ACL matched packets and NAT matched packets are switched by CEF ?

snakayama · ‎12-16-2007

Hi everyone,

I have the question about how the packets that match the access-list and match NAT statement are switched on CEF enabled IOS router. Router is Cisco 7301, Cisco 3825 and Cisco 2811 and all of interfaces are CEF enabled.

The access-list does not use"log" keyword, so I personally think packets that match the access-list are always CEF switched that means all packets that match the access-list never punt to CPU (process switching).

I also think the packets that match the NAT statement also always CEF switched and not punt to CPU (process switching) as long as existing entries of those packets in CEF table which means if there are no entry for the packets that match NAT statement in CEF table, such as first incoming/outgoing packet, those packets punt to CPU (process switching) to resolve adjacency.

My understanding correct ?

Or first incoming/outgoing packet that match the access-list and NAT statement always punts to CPU (process switching) ?

Or all packets that match the access-list and NAT statement always punts to CPU (process switching) ?

Your information would be appreciated.

Regards,

Shinichi

bvsnarayana03 · ‎12-16-2007

For switches enabled with cef, TCAM is used.

http://books.google.com/books?id=TGbuJcM2Tz0C&pg=PA166&lpg=PA166&dq=are+acl+matches+cef+switched&source=web&ots=dynFoWyZ6Y&sig=gciXiY2NrXoIBBIDgW5IC7f9z1o#PPA165,M1

Not sure how routers process acl's.