[c-nsp] 2960S vlan ACL eating some L2 transit packets!?

MANISH chaurasia.manish at gmail.com
Mon Jan 13 16:53:17 EST 2014


Let me put it this way:

CEF is doing the job of receiving and transmitting the packets in and out
of the box as fast as it can for normal processing, without any help from
the CPU.

The packets that need special treatment, like your denied statement
logging, it transfers to the CPU for further processing, but before it can
do that the packets are put into a holding buffer in case the CPU is busy.
Now what if your buffer already has some packets waiting to be processed by
the CPU? There is no room for the packet that came in last, so those
packets are dropped.

This is the best way I understand it; experts can chime in.

-Manish



On Mon, Jan 13, 2014 at 4:26 PM, Gert Doering <gert at greenie.muc.de> wrote:

> Hi,
>
> On Mon, Jan 13, 2014 at 04:15:40PM -0500, MANISH wrote:
> > when you have a statement something like
> > " access-list 100 deny   ip any any log " actually what is happening all
> > the packets that are getting denied are getting punted to CPU
>
> Well, this is sort of missing the point, which is
>
>   "why are the packets denied?"
>
> I know that logged packets are punted, but on a *L2 switch*, no transit(!)
> packets should ever hit a vlan ACL (which others confirmed, thanks), so
> the question "is logging good or bad" is somewhat moot.
>
> Actually it was quite good that logging was on, because otherwise we would
> have seen "some packet drops" with no hint where it was happening...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

