flow switching is still maintained.

You can read more about this on the Usage Guidelines of the "ip cef load-sharing algorithm"-command, available on the Cisco Command Lookup Tool (for registered users only...).

I assume that the per-flow switching characteristics of CEF should alleviate your fears regarding the compatibility issues of VOIP with round-robin forwarding - Not being a VOIP expert, I don't have any practical knowledge to assist in this regard.  However, if you need all VOIP packets to only go one route, you can always set up PBR to ensure that it happens.
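The per-flow behaviour described in the answer above, as an added simulation that is not part of the original thread and not Cisco's code. It assumes SHA-256 as a stand-in for the CEF hash, constructed addresses, and a hypothetical `device_id` playing the role of the switch identifier; it shows that one source/destination pair always takes the same path, that two tiers using an identical hash stop sharing load, and that a single heavy pair cannot be split.

```python
import hashlib
import random

def pick_path(src, dst, n_paths, device_id=0):
    """Stand-in hash (SHA-256, not Cisco's) over the flow key plus a per-device ID."""
    key = f"{src}>{dst}#{device_id}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths

def make_flows(n, seed=1):
    """Constructed sample flows: internal sources, documentation-range destinations."""
    rng = random.Random(seed)
    return [(f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
             f"198.51.100.{rng.randrange(1, 255)}") for _ in range(n)]

def flow_is_pinned(src, dst, packets=100):
    """Every packet of one src/dst pair must be sent to the same next hop."""
    return len({pick_path(src, dst, 2) for _ in range(packets)}) == 1

def second_tier_split(flows, tier1_id, tier2_id):
    """Flows that tier 1 sent out path 0 reach tier 2; count tier 2's choices."""
    counts = [0, 0]
    for src, dst in flows:
        if pick_path(src, dst, 2, tier1_id) == 0:
            counts[pick_path(src, dst, 2, tier2_id)] += 1
    return counts

def skewed_load(heavy_packets, light_flows):
    """One talkative pair plus many one-packet flows: packets carried per path."""
    load = [0, 0]
    load[pick_path("10.0.0.10", "198.51.100.7", 2)] += heavy_packets
    for src, dst in light_flows:
        load[pick_path(src, dst, 2)] += 1
    return load

if __name__ == "__main__":
    flows = make_flows(2000)
    print("flow pinned to one path:", flow_is_pinned(*flows[0]))
    print("same hash on both tiers:", second_tier_split(flows, 0, 0))
    print("different device IDs:   ", second_tier_split(flows, 1, 2))
    print("one heavy pair:         ", skewed_load(10000, flows))
```
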

Author Closing Comment

Thank you for all of your help
