REPOST again, as FireGPG removed some important bits from the ACL.
Rodney,

>> 1) process switching which means invoking ip_input for every packet
>
> That is if you have CEF disabled. Let's forget the "ip fastswitching"
> discussion because after 12.4(20)T it's gone. It's process or CEF only.

That was a recall. It wasn't my intention to go too deep into this.

> That means you have a lot of interrupt traffic transit the box and some
> is getting punted to process level after a lookup in the rx CEF routines
> or either further down the CEF switching vector due to a feature punt.

[...]

All right. My understanding of the CEF mechanism was correct. And you are saying the best way to actually check what these packets are is to push 12.4(20)T on to the box and start sniffing?

>> Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with
>> ACL like above?
>
> Depends on the exact ACL and other features configured.

Or, by looking at the ACL, are you able to pinpoint the "bad" ACL statements? The ACL (extended) looks like this (from memory dump):

    ! deny rogue IPs (it is interesting how many catches are here)
    deny ip 10.0.0.0 .... any
    deny ip 192... any
    deny ip host 0.0.0.0 any
    etc....
    ! deny spoofing us...
    deny ip OURBLOCK1 any
    deny ip OURBLOCK2 any
    ! pings and traceroute
    permit icmp any any
    permit udp any any range 32xxx 34xxx
    ! transit providers
    permit tcp host THEM1 host US1 eq bgp
    permit tcp host THEM1 eq bgp host US1
    ! Internet eXchanges - bgp/msdp
    permit tcp THEM2 WCARD2 host US2 eq bgp
    permit tcp THEM2 WCARD2 eq bgp host US2
    deny ip any US1
    deny ip any US2
    ! some legacy stuff
    permit ip any host XXX
    ! deny access to infrastructure
    deny ip any NETWORK_1
    ...
    deny ip any NETWORK_N
    permit ip any any

Also (maybe worth noting) we got CAR for ICMP packets enabled on the port (input).

> Probably normal. I'd suggest looking at the new ASR1000 that can do
> ACL's in hardware.

Any significant advantage over entry-level 6500/7600?
-- 
-mat

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
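The ACL in the post is evaluated top down, first match wins, with an implicit deny at the end; that ordering is what decides whether the "deny ip any US1" lines actually protect the router address or whether an earlier broad permit (ICMP, the traceroute UDP range) reaches it first. The following is an added example, not code from the post or from Cisco: a small first-match evaluator for an extended ACL of the same shape, with constructed documentation-range addresses standing in for OURBLOCK1, NETWORK_1, THEM1/US1 and THEM2 WCARD2/US2, and an approximated bogon list and traceroute port range. It returns the action and the line number of the entry that matched, which is the same information you would want from `show access-lists` hit counters when hunting for the entries that carry the traffic.

```python
"""First-match evaluation of an IOS-style extended ACL (added example).

Addresses, the bogon list and the traceroute port range are constructed
placeholders for the symbolic names in the post, not real values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

BGP = 179
PortRange = Optional[Tuple[int, int]]


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: PortRange = None     # inclusive source-port range, None = any
    dport: PortRange = None     # inclusive destination-port range


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def net(spec: str) -> ipaddress.IPv4Network:
    """Translate 'any', 'host A.B.C.D' or a CIDR prefix into a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    return ipaddress.IPv4Network(spec)


def rule(action, proto, src, dst, sport=None, dport=None) -> Rule:
    return Rule(action, proto, net(src), net(dst), sport, dport)


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if ipaddress.IPv4Address(p.src) not in r.src:
        return False
    if ipaddress.IPv4Address(p.dst) not in r.dst:
        return False
    return _port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport)


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (action, 1-based line of the first matching entry).
    Line 0 stands for the implicit 'deny ip any any' at the end of the list."""
    for line, r in enumerate(acl, 1):
        if matches(r, p):
            return r.action, line
    return "deny", 0


# Constructed placeholders (RFC 5737 documentation ranges).
OURBLOCK1 = "198.51.100.0/24"                 # our customer block
NETWORK_1 = "198.51.100.0/26"                 # infrastructure inside it
THEM1, US1 = "203.0.113.1", "203.0.113.2"     # transit link: their side, ours
IX_LAN, US2 = "192.0.2.0/24", "192.0.2.10"    # exchange LAN and our IX port

EDGE_ACL = [
    rule("deny",   "ip",   "10.0.0.0/8",     "any"),                 # rogue sources
    rule("deny",   "ip",   "192.168.0.0/16", "any"),
    rule("deny",   "ip",   "host 0.0.0.0",   "any"),
    rule("deny",   "ip",   OURBLOCK1,        "any"),                 # anti-spoofing
    rule("permit", "icmp", "any",            "any"),                 # ping
    rule("permit", "udp",  "any", "any", dport=(33434, 33534)),      # traceroute
    rule("permit", "tcp",  "host " + THEM1, "host " + US1, dport=(BGP, BGP)),
    rule("permit", "tcp",  "host " + THEM1, "host " + US1, sport=(BGP, BGP)),
    rule("permit", "tcp",  IX_LAN,          "host " + US2, dport=(BGP, BGP)),
    rule("permit", "tcp",  IX_LAN,          "host " + US2, sport=(BGP, BGP)),
    rule("deny",   "ip",   "any",           "host " + US1),          # nothing else to us
    rule("deny",   "ip",   "any",           "host " + US2),
    rule("deny",   "ip",   "any",           NETWORK_1),              # infrastructure
    rule("permit", "ip",   "any",           "any"),                  # transit traffic
]


def check(proto, src, dst, sport=0, dport=0) -> Tuple[str, int]:
    """Evaluate one constructed packet against EDGE_ACL."""
    return evaluate(EDGE_ACL, Packet(proto, src, dst, sport, dport))


if __name__ == "__main__":
    for args in [("tcp", THEM1, US1, 40000, BGP),          # peer BGP session
                 ("tcp", "203.0.113.77", US1, 40000, BGP), # stranger to our BGP port
                 ("udp", "203.0.113.77", US1, 40000, 33434)]:  # traceroute probe
        print(args, "->", check(*args))
```

The third sample packet is the instructive one: a UDP traceroute probe addressed to US1 is permitted at line 6, before the "deny ip any host US1" at line 11 is ever consulted, so the traceroute permit is part of what reaches the router's own address. Running the evaluator over a capture of punted packets, rather than over hand-built samples, is a cheap way to see which entry each flow lands on before touching the production ACL.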