-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rodney,

>> 1) process switching which means invoking ip_input for every packet
>
> That is if you have CEF disabled. Let's forget the "ip fastswitching"
> discussion because after 12.4(20)T it's gone. It's process or CEF only.

That was a recall. It wasn't my intention to go too deep into this.

> That means you have a lot of interrupt traffic transit the box and some
> is getting punted to process level after a lookup in the rx CEF routines
> or either further down the CEF switching vector due to a feature punt.
[...]

All right, my understanding of the CEF mechanism was correct. And you are
saying the best way to actually check what these packets are is to push
12.4(20)T onto the box and start sniffing?

>> Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with
>> ACL like above?
>
> Depends on the exact ACL and other features configured.

Or by looking at the ACL you are able to pinpoint the "bad" ACL statements?
The ACL (extended) looks like this (from memory dump):

  ! deny rogue IPs (it is interesting how many catches are here)
  deny ip 10.0.0.0 .... any
  deny ip 192... any
  deny ip host 0.0.0.0 any
  etc....
  ! deny spoofing us...
  deny ip any
  deny ip any
  ! pings and traceroute
  permit icmp any any
  permit udp any any range 32xxx 34xxx
  ! transit providers
  permit tcp host host eq bgp
  permit tcp host eq bgp host
  ! Internet eXchanges - bgp/msdp
  permit tcp host eq bgp
  permit tcp eq bgp host
  deny ip any
  deny ip any
  ! some legacy stuff
  permit ip any host
  ! deny access to infrastructure
  deny ip any
  ...
  deny ip any
  permit ip any any

Also (maybe worth noting) we have CAR for ICMP packets enabled on the port (input).

> Probably normal. I'd suggest looking at the new ASR1000 that can do
> ACL's in hardware.

Any significant advantage over entry-level 6500/7600?

- -- 
- -mat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIxYbSIvBv0k5esR4RAgksAJ0XKkxBNTLzTQ0/MbG/pBYU5YdkFQCgpU4j
5aVcJsL7GI0+aWXUoXKAPlk=
=Bmcv
-----END PGP SIGNATURE-----
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
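Added example, not part of the thread above and not Cisco code: a small first-match evaluator in Python for the kind of extended ACL the post lists. It parses a subset of the IOS syntax (permit/deny, ip/tcp/udp/icmp, any/host/wildcard, eq/range on source or destination port), walks the entries top to bottom the way the router does, stops at the first match (implicit deny if nothing matches) and counts hits per entry, which is the "catches" figure the post refers to. Every prefix, peer address and port range in SAMPLE_ACL and SAMPLE_PACKETS is a constructed placeholder from the RFC 5737 documentation ranges, not the poster's real configuration, and the ordering of the entries is the one the post describes (bogons, anti-spoof, icmp/traceroute, BGP peers, infrastructure deny, permit any).

```python
"""Toy first-match evaluator for a Cisco-style extended ACL (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"bgp": 179}  # named ports understood by this toy parser


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol, otherwise exact
    src: IPv4Network
    sports: tuple             # (lo, hi) source-port range
    dst: IPv4Network
    dports: tuple             # (lo, hi) destination-port range
    text: str                 # original line, used for the hit report
    hits: int = 0


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(tokens, i):
    """'any' | 'host A' | 'A WILDCARD' -> (network, next index)."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a Cisco wildcard (host mask) after the slash, e.g. 10.0.0.0/0.255.255.255
    return IPv4Network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def _parse_ports(tokens, i):
    """Optional 'eq P' or 'range LO HI' -> ((lo, hi), next index); absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i


def parse_acl(text):
    """Parse the entries of an extended ACL in order; '!' comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        src, i = _parse_addr(t, 2)
        sports, i = _parse_ports(t, i)
        dst, i = _parse_addr(t, i)
        dports, i = _parse_ports(t, i)
        entries.append(Entry(t[0], t[1], src, sports, dst, dports, line))
    return entries


def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if IPv4Address(p.src) not in e.src or IPv4Address(p.dst) not in e.dst:
        return False
    if p.proto in ("tcp", "udp"):  # port qualifiers only apply to tcp/udp
        return e.sports[0] <= p.sport <= e.sports[1] and e.dports[0] <= p.dport <= e.dports[1]
    return True


def evaluate(entries, pkt):
    """First matching entry decides and gets the hit; no match is the implicit deny."""
    for e in entries:
        if _matches(e, pkt):
            e.hits += 1
            return e.action, e.text
    return "deny", "<implicit deny>"


SAMPLE_ACL = """
! deny rogue IPs (constructed placeholder prefixes)
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 0.0.0.0 any
! deny spoofing of our own (constructed) prefix
deny ip 203.0.113.0 0.0.0.255 any
! pings and traceroute
permit icmp any any
permit udp any any range 33434 33534
! transit provider BGP session (constructed peer addresses)
permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
permit tcp host 198.51.100.1 eq bgp host 203.0.113.1
! deny access to infrastructure (constructed /27)
deny ip any 203.0.113.0 0.0.0.31
permit ip any any
"""

SAMPLE_PACKETS = [  # constructed packets
    Packet("tcp", "10.1.2.3", "203.0.113.200", 1234, 80),      # bogon source
    Packet("tcp", "198.51.100.1", "203.0.113.1", 40000, 179),  # BGP from the peer
    Packet("tcp", "192.0.2.9", "203.0.113.1", 40000, 179),     # BGP from a stranger
    Packet("udp", "192.0.2.9", "203.0.113.200", 5000, 33440),  # traceroute probe
    Packet("icmp", "192.0.2.9", "203.0.113.5"),                # ping to infrastructure
    Packet("tcp", "203.0.113.8", "203.0.113.200", 1, 2),       # spoofed own-prefix source
    Packet("tcp", "192.0.2.9", "203.0.113.200", 40000, 443),   # ordinary transit
]


def run_demo():
    """Evaluate the sample packets; returns (list of actions, {entry text: hits})."""
    entries = parse_acl(SAMPLE_ACL)
    actions = [evaluate(entries, p)[0] for p in SAMPLE_PACKETS]
    return actions, {e.text: e.hits for e in entries}


if __name__ == "__main__":
    actions, hits = run_demo()
    for p, a in zip(SAMPLE_PACKETS, actions):
        print(f"{a:6} {p.proto:4} {p.src} -> {p.dst}:{p.dport}")
    for text, n in hits.items():
        print(f"{n:4} {text}")
```

Note that the ICMP and traceroute permits sit above the infrastructure deny, exactly as in the post's ordering, so a ping to an infrastructure address is permitted by the earlier line and never reaches the deny; the hit counters make that ordering effect visible, which is what "show access-lists" counters give on the router itself. The parser only understands the subset of syntax used above and is not a substitute for the IOS ACL engine.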