CEF help please

Answered Question
Feb 10th, 2010

In studying for my CCNP BCMSN I started reading more on CEF. While I had a overview understanding of this I am now looking more in depth for my exam....Now to my question. I ran the show ip cef switching statistics command to just check what it looked like on our core switch and I found some things I have questions on so I am hoping someone can help as I may have an issue....or not. I ran the command back to back 3 times and I see the counters on Punts, Drops, and Punt2Host are incrementing, is this something that could be normal or is it something I should look further into? Attached is the output.

Also can someone explain what each of these are just so I am clear...I think I know but I am not an expert.

RP LES Packet destined for us

RP LES No adjacency

RP LES TTL expired

RP LES IP redirects 

RP LES Unclassified reason

RP LES Neighbor resolution req

Thanks for your help,

Mike

I have this problem too.
0 votes
Correct Answer by Giuseppe Larosa about 6 years 10 months ago

Hello Mike,

punt packets are packets sent to the main CPU for processing

drops are packets that should be sent to the main CPU, but they aren't sent in an attempt to protect the cpu from unnecessary load.

Let's make an example: suppose packets are received for a destination address that is in a connected vlan but for which no valid ARP entry exists.

Le't ssuppose it is an UDP flow: multiple packets can be sent before the ARP process completes.

First packet triggers the ARP request process if other packets arrive in a short time there is no use on sending them to the CPU, because the end result is the same a trigger for the ARP request for the same specific IP address.

So these packets can be put on some buffer waiting for the ARP process to completes.

The buffer has finite size so over time some packets have to be dropped.

To understand if these numbers are low you should compare them with total traffic statistics on the switch if they are a small percentage of total traffic you are in a normal condition.

Hope to help

Giuseppe

Correct Answer by Giuseppe Larosa about 6 years 10 months ago

Hello Mike,

RP = route processor, LES I don't know however these are packet categories that are not processed by CEF but punted to main cpu

let's go on:

Packet destined for us: a packet for a RP ip address for example a routing protocol message or an STP BPDU or a CDP or VTP message

No adjacency: the CEF entry is not present or totally built so the packet is sent to the RP for example in order to perform an ARP request for a PC in a connected vlan.

TTL expired: sent to RP in order to build an ICMP unreachable to sent to source of expired packet

IP redirects: again an ICMP message that has to be processed by RP in order to modify a CEF entry because a better next-hop exists for the destination

Neigh  resol request:  a request for an ARP request to resolve a next-hop address typically of another networking device, probably used as next-hop in a static route

unclassified: all other possible reasons

Hope to help

Giuseppe

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Correct Answer
Giuseppe Larosa Wed, 02/10/2010 - 13:48

Hello Mike,

RP = route processor, LES I don't know however these are packet categories that are not processed by CEF but punted to main cpu

let's go on:

Packet destined for us: a packet for a RP ip address for example a routing protocol message or an STP BPDU or a CDP or VTP message

No adjacency: the CEF entry is not present or totally built so the packet is sent to the RP for example in order to perform an ARP request for a PC in a connected vlan.

TTL expired: sent to RP in order to build an ICMP unreachable to sent to source of expired packet

IP redirects: again an ICMP message that has to be processed by RP in order to modify a CEF entry because a better next-hop exists for the destination

Neigh  resol request:  a request for an ARP request to resolve a next-hop address typically of another networking device, probably used as next-hop in a static route

unclassified: all other possible reasons

Hope to help

Giuseppe

burleyman Wed, 02/10/2010 - 13:55

Thanks based on your post looks like I did know what some were....rate 5

Now based on my attachment I am seeing alot of Punt's and Drops are these something I should look further into or would these be normal thing I would see? Also, what could I do to track down what maybe causing these?

Thanks for your help,

Mike

Correct Answer
Giuseppe Larosa Fri, 02/12/2010 - 08:37

Hello Mike,

punt packets are packets sent to the main CPU for processing

drops are packets that should be sent to the main CPU, but they aren't sent in an attempt to protect the cpu from unnecessary load.

Let's make an example: suppose packets are received for a destination address that is in a connected vlan but for which no valid ARP entry exists.

Le't ssuppose it is an UDP flow: multiple packets can be sent before the ARP process completes.

First packet triggers the ARP request process if other packets arrive in a short time there is no use on sending them to the CPU, because the end result is the same a trigger for the ARP request for the same specific IP address.

So these packets can be put on some buffer waiting for the ARP process to completes.

The buffer has finite size so over time some packets have to be dropped.

To understand if these numbers are low you should compare them with total traffic statistics on the switch if they are a small percentage of total traffic you are in a normal condition.

Hope to help

Giuseppe

lamav Fri, 02/12/2010 - 10:30

A punted packet may also be dropped to protect the RP from a DoS attack, as is the case with CoPP. You may wanna check if CoPP is configured...

{EDIT} By the way, LES stands for different things, depending on the switch platform. On a 7200 series router it stands for low-end switching with CEF. On a 7500, it denotes the CEF switched path for an RSP. Basically, it refers to the switched path where the IP CEF statistics were taken...I dont think it gives you any qualitative information, really...{EDIT}

burleyman Fri, 02/12/2010 - 13:17

Thank you both for your help on this. It has helped me understand.

Mike

Actions

This Discussion