That cef command was pretty useful. Before you scroll down to the output/stats, here are the only two bugs that look like they might be related to my issue.

With test #1 (everything disabled), it was ALL process switched. Test #2 looks slightly better with only IP virtual-reassembly enabled. Something is going on here and I'm more puzzled than ever. Test #3 caused lots of process switching when doing the speed tests(???). Test #4 is even more surprising because things seem better under "normal" traffic loads. Thoughts? I'd like to find an FTP server to test against instead of using speedguide, speakeasy, etc.

CSCsa67785 Bug Details
crypto-map/NAT/IPS wont work properly in CEF path

Symptoms: Packets may be dropped on the interface when NAT/IPSEC/IPS is configured on the same interface.
Conditions: If IPSec/NAT and CBAC or IPS/IDS is configured on the same interface and the packet gets punted by any of the features, then the packet may be dropped.
Workaround: Remove from the configuration the feature which punts the packet to process path.

CSCtd25213 Bug Details
NAT not working for locally generated packets

Symptoms: NAT is not working for locally-generated packets.
Conditions: This symptom is observed when NAT is configured for inside and outside addresses, and when a self-generated packet is sent to OL.
Workaround: Instead of using dynamic NAT, use static NAT for self-generated packets.

1) disabled cbac/acl and ip virtual-reassembly

interface FastEthernet0/1
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
end

rtr2811#sh int fa0/1 stats
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      12212     757602        133      16723
             Route cache        173      20535        270      35125
                   Total      12385     778137        403      51848

rtr2811#sh ip cef switching statistics feature
IPv4 CEF input features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
NAT Outside                  0          0          0         25          0
Total                        0          0          0         25          0

IPv4 CEF output features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Post-routing NAT             0          0          0         68          0
Total                        0          0          0         68          0

IPv4 CEF post-encap features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF for us features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF punt features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF local features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
Total                        0          0          0          0          0
rtr2811#

2) enabled ip virtual-reassembly ONLY

interface FastEthernet0/1
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
end

rtr2811#sh int fa0/1 stats
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor       1277      78657         16       1589
             Route cache         14       3851         32       4087
                   Total       1291      82508         48       5676

rtr2811#sh ip cef switching statistics feature
IPv4 CEF input features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
NAT Outside                  0          0          0          1          0
Total                        0          0          0          1          0

IPv4 CEF output features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Post-routing NAT             0          0          0         12          0
Total                        0          0          0         12          0

IPv4 CEF post-encap features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF for us features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF punt features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF local features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
Total                        0          0          0          0          0
rtr2811#

NOTE: After this I enabled CBAC-int & Ext_ACL-inbound again. Performance was almost as good as #2 still. I also cleared counters once more and waited 10 minutes. Here are the results again. Any ideas????

3) I ran a speedtest on www.speakeasy.net and process switching went through the roof

rtr2811#sh int fa0/1 stats
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      17858    1157573        467     143934
             Route cache       1072     964530        837      98966
                   Total      18930    2122103       1304     242900
rtr2811#
rtr2811#running speedtest now
        ^
% Invalid input detected at '^' marker.

rtr2811#sh int fa0/1 stats
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      21414    1379133        507     159277
             Route cache      10317   10944391       8426    7415536
                   Total      31731   12323524       8933    7574813
rtr2811#sh int fa0/1 stats
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      21490    1384753        513     162841
             Route cache      10322   10946281       8426    7415536
                   Total      31812   12331034       8939    7578377
rtr2811#

4) cleared counters one last time and let it run from midnight to 9:39am

rtr2811#sh int fa0/1 stats
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor    2091010  132620733      42136   13987400
             Route cache      42156   32749186      36559   10473996
                   Total    2133166  165369919      78695   24461396

rtr2811#sh ip cef switching statistics feature
IPv4 CEF input features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
Access List              11840          0          0      13286          0
NAT Outside                  0          0          0       3389          0
Total                    11840          0          0      16675          0

IPv4 CEF output features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Post-routing NAT             0          0          0      28310          0
Firewall (inspec            57          0          0         13          0
Total                       57          0          0      28323          0

IPv4 CEF post-encap features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF for us features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF punt features:
Feature                   Drop    Consume       Punt  Punt2Host    New i/f
Total                        0          0          0          0          0

IPv4 CEF local features:
Feature                   Drop    Consume       Punt  Punt2Host Gave route
Total                        0          0          0          0          0
rtr2811#

On Thu, Dec 22, 2011 at 4:24 PM, Reuben Farrelly <reuben-cisco-...@reub.net> wrote:

> The command:
>
> router#show ip cef switching statistics feature
>
> Will show you which feature is causing traffic to be punted to CPU.
>
> Reuben
>
> On 23/12/2011 7:42 AM, Chuck Church wrote:
>
>> You're on the right path. The more important number is the packets in/out,
>> as opposed to the characters. Look at the ratio of packets in/out for
>> processor vs. Route-cache for the two interfaces. Fa0/1 is process
>> switching about 80% of them inbound. That's pretty bad. The output looks
>> better. Compare that to VLAN 10, where in both directions, only about 10%
>> are process switched. The stats for the switchports are meaningless, so you
>> can ignore those as the switch ASICs deal with those, until they hit the
>> VLAN int. Figure out what feature (or IOS bug??) is causing so much process
>> switching, and I think it'll get better.
>>
> _______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
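
Added example, not part of the original thread: a Python sketch of the packet-ratio check Chuck Church describes, run over the two "sh int fa0/1 stats" snapshots from test 3, both since the counters were cleared and for the interval between the snapshots. The function names are illustrative, and the parser assumes the column layout shown in this thread.

```python
import re

# The two "sh int fa0/1 stats" snapshots taken around the speed test (test 3).
BEFORE = """\
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      17858    1157573        467     143934
             Route cache       1072     964530        837      98966
                   Total      18930    2122103       1304     242900
"""
AFTER = """\
FastEthernet0/1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      21414    1379133        507     159277
             Route cache      10317   10944391       8426    7415536
                   Total      31731   12323524       8933    7574813
"""

# Path name, then Pkts In / Chars In / Pkts Out / Chars Out (packets captured).
ROW = re.compile(r"^\s*(Processor|Route cache|Total)\s+(\d+)\s+\d+\s+(\d+)\s+\d+\s*$")

def parse_stats(text):
    """Map switching path -> (pkts_in, pkts_out) for one interface's stats."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    if not {"Processor", "Total"} <= rows.keys():
        raise ValueError("no Processor/Total rows; not 'show interfaces stats' output?")
    return rows

def process_share(rows):
    """Percent of packets process switched, as (inbound, outbound)."""
    proc, total = rows["Processor"], rows["Total"]
    return tuple(round(100.0 * p / t, 1) if t else 0.0 for p, t in zip(proc, total))

def interval(before, after):
    """Counters accumulated between two snapshots; rejects a counter reset."""
    out = {}
    for path in ("Processor", "Total"):
        diff = tuple(a - b for a, b in zip(after[path], before[path]))
        if min(diff) < 0:
            raise ValueError("counters went backwards (cleared between snapshots?)")
        out[path] = diff
    return out

if __name__ == "__main__":
    b, a = parse_stats(BEFORE), parse_stats(AFTER)
    print(process_share(b), process_share(a), process_share(interval(b, a)))
```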