02-10-2010 01:37 PM - edited 03-06-2019 09:39 AM
In studying for my CCNP BCMSN I started reading more on CEF. While I had a overview understanding of this I am now looking more in depth for my exam....Now to my question. I ran the show ip cef switching statistics command to just check what it looked like on our core switch and I found some things I have questions on so I am hoping someone can help as I may have an issue....or not. I ran the command back to back 3 times and I see the counters on Punts, Drops, and Punt2Host are incrementing, is this something that could be normal or is it something I should look further into? Attached is the output.
Also can someone explain what each of these are just so I am clear...I think I know but I am not an expert.
RP LES Packet destined for us
RP LES No adjacency
RP LES TTL expired
RP LES IP redirects
RP LES Unclassified reason
RP LES Neighbor resolution req
Thanks for your help,
Mike
Solved! Go to Solution.
02-10-2010 01:48 PM
Hello Mike,
RP = route processor, LES I don't know however these are packet categories that are not processed by CEF but punted to main cpu
let's go on:
Packet destined for us: a packet for a RP ip address for example a routing protocol message or an STP BPDU or a CDP or VTP message
No adjacency: the CEF entry is not present or totally built so the packet is sent to the RP for example in order to perform an ARP request for a PC in a connected vlan.
TTL expired: sent to RP in order to build an ICMP unreachable to sent to source of expired packet
IP redirects: again an ICMP message that has to be processed by RP in order to modify a CEF entry because a better next-hop exists for the destination
Neigh resol request: a request for an ARP request to resolve a next-hop address typically of another networking device, probably used as next-hop in a static route
unclassified: all other possible reasons
Hope to help
Giuseppe
02-12-2010 08:37 AM
Hello Mike,
punt packets are packets sent to the main CPU for processing
drops are packets that should be sent to the main CPU, but they aren't sent in an attempt to protect the cpu from unnecessary load.
Let's make an example: suppose packets are received for a destination address that is in a connected vlan but for which no valid ARP entry exists.
Le't ssuppose it is an UDP flow: multiple packets can be sent before the ARP process completes.
First packet triggers the ARP request process if other packets arrive in a short time there is no use on sending them to the CPU, because the end result is the same a trigger for the ARP request for the same specific IP address.
So these packets can be put on some buffer waiting for the ARP process to completes.
The buffer has finite size so over time some packets have to be dropped.
To understand if these numbers are low you should compare them with total traffic statistics on the switch if they are a small percentage of total traffic you are in a normal condition.
Hope to help
Giuseppe
02-10-2010 01:48 PM
Hello Mike,
RP = route processor, LES I don't know however these are packet categories that are not processed by CEF but punted to main cpu
let's go on:
Packet destined for us: a packet for a RP ip address for example a routing protocol message or an STP BPDU or a CDP or VTP message
No adjacency: the CEF entry is not present or totally built so the packet is sent to the RP for example in order to perform an ARP request for a PC in a connected vlan.
TTL expired: sent to RP in order to build an ICMP unreachable to sent to source of expired packet
IP redirects: again an ICMP message that has to be processed by RP in order to modify a CEF entry because a better next-hop exists for the destination
Neigh resol request: a request for an ARP request to resolve a next-hop address typically of another networking device, probably used as next-hop in a static route
unclassified: all other possible reasons
Hope to help
Giuseppe
02-10-2010 01:55 PM
Thanks based on your post looks like I did know what some were....rate 5
Now based on my attachment I am seeing alot of Punt's and Drops are these something I should look further into or would these be normal thing I would see? Also, what could I do to track down what maybe causing these?
Thanks for your help,
Mike
02-12-2010 08:37 AM
Hello Mike,
punt packets are packets sent to the main CPU for processing
drops are packets that should be sent to the main CPU, but they aren't sent in an attempt to protect the cpu from unnecessary load.
Let's make an example: suppose packets are received for a destination address that is in a connected vlan but for which no valid ARP entry exists.
Le't ssuppose it is an UDP flow: multiple packets can be sent before the ARP process completes.
First packet triggers the ARP request process if other packets arrive in a short time there is no use on sending them to the CPU, because the end result is the same a trigger for the ARP request for the same specific IP address.
So these packets can be put on some buffer waiting for the ARP process to completes.
The buffer has finite size so over time some packets have to be dropped.
To understand if these numbers are low you should compare them with total traffic statistics on the switch if they are a small percentage of total traffic you are in a normal condition.
Hope to help
Giuseppe
02-12-2010 10:30 AM
A punted packet may also be dropped to protect the RP from a DoS attack, as is the case with CoPP. You may wanna check if CoPP is configured...
{EDIT} By the way, LES stands for different things, depending on the switch platform. On a 7200 series router it stands for low-end switching with CEF. On a 7500, it denotes the CEF switched path for an RSP. Basically, it refers to the switched path where the IP CEF statistics were taken...I dont think it gives you any qualitative information, really...{EDIT}
02-12-2010 01:17 PM
Thank you both for your help on this. It has helped me understand.
Mike
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide