[c-nsp] 2960S vlan ACL eating some L2 transit packets!?
Gert Doering
gert at greenie.muc.de
Mon Jan 13 16:59:43 EST 2014
Hi,
On Mon, Jan 13, 2014 at 04:53:17PM -0500, MANISH wrote:
> let me put it this way
>
> CEF is doing the job of receiving and transmitting the packets in and out
> of the box as fast as it can for normal processing without any help from
> the CPU.
>
> The packets that need special treatment, like your denied statement
> logging, it transfers to the CPU for further processing, but
> before it can do that the packets are put into a holding buffer in case the CPU is
> busy. Now what if your buffer already has some packets waiting to be
> processed by the CPU? There is no room for the packet that came in last, so those
> packets are dropped.
No, and in multiple ways no.
- this is a *l2 switch*, not a router, so there is no CEF involved for
transit packets
- even on boxes with CEF forwarding, it can still be the "CPU" that forwards
the packets - like on an ISR or a 7200
- the packets should not ever *hit* the ACL, so it's irrelevant whether
the ACL causes CPU load or not. If the switch behaved as documented,
the ACL would only show packets that are targeting 1.1.1.126, aka "the
management IP". Remember, it's a *L2 switch*, which doesn't need or want
to know anything about transit IP packets (caveat: if you put an IP ACL
on one of the "GigabitEthernet" interfaces, 2950 and 2960 will be able
to do some limited L3 filtering, but that does not apply to vlan interfaces)
- the argument for "due to buffer overflow, there will be some loss" is
good for packets that are *permitted* and logged. These packets are
*denied* and logged, so even if it did what it tries to do, it should lose
100% (some due to ACL deny, some due to buffer overflow), and not just
a few percent.
> This is the best way I understand it; experts can chime in.
You might want to refresh your memory about the different processing
in L2 switches and L3 routing devices...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de