CEF Switching

Cisco Express Forwarding (CEF) is a switching mode that was introduced in the Cisco IOS 11.1 and 11.2 software trains and that is available across all 12.0 versions. In traditional Cisco caching solutions, cache entries are built as traffic flows through the router. CEF, on the other hand, mirrors the entire system routing table, alleviating the building on any initial cache. Therefore, CEF handles large amounts of data better than traditional switching and caching methods.

With most DoS attacks, the traffic is sent to one or a handful of victim devices, which does not have any impact on either traditional or CEF switching processes. However, many kinds of SYN flood attacks use random source addresses. The victim or victims of this attack attempt to respond back to the connection attempts, creating a large number of destinations for switching paths. With traditional switching, this would create a performance problem; with CEF, the destinations already have been cached, so there is not as much of an issue dealing with this increased amount of traffic.

When a router is using fast switching on an interface, the CPU must be involved to handle the interrupt requests from the fast-switching interfaces to move traffic from one interface to another. During periods of flooding traffic, this can create a DoS condition on the router itself in which most of its CPU cycles are handling the interface interrupts. You can limit this process by using the scheduler interval command:

Router(config)# scheduler interval #_of_milliseconds

This command causes the router to stop handling interrupt requests at the configured interval and handle other tasks. For example, you might set the value to 250 milliseconds, which tells the Cisco IOS to handle process-level tasks for no more than 250 milliseconds at a time.

Newer Cisco router platforms use the scheduler allocate command instead of the scheduler interval command:

Router(config)# scheduler allocate #_of_milliseconds_of_interrupts


This command has two parameters: The first parameter specifies the number of milliseconds in which interrupts are handled; the second parameter specifies the number of milliseconds for which interrupts are placed on hold. A common allocation configuration is scheduler allocate 3000 1000. With this configuration, interrupts are handled for 3 seconds, but for the next second, the router performs other tasks.


Cisco has stated that the scheduler interval and scheduler allocate commands have no negative side effects on the router and should be part of your router's standard configuration.