Let me put it this way: CEF is doing the job of receiving and transmitting the packets in and out of the box as fast as it can for normal processing, without any help from the CPU.
The packets that need special treatment, like your denied statement logging, it transfers to the CPU for further processing, but before it can do that the packets are put into a holding buffer in case the CPU is busy. Now what if your buffer already has some packets waiting to be processed by the CPU? There is no room for the packet that came in last, so those packets are dropped. This is the best way I understand it; experts can chime in.

-Manish

On Mon, Jan 13, 2014 at 4:26 PM, Gert Doering <[email protected]> wrote:

> Hi,
>
> On Mon, Jan 13, 2014 at 04:15:40PM -0500, MANISH wrote:
> > when you have a statement something like
> > " access-list 100 deny ip any any log " actually what is happening all
> > the packets that are getting denied are getting punted to CPU
>
> Well, this is sort of missing the point, which is
>
> "why are the packets denied?"
>
> I know that logged packets are punted, but on a *L2 switch*, no transit(!)
> packets should ever hit a vlan ACL (which others confirmed, thanks), so
> the question "is logging good or bad" is somewhat moot.
>
> Actually it was quite good that logging was on, because otherwise we would
> have seen "some packet drops" with no hint where it was happening...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany [email protected]
> fax: +49-89-35655025 [email protected]

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
