Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6401
Views
5
Helpful
5
Replies

CEF help please

Go to solution
burleyman
Level 8
Level 8

‎02-10-2010 01:37 PM - edited ‎03-06-2019 09:39 AM

In studying for my CCNP BCMSN I started reading more on CEF. While I had a overview understanding of this I am now looking more in depth for my exam....Now to my question. I ran the show ip cef switching statistics command to just check what it looked like on our core switch and I found some things I have questions on so I am hoping someone can help as I may have an issue....or not. I ran the command back to back 3 times and I see the counters on Punts, Drops, and Punt2Host are incrementing, is this something that could be normal or is it something I should look further into? Attached is the output.

Also can someone explain what each of these are just so I am clear...I think I know but I am not an expert.

RP LES Packet destined for us

RP LES No adjacency

RP LES TTL expired

RP LES IP redirects 

RP LES Unclassified reason

RP LES Neighbor resolution req

Thanks for your help,

Mike

Labels:
60915-6509-vss_CEF_stats.txt.zip
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-10-2010 01:48 PM

Hello Mike,

RP = route processor, LES I don't know however these are packet categories that are not processed by CEF but punted to main cpu

let's go on:

Packet destined for us: a packet for a RP ip address for example a routing protocol message or an STP BPDU or a CDP or VTP message

No adjacency: the CEF entry is not present or totally built so the packet is sent to the RP for example in order to perform an ARP request for a PC in a connected vlan.

TTL expired: sent to RP in order to build an ICMP unreachable to sent to source of expired packet

IP redirects: again an ICMP message that has to be processed by RP in order to modify a CEF entry because a better next-hop exists for the destination

Neigh  resol request:  a request for an ARP request to resolve a next-hop address typically of another networking device, probably used as next-hop in a static route

unclassified: all other possible reasons

Hope to help

Giuseppe

View solution in original post

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to burleyman

‎02-12-2010 08:37 AM

Hello Mike,

punt packets are packets sent to the main CPU for processing

drops are packets that should be sent to the main CPU, but they aren't sent in an attempt to protect the cpu from unnecessary load.

Let's make an example: suppose packets are received for a destination address that is in a connected vlan but for which no valid ARP entry exists.

Le't ssuppose it is an UDP flow: multiple packets can be sent before the ARP process completes.

First packet triggers the ARP request process if other packets arrive in a short time there is no use on sending them to the CPU, because the end result is the same a trigger for the ARP request for the same specific IP address.

So these packets can be put on some buffer waiting for the ARP process to completes.

The buffer has finite size so over time some packets have to be dropped.

To understand if these numbers are low you should compare them with total traffic statistics on the switch if they are a small percentage of total traffic you are in a normal condition.

Hope to help

Giuseppe

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-10-2010 01:48 PM

Hello Mike,

RP = route processor, LES I don't know however these are packet categories that are not processed by CEF but punted to main cpu

let's go on:

Packet destined for us: a packet for a RP ip address for example a routing protocol message or an STP BPDU or a CDP or VTP message

No adjacency: the CEF entry is not present or totally built so the packet is sent to the RP for example in order to perform an ARP request for a PC in a connected vlan.

TTL expired: sent to RP in order to build an ICMP unreachable to sent to source of expired packet

IP redirects: again an ICMP message that has to be processed by RP in order to modify a CEF entry because a better next-hop exists for the destination

Neigh  resol request:  a request for an ARP request to resolve a next-hop address typically of another networking device, probably used as next-hop in a static route

unclassified: all other possible reasons

Hope to help

Giuseppe

0 Helpful

Go to solution
burleyman
Level 8
Level 8
In response to Giuseppe Larosa

‎02-10-2010 01:55 PM

Thanks based on your post looks like I did know what some were....rate 5

Now based on my attachment I am seeing alot of Punt's and Drops are these something I should look further into or would these be normal thing I would see? Also, what could I do to track down what maybe causing these?

Thanks for your help,

Mike

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to burleyman

‎02-12-2010 08:37 AM

Hello Mike,

punt packets are packets sent to the main CPU for processing

drops are packets that should be sent to the main CPU, but they aren't sent in an attempt to protect the cpu from unnecessary load.

Let's make an example: suppose packets are received for a destination address that is in a connected vlan but for which no valid ARP entry exists.

Le't ssuppose it is an UDP flow: multiple packets can be sent before the ARP process completes.

First packet triggers the ARP request process if other packets arrive in a short time there is no use on sending them to the CPU, because the end result is the same a trigger for the ARP request for the same specific IP address.

So these packets can be put on some buffer waiting for the ARP process to completes.

The buffer has finite size so over time some packets have to be dropped.

To understand if these numbers are low you should compare them with total traffic statistics on the switch if they are a small percentage of total traffic you are in a normal condition.

Hope to help

Giuseppe

0 Helpful

Go to solution
lamav
Level 8
Level 8
In response to Giuseppe Larosa

‎02-12-2010 10:30 AM

A punted packet may also be dropped to protect the RP from a DoS attack, as is the case with CoPP. You may wanna check if CoPP is configured...

{EDIT} By the way, LES stands for different things, depending on the switch platform. On a 7200 series router it stands for low-end switching with CEF. On a 7500, it denotes the CEF switched path for an RSP. Basically, it refers to the switched path where the IP CEF statistics were taken...I dont think it gives you any qualitative information, really...{EDIT}

Go to solution
burleyman
Level 8
Level 8
In response to lamav

‎02-12-2010 01:17 PM

Thank you both for your help on this. It has helped me understand.

Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card