When you have a statement something like "access-list 100 deny ip any any log", what is actually happening is that all the packets that are getting denied are getting punted to the CPU.

Normally packets should not be hitting the CPU; the ASIC should be able to handle it and CEF will get the job done. But in case you need to see what is getting denied, you have the statement "log" at the end of the ACL. The ASIC does not handle such packets and forwards them to the CPU. The CPU is resource intensive and needs to handle a lot of things other than logging your denied packets, hence you are seeing a sluggish response. Try removing the "access-list 100 deny ip any any log" from your config and watch the results.

"deny ip any any log" is sort of a troubleshooting tool, not a permanent way to log what's getting denied. If you need a permanent solution, get NetFlow to do the job.

HTH
-Manish

On Mon, Jan 13, 2014 at 4:03 PM, Gert Doering <[email protected]> wrote:
> Hi,
>
> On Mon, Jan 13, 2014 at 02:59:31PM -0500, Chuck Church wrote:
> > Is there a bug that is setting the Ethernet broadcast bit accidentally
> > internally?
>
> Well, I had the assumption that it could be flooded packets due to
> missing MAC table entries, but since I've seen the same IP address
> logged both as source and destination, I'm fairly sure there is no
> flooding going on...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/
> Gert Doering - Munich, Germany [email protected]
> fax: +49-89-35655025 [email protected]
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
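The configuration pattern Manish describes, shown as an added illustration that is not part of the thread: the first block is the ACL with the log keyword, which sends every denied packet to the CPU; the second is the same policy with log removed so denies stay in the hardware forwarding path, with NetFlow configured for permanent visibility of traffic. The interface name, the 10.0.0.0/8 prefix, the collector address 192.0.2.10 and the export port are assumed values for this example; command availability, the logging interval default and the exact handling of logged packets vary by IOS platform, so verify on your own box.

```cisco
! --- Before (constructed example): every denied packet is punted to the CPU ---
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group 100 in
!
! --- After: same policy, denies handled in hardware, NetFlow for visibility ---
! Removing a numbered ACL deletes the whole list; re-enter it immediately,
! because an applied but non-existent ACL permits all traffic in the interim.
no access-list 100
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip any any
!
! If the log keyword must stay on for a short troubleshooting window, bound how
! often matches are reported so the CPU is not hit for every packet
! (value in milliseconds; assumed to be supported on the target platform).
ip access-list logging interval 1000
!
! Permanent answer to "what is being dropped": export flow records instead.
ip flow-export version 9
ip flow-export destination 192.0.2.10 2055
interface GigabitEthernet0/1
 ip flow ingress
!
! --- Checks: confirm the CPU load drops and the ACL still counts denies ---
! show processes cpu sorted
! show ip access-lists 100
```

The two show commands at the end are the before/after comparison: run them with the log keyword present, then after removing it, and the process list should no longer show the IP input process dominating while the deny counter on the ACL keeps incrementing.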
