[c-nsp] 2960S vlan ACL eating some L2 transit packets!?

MANISH chaurasia.manish at gmail.com
Mon Jan 13 16:15:40 EST 2014


When you have a statement something like
" access-list 100 deny   ip any any log ", what is actually happening is that all
the packets that are getting denied are getting punted to the CPU.

Normally packets should not be hitting the CPU; the ASIC should be able to handle
them and CEF will get the job done, but in case you need to see what is
getting denied and you have the log statement at the end of the ACL, the ASIC does not
handle such packets and forwards them to the CPU. The CPU is resource intensive and
needs to handle a lot of things other than logging your denied packets, hence
you are seeing a sluggish response. Try removing the "access-list 100 deny   ip
any any log" from your config and watch the results.

"deny ip any any log" is sort of a troubleshooting tool, not a permanent way to
log what's getting denied; if you need a permanent solution, get NetFlow to do the
job.

HTH
-Manish


On Mon, Jan 13, 2014 at 4:03 PM, Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Mon, Jan 13, 2014 at 02:59:31PM -0500, Chuck Church wrote:
> > Is there a bug that is setting the Ethernet broadcast bit accidentally
> > internally?
>
> Well, I had the assumption that it could be flooded packets due to
> missing MAC table entries, but since I've seen the same IP address
> logged both as source and destination, I'm fairly sure there is no
> flooding going on...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
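A defender-side check for the condition Manish describes, added here as an example and not part of the thread: it scans an IOS-style running config for ACEs carrying the log or log-input keyword (the entries whose matches are punted to the CPU) and reports whether each ACL is actually bound to an interface. The config excerpt is constructed; the regexes assume unsequenced named-ACL entries.

```python
import re

# Constructed running-config excerpt (not from the original post); the numbered
# ACL mirrors the "access-list 100 deny ip any any log" statement from the thread.
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 deny   ip any any log
!
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
 deny   ip any any log-input
!
interface Vlan10
 ip access-group 100 in
!
interface Vlan20
 ip access-group MGMT-IN in
"""

NUMBERED_ACE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\s+(.*)$")
NAMED_HEADER = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)$")
NAMED_ACE = re.compile(r"^\s+(?:permit|deny)\s+(.*)$")  # assumes no sequence numbers
INTERFACE = re.compile(r"^interface\s+(\S+)$")
APPLIED = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)$")
LOG_KW = re.compile(r"\blog(?:-input)?\b")  # either keyword sends matches to the CPU

def audit(config: str) -> list[tuple[str, int, str, list[str]]]:
    """Return (acl, line_no, ace_text, where_applied) for every ACE that logs."""
    hits, applied = [], {}
    acl = iface = None
    for no, line in enumerate(config.splitlines(), 1):
        if not line.startswith(" "):  # top-level line starts a new stanza
            acl = iface = None
            if (m := NUMBERED_ACE.match(line)) and LOG_KW.search(m.group(2)):
                hits.append((m.group(1), no, line.strip()))
            elif m := NAMED_HEADER.match(line):
                acl = m.group(1)
            elif m := INTERFACE.match(line):
                iface = m.group(1)
        elif acl and (m := NAMED_ACE.match(line)) and LOG_KW.search(m.group(1)):
            hits.append((acl, no, line.strip()))
        elif iface and (m := APPLIED.match(line)):
            applied.setdefault(m.group(1), []).append(f"{iface} {m.group(2)}")
    # An empty where_applied list means the ACL is defined but not in the data path.
    return [(a, n, t, applied.get(a, [])) for a, n, t in hits]

if __name__ == "__main__":
    for acl, no, ace, where in audit(SAMPLE_CONFIG):
        scope = ", ".join(where) or "not applied to any interface"
        print(f"line {no}: ACL {acl} '{ace}' punts matching packets to CPU ({scope})")
```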

