[nsp] ip verify unicast not logging in ACL

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Nov 12 10:04:43 EST 2003


> > All we did was to make sure we punt the packet to process path to
> > create the log entry. Logging is not (and possibly never will be)
> > working in the interrupt switching path, so we always have to punt.
> > NOTE: "punting" packets doesn't mean that we don't cef switch the
> > packet. There is also something like the "CEF process path"..
> > 
> I believe all the folk here will appreciate if you elaborate on this

ok, let me try (now speaking for software platforms like [237]xxx
routers, asic-based platforms vary):

CEF switching path uses a FIB (instead of a destination cache as the
older legacy switching paths) to resolve next-hop as well as l2 rewrite.

Then there is an interrupt path and a process path. The interrupt path
is triggered by a CPU interrupt from the device driver, while the
process path uses the regular user CPU context (via "IP Input" process).
It should be obvious that we can't do too many fancy things (like ACL
logging) in the interrupt context, so we need to punt the pkt to process
path so "IP Input" and friends will take care of this.

CEF switching can occur in both the interrupt as well as the process
path (at least in recent IOS releases like 12.0S/12.2/12.3/etc.), the
latter is called "CEF process path". This was mainly added to enable
tag/mpls primitives (push/pop/swap) also in the process path (ex: "debug
mpls packet" causes the mpls pkts to be "process-cef-switched", "debug
ip packet" also prints a "cef process switched" or similar in the

So in summary: A CEF-switched pkt is not necessarily interrupt switched..

