Sh cef drop

Encap_fail is increasing; pinging the tunnel public IP of the hub from the spoke results in packet loss.
On one of the spokes:
interface Tunnel1
bandwidth 1000
ip address y.y.y.y4 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication ***********
ip nhrp map y.y.y.y x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 93
ip nhrp holdtime 300
ip nhrp nhs y.y.y.y
ip route-cache flow
delay 1000
tunnel source Serial0/0/0
tunnel mode gre multipoint
tunnel key #########
ping x.x.x.x rep 200 (from spoke)
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 216.116.252.70, timeout is 2 seconds:
Success rate is 97 percent (194/200), round-trip min/avg/max = 28/30/48 ms
sh cef dr
CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj  ChkSum_Err
RP         51124           0           0           0           0           0

Hi,
I can't give you a 100% answer, but to my understanding the counter above increases in at least the following conditions:
Traffic dropped by the "security-level" check when not using ACLs on the interface (traffic from lower to higher denied)
Traffic dropped by an interface "access-list" attached with the "access-group" command
Traffic dropped because the interfaces have equal "security-level" and "same-security-traffic" has not been used to enable it. (Even if ACLs are configured you will need this
As I said, I can't say this with 100% certainty, but the above situations sure do end with an ACL drop when you are testing with "packet-tracer". Unless I have remembered something wrong.
I'd assume that most of these ACL drops result in traffic hitting your ASA's external interface connected to the Internet. There is usually constant scanning traffic day by day that increases the counter.
- Jouni

Similar Messages

  • IP cef issues

    Hello -
    I am having issues with cef between my VPN tunnel and my LAN interface, and was hoping someone point me in the correct direction on solving this issue.
    Currently, I have been confirming connectivity to a remote office using ICMP. IP CEF is enabled by default on the 1841 router, which is the end-point of the VPN tunnel originating on a VPN concentrator at the main office. For some reason, when I ping an IP address on the LAN side at the remote office (which traverses the VPN tunnel), I only get replies when my router performs process switching. I discovered this in the troubleshooting stages by creating ACLs that were logging. If I remove those ACLs that cause traffic to be process switched, my pings fail to reply.
    This issue seems to occur between my tunnel 1 and the fa 0/0 interface, since traffic reaches the internet fine. But since the DNS servers that the users at the remote office use are our private DNS servers located in the head office, the DNS lookups need to traverse the VPN tunnel.
    Currently I have an ACL logging all ingress traffic on my ethernet interface since I can't figure out what is going on with CEF. I know the throughput of process switching is only about 800Kbps, which is killing my network since we have bonded T1s at this site. In addition to the additional latency this is causing, I am also getting logging overflows, which is dropping packets as well.
    Any advice on where to start looking for my CEF issues? Thank you in advance.

    Shaun -
    Thanks for your response on my problem.
    According to documentation CEF is supported on all tunnel interfaces. While ASICs are not doing the actual CEF fib lookups, CEF switching should still offer greater throughput (even in software with the 1800s routers) than that of process switching.
    I am noticing a lot of encap_fail for CEF drops. I understand this to be caused by incomplete adjacency issues, but when I issue a #sh adj command, all routes (including those I have pointed at the tunnel) register as valid CEF adjacencies. I also can run a #sh ip cef, which is basically a lookup of the FIB table, and all the routes that I expect to see are there.
    I appreciate your feedback, and if there is anything else you can think of for me to check, please let me know.
    Thanks
    Ryan

  • High CPU Usage on C6509

    Good day, can someone analyze this for me, in regards with high cpu usage.
    2222222222222222222222222222222222333332222244444222222222
         8888555559999955555777773333344444000007777711111555559999
    100                                                           
    90                                                           
    80                                                           
    70                                                           
    60                                                           
    50                                                           
    40                                              *****        
    30  ************************          ************************
    20  **********************************************************
    10  **********************************************************
        0....5....1....1....2....2....3....3....4....4....5....5....
                  0    5    0    5    0    5    0    5    0    5   
                   CPU% per second (last 60 seconds)
         4443333334443433334333333333333333333333343333333333333333
         1006530591135079734601132535328062177773414263667168577916
    100                                                           
    90                                                           
    80                                                           
    70                                                           
    60                                                           
    50                                                           
    40  *****  ********** **     * *  * *  ****  *  * *** ****** *
    30  #############**##*####*#*##*###*#*#########*##*****###****
    20  ##########################################################
    10  ##########################################################
        0....5....1....1....2....2....3....3....4....4....5....5....
                  0    5    0    5    0    5    0    5    0    5   
                   CPU% per minute (last 60 minutes)
                  * = maximum CPU%   # = average CPU%
         4744444545444444444444444444333344444444444444444434444444433344344444
         4547425182436632379924402500899822115303104140406471591734499730802883
    100                                                                       
    90                                                                       
    80   *                                                                   
    70   *                                                                   
    60   *                                                                   
    50   * *  ****  **   ***     *          *           *   ** *           **
    40  **********************************************************************
    30  #*******###**********##**********#********************************####
    20  ######################################################################
    10  ######################################################################
        0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
                  0    5    0    5    0    5    0    5    0    5    0    5    0
                       CPU% per hour (last 72 hours)
                      * = maximum CPU%   # = average CPU%
    Local_Backbone#sh proc cpu sorted 5sec
    CPU utilization for five seconds: 24%/16%; one minute: 27%; five minutes: 27%
    PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
    123  1380698152 938782622       1470  6.07%  6.66%  6.52%   0 IP Input        
       9    71590456 190912340        374  0.39%  0.48%  0.47%   0 ARP Input       
    213    53552228 246488976        217  0.23%  0.42%  0.48%   0 SNMP ENGINE     
    176     2804332  35409778         79  0.15%  0.02%  0.00%   0 OSPF Hello      
    319      918144  11719407         78  0.15%  0.01%  0.00%   0 OSPF Router 100 
       4         236       195       1210  0.07%  0.00%  0.00%   1 Virtual Exec    
    169     2374788   2035919       1166  0.07%  0.03%  0.00%   0 Adj Manager     
    118     5885520  15709517        374  0.07%  0.07%  0.07%   0 CDP Protocol    
      36       69788   9934569          7  0.07%  0.00%  0.00%   0 TTY Background  
    179    30669516 309965501         98  0.07%  0.23%  0.24%   0 IP SNMP
    Need a quick opinion, as I have another backbone abroad that uses only 5-10% of CPU.
    - same config
    - same setup (2BB for Sec/firewall, 2BB for Integration, 6Distro SW)
    - different number of users
    thank you and god bless.

    I also agree with Stephan that the CPU you are seeing is not a concern; it should reduce down.
    In case you still want to do the troubleshooting, here is the procedure:
    Here are some of the commands you can refer to while you see the high CPU:
    1- show proc cpu sorted | ex 0.00%  >> First check whether CPU is due to Interrupt or due to Process Switching.
    Eg: CPU utilization for five seconds: 6%/2%; one minute: 2%; five minutes: 2%
    6% is total CPU utilization and 2% is due to Interrupt. You would see these on the higher side when you have the high CPU. Total minus Interrupt will give you the value of Process.
    More info: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml
    b) show proc cpu history  >> Check how long the CPU has been affected.
    2- Check if any interface drops are being seen:
    show interface | include line|drops   ( Check if any vlan/interface is having input drops)
    3- Check if there are any STP issues:
    show spanning-tree detail
    show spann det | in ieee|from|occur|is exec
    show spann det | in executing | changes
    show interface | include line|drops
    show cef drop
    show ip traffic   >> Check the traffic utilization.
    4- There is some internal debugging which would help to find out which packets (from src, dst) are hitting the CPU:
    debug netdr capture rx  <<<<( DEBUG OF NETDR IS VERY USEFUL TO CHECK WHAT PACKETS ARE COMING TO CPU)
    show netdr capture-packet  >> This will give you the captured outputs where you can see the src and dst. Then you can take action with the owners of those src IP addresses to check why they are punting the traffic.
    HTH
    Regards
    Inayath
    ***Plz rate if this info is helpful.
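
The interrupt-versus-process check from step 1 of the reply above, as an added example that is not part of the original posts. It parses `show processes cpu sorted` text, splits the five-second figure into its interrupt and process-level parts, and ranks the busiest processes; the function names are hypothetical and the sample is constructed from the output quoted in the question.

```python
import re

# Constructed sample: header and first rows of the "sh proc cpu sorted 5sec"
# output quoted in the question above.
SAMPLE = """\
CPU utilization for five seconds: 24%/16%; one minute: 27%; five minutes: 27%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
123  1380698152 938782622       1470  6.07%  6.66%  6.52%   0 IP Input
  9    71590456 190912340        374  0.39%  0.48%  0.47%   0 ARP Input
213    53552228 246488976        217  0.23%  0.42%  0.48%   0 SNMP ENGINE
"""

# "24%/16%" is total CPU / CPU spent at interrupt level.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# PID, Runtime(ms), Invoked, uSecs, 5Sec, 1Min, 5Min, TTY, Process name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(\S.*?)\s*$"
)


def parse_cpu_sorted(text):
    """Parse the utilization header and the per-process rows."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'CPU utilization for five seconds' line found")
    total, interrupt = int(header.group(1)), int(header.group(2))
    processes = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:  # the column-title line and blank lines do not match
            processes.append({
                "pid": int(row.group(1)),
                "five_sec": float(row.group(5)),
                "one_min": float(row.group(6)),
                "name": row.group(9),
            })
    return {
        "total": total,
        "interrupt": interrupt,
        # Process-level share = total minus interrupt, as the reply describes.
        "process": total - interrupt,
        "one_min": int(header.group(3)),
        "five_min": int(header.group(4)),
        "processes": processes,
    }


def dominant_load(parsed):
    """Return 'interrupt' when interrupt-level CPU is at least the process-level share."""
    return "interrupt" if parsed["interrupt"] >= parsed["process"] else "process"


def top_processes(parsed, count=3):
    """Busiest processes over the last five seconds, highest first."""
    ranked = sorted(parsed["processes"], key=lambda p: p["five_sec"], reverse=True)
    return [(p["name"], p["five_sec"]) for p in ranked[:count]]


if __name__ == "__main__":
    result = parse_cpu_sorted(SAMPLE)
    print("total/interrupt/process:", result["total"], result["interrupt"], result["process"])
    print("dominant:", dominant_load(result))
    print("top:", top_processes(result))
```
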

  • 6509 -sup720 problem

    We are having a problem where the CPU is being driven to over 90% at times and we can't even get at this box; the high consumer on the CPU is "ip input". This box has all DFC3 cards in it. Under what circumstances does IP traffic get forwarded to the CPU when you have DFC cards installed? Anyone have any ideas on how to track something like this down? Have checked all links for errors, everything clean. Looked at spanning tree, don't see an issue there. Hard to get any info off the box when this is happening. You look at any of the interfaces and the traffic is not that high; these are gig links down to access layer boxes that are trunked. Frankly I am running out of ideas on what to do with this, any ideas appreciated.

    There are quite a bit of reasons traffic may be punted to the MSFC for process switching. Some include unsupported features in hardware, IP options, ttl = 1, and ICMP unreachables/redirects. Here is a link with a more complete list:
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml
    The best way to determine what is causing the process switching is to dump the packet buffers on the interface(s) that is seeing the large volumes of process level traffic. You can do this one of two ways:
    1. "show interface switching" and look for the interfaces with increasing IP Process counter.
    or
    2. "show interfaces" this is probably easier. You can look at the Input Queue for drops or packets actually in the queue.
    Vlan10 is up, line protocol is up
    Hardware is EtherSVI, address is 00d0.0061.040a (bia 00d0.0061.040a)
    Description: VLAN10: Uplink
    Internet address is xxx.xxx.xxx.xxx/xx
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 33/75/3385/3367 (size/max/drops/flushes); Total output drops: 0
    In this case we have 33 packets in the queue and we are seeing drops and flushes due to the amount of process level traffic. So once I have this information I can dump those packets by entering "show buffer input-interface vlan10 dump". This will dump those packets from the queue so you can take a look at what's in there. Should look like this:
    Router# show buffers input-interface vlan10 dump
    Buffer information for Small buffer at 0x437874D4
    data_area 0x8060F04, refcount 1, next 0x5006D400, flags 0x280
    linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
    if_input 0x505BC20C (GigabitEthernet4/1), if_output 0x0 (None)
    inputtime 00:00:00.000 (elapsed never)
    outputtime 00:00:00.000 (elapsed never), oqnumber 65535
    datagramstart 0x8060F7A, datagramsize 60, maximum size 308
    mac_start 0x8060F7A, addr_start 0x8060F7A, info_start 0x0
    network_start 0x8060F88, transport_start 0x8060F9C, caller_pc 0x403519B4
    source: xxx.xxx.xxx.xxx, destination: xxx.xxx.xxx.xxx, id: 0x0000, ttl: 63,
    TOS: 0 prot: 17, source port 63, destination port 63
    08060F70: 000A 42D17580 ..BQu.
    08060F80: 00000000 11110800 4500002E 00000000 ........E.......
    08060F90: 3F11EAF3 64646401 64646402 003F003F ?.jsddd.ddd..?.?
    08060FA0: 001A261F 00010203 04050607 08090A0B ..&.............
    08060FB0: 0C0D0E0F 101164 ......d
    I would suggest sending this output to me as well so I can take a look at it as well. Other useful commands are:
    1. show ip traffic
    This command is useful to see if things like bad hop count, fragments, unreachables, redirects, and other various common traffic that can cause IP Input.
    2. show cef not
    3. show cef drop.
    Please email me with the buffer output when you get a chance. Sup720 has some good hw rate-limiters that we can use if we can not correct the situation.
    Warm Regards
    Anthony

  • High CPU Utilization in 7603 router with RSP720-10GE

    Hi everyone
    We have a 7603 router with "RSP720-10GE" and we have high cpu utilization due to high amount of interrupts.
    The output of “show cef drop” and “show ip cef switching statistics” commands show lots of packets that have been dropped by CEF.
    But CEF is enabled on every physical interface and on every GRE tunnel that we have on this router.
    As I understand it, the output of the “show ip cef switching statistics” command shows some of the reasons for CEF dropping packets, like “Routed to Null0”, but I don’t know how to solve them. For example, I can’t delete routes to Null0 because that is going to cause routing loops in our network. Could you please help me?

    Hey,
    The output shows high interrupt load on the CPU, so collect the last output multiple times to see if the DROP values are incrementing. Also configure NetDr captures to see what packets are punted to the CPU. I am adding a link for the same:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/116475-technote-product-00.html
    HTH.
    Regards,
    RS
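
The "collect the output multiple times" step from the reply above, as an added example that is not part of the original posts. It parses two `show cef drop` snapshots and reports only the counters that moved between them; the function names are hypothetical, the first snapshot is the output quoted at the top of this page, and the second snapshot is constructed.

```python
# Snapshot quoted at the top of this page.
SNAPSHOT_1 = """\
CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj  ChkSum_Err
RP         51124           0           0           0           0           0
"""

# Constructed second snapshot, imagined as taken some time later.
SNAPSHOT_2 = """\
CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route      No_adj  ChkSum_Err
RP         51310           0           0           0           4           0
"""


def parse_cef_drop(text):
    """Return {slot: {counter_name: value}} from 'show cef drop' text."""
    lines = [line for line in text.splitlines() if line.strip()]
    header_index = None
    for index, line in enumerate(lines):
        if line.split()[0] == "Slot":
            header_index = index
            break
    if header_index is None:
        raise ValueError("no 'Slot ...' header line found")
    # Column names are taken from the header, so extra counters on other
    # platforms or releases are picked up without code changes.
    columns = lines[header_index].split()[1:]
    table = {}
    for line in lines[header_index + 1:]:
        fields = line.split()
        values = fields[1:]
        if len(values) != len(columns) or not all(v.isdigit() for v in values):
            continue  # skip prompts, banners or wrapped lines
        table[fields[0]] = dict(zip(columns, (int(v) for v in values)))
    return table


def increments(before, after):
    """Counters that grew between two parsed snapshots.

    A counter that went backwards is treated as cleared (or the device
    reloaded), so its whole new value counts as the increment.
    """
    changed = {}
    for slot, counters in after.items():
        previous = before.get(slot, {})
        for name, value in counters.items():
            delta = value - previous.get(name, 0)
            if delta < 0:
                delta = value
            if delta > 0:
                changed.setdefault(slot, {})[name] = delta
    return changed


def drop_rates(before, after, interval_seconds):
    """Increments converted to drops per second over the sampling interval."""
    if interval_seconds <= 0:
        raise ValueError("interval_seconds must be positive")
    return {
        slot: {name: delta / interval_seconds for name, delta in counters.items()}
        for slot, counters in increments(before, after).items()
    }


if __name__ == "__main__":
    first = parse_cef_drop(SNAPSHOT_1)
    second = parse_cef_drop(SNAPSHOT_2)
    print(increments(first, second))
    print(drop_rates(first, second, 60))
```
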

  • Windows 8.1 Lock Screen drops network connectivity when screen locked using Win+L

    Hi!
    I was sent here from Microsoft Community forum. The question is:
    Since Windows NT 4.0 I have been using Lock Screen to prevent people from accessing my computer when I'm leaving my room. First I was using CTRL+ALT+DEL / Lock Screen, then switched to the Win+L keyboard shortcut when it was first introduced.
    Everything was fine until I switched to a Windows 8.1 computer (Sony Vaio Duo 13 with Broadcom wireless network controller). This machine is 8.1, not 8.0 upgraded to 8.1.
    My problem is that when I hit the Win+L combo the Lock Screen (with clock etc.) is displayed. Then, although I have configured it not to turn off the display, the screen goes blank (30 seconds after the lock) and network connectivity is cut off from desktop apps (I suspect the system goes into Active Standby mode, because Modern UI apps like Tune-In radio keep working fine).
    100% repeatable scenarios:
    ## Scenario 1 ##
    1) Log in
    2) Open desktop app that uses network connectivity. Outlook 2013 from Office365 subscription
    3) Check that it has connected
    4) Lock screen (Win+L)
    5) Wait for 30 seconds (first incorrectly posted as few minutes) as screen goes black
    6) Unlock screen (using password)
    7) In the right corner of the Outlook app you will see "Unable to connect with Exchange server" and a few seconds later it will reconnect successfully
    ## Scenario 2 - the more annoying ##
    1) Log in to Win 8.1 computer
    2) Connect to it using SMB (in my case I wanted to transfer 30 GB of files from local hard drive C: to server) \\COMPUTER-NAME\c$ from Windows Server 2012 R2
    3) Start copying files from computer to server
    4) Lock the screen on computer
    5) As soon as screen goes black server displays message "Lost connection to the resource. Try again?"
    6) Unlock screen on the computer
    7) Click "Try again" and it will continue copying files
    My power settings are set to go into standby after 5 hours, and if I do not lock the screen it doesn't go to sleep before 5 hours.
    When I lock the screen using Win+L it goes into (probably Active) Standby mode.
    Is there any way to prevent it from going to Active Standby when locking the screen? I need the screen lock for security reasons but I don't want it to drop my network connectivity on remote desktops, file transfers and other desktop activities before the 5 hour timeout.
    This issue is not related to the more or less known wireless network connectivity problem that happens to many Intel Haswell computers. Mine doesn't exhibit those problems. I can easily push 100 - 200 GB of wireless data without network drops.
    Computer information:
    Sony Vaio Duo 13: SVD1322C5E
    Intel Core i5-4200U
    8 GB RAM
    Windows 8.1 Pro 64-bit
    Broadcom 802.11n SDIO network adapter
    Originally posted at: http://answers.microsoft.com/en-us/windows/forum/windows8_1-networking/windows-81-lock-screen-drops-network-connectivity/099f16bd-b00d-4ba9-b833-48bf1d55ffe4
    Best regards,
    Sergiusz

    Same issue here using Surface 3 Pro with either internal WLAN or MS USB LAN Adapter. I'm frequently used to keep open connections over SSH to some servers. On switching to the lock screen explicitly by pressing Win+L or implicitly due to idle timeout, all connections to servers are lost. In addition, I don't get any notifications on incoming Skype messages (using Skype for desktop) when the lock screen is active.
    Neither NIC is showing the "Power Management Tab" according to step 5 of the instructions above.
    Additionally, observing the USB LAN NIC, it seems to be kept active after activating the lock screen, but traffic stops (according to its flashing light) when the lock screen is switching off the display. Blanking the display doesn't seem to be adjustable in System Settings (Energy Options accessed through Win+X).
    Find attached log file of powercfg -energy -duration 300 ...
    Log file is in German. It basically claims unset timeouts for deactivating display while running attached to power supply though lock screen is turning off displays within 1-2 minutes.
    Prozentuale niedrigste Drosselung
    3
    Leistungssteuerelementtyp
    ACPI-Leistungszustände (P)/ACPI-Drosselungszustände (T)
    Gerätetreiber:Erfolgreiche Analyse
    Die Analyse war erfolgreich. Es wurden keine Energieeffizienzprobleme festgestellt und keine Informationen zurückgegeben.

  • Default class map is dropping all Packets

    Hello, I have a Cisco 871 router that used to have access-list-based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, especially with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QoS once I get it working.
    Guest VLAN has access to 2 IP's in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recommend you investigate a little bit more about how the ZBFW feature works
    Now I am going to help you on this one at least, then I will give you a few links you could use to study
    We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
    First the zone-pair
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    So let's go to the policy-map
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    Finally to the class map
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet will need to match the base protocols and the extended protocols, and as you know that is not possible (just one protocol)
    So here are the links
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do
    Please remember to rate all the helpful posts
    Julio
    CCSP
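The match-all versus match-any behaviour described in the answer above can be checked with a small model. This is an added example, not code from the thread or from Cisco: it replays two of the dropped packets from the posted log against the posted class-maps. It assumes `match protocol` can be approximated by the protocol's default destination port, and the nested class-map name `MyNetNet-protocols` in the corrected variant is hypothetical.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: "match protocol X" is modelled as "destination port == X's default port".
PORTS = {"http": 80, "https": 443, "ftp": 21, "ssh": 22, "dns": 53, "ntp": 123,
         "ica": 1494, "pptp": 1723, "h323": 1720, "skinny": 2000, "sip": 5060,
         "pop3": 110, "pop3s": 995, "imap": 143, "imaps": 993, "smtp": 25}
L4 = ("tcp", "udp", "icmp")

@dataclass(frozen=True)
class Packet:
    l4: str
    src: str
    dst: str
    dport: int

@dataclass
class ClassMap:
    name: str
    mode: str       # "match-all" or "match-any"
    criteria: list  # ("protocol", name) | ("acl", [source nets]) | ("class", ClassMap)

    def matches(self, pkt):
        hits = [self._hit(kind, arg, pkt) for kind, arg in self.criteria]
        return all(hits) if self.mode == "match-all" else any(hits)

    @staticmethod
    def _hit(kind, arg, pkt):
        if kind == "class":                     # nested "match class-map"
            return arg.matches(pkt)
        if kind == "acl":                       # "permit ip <src> any" entries only
            return any(ip_address(pkt.src) in ip_network(n) for n in arg)
        if arg in L4:                           # match protocol tcp / udp / icmp
            return pkt.l4 == arg
        return pkt.dport == PORTS[arg]

def protos(name, *names):
    return ClassMap(name, "match-any", [("protocol", n) for n in names])

# access-list 100 from the posted config, wildcard masks written as prefixes.
ACL_100 = ["10.0.0.0/29", "172.16.15.0/27", "172.16.17.0/28"]
acl = ClassMap("MyNetNet-access-list", "match-all", [("acl", ACL_100)])
voice = protos("Voice-protocols", "h323", "skinny", "sip")
extended = protos("Extended-protocols", "pop3", "pop3s", "imap", "imaps", "smtp")
base = protos("Base-protocols", "http", "https", "ftp", "ssh", "dns", "ntp",
              "ica", "pptp", "icmp", "tcp", "udp")

# As posted: one packet must satisfy the ACL and all three protocol groups at once.
original = ClassMap("MyNetNet-Class", "match-all",
                    [("class", acl), ("class", voice), ("class", extended), ("class", base)])
# Corrected structure: ACL AND (any one of the protocol groups).
any_proto = ClassMap("MyNetNet-protocols", "match-any",   # hypothetical name
                     [("class", voice), ("class", extended), ("class", base)])
fixed = ClassMap("MyNetNet-Class", "match-all", [("class", acl), ("class", any_proto)])

ORIGINAL_POLICY = [(original, "inspect")]
FIXED_POLICY = [(fixed, "inspect")]

def evaluate(policy, pkt):
    """First matching class wins; otherwise class-default, whose default action is drop."""
    for cmap, action in policy:
        if cmap.matches(pkt):
            return cmap.name, action
    return "class-default", "drop"

def can_ever_match(cmap, src="172.16.15.6"):
    """Try every modelled L4 protocol and port from an inside host."""
    return any(cmap.matches(Packet(l4, src, "168.94.0.1", port))
               for l4 in L4 for port in set(PORTS.values()))

# Two drop messages copied from the "sh log" output in the post.
LOG = """\
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
"""
PKT_RE = re.compile(
    r"%FW-6-DROP_(TCP|UDP)_PKT: Dropping Other pkt (\S+):(\d+) => (\S+):(\d+)")

def packets_from_log(text):
    return [Packet(m[1].lower(), m[2], m[4], int(m[5])) for m in PKT_RE.finditer(text)]

if __name__ == "__main__":
    for pkt in packets_from_log(LOG):
        print(pkt, "original:", evaluate(ORIGINAL_POLICY, pkt),
              "fixed:", evaluate(FIXED_POLICY, pkt))
    print("original class can ever match:", can_ever_match(original))
```

Because `Base-protocols` lists `tcp`, `udp` and `icmp`, the corrected class admits any TCP, UDP or ICMP flow sourced from access-list 100, so the ACL is what actually scopes the policy.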

  • CEF/Point to Point link in ASR 903 not working

    Hi there,
    I have been having some issues with an ASR 903 connected to an OLT, and upon further testing in the lab I came across a strange issue. I have R1 and R2 connected directly on the p2p link TenGig interface. I have configured the IPs below but somehow cannot get connectivity. I can see the MAC resolved in one router but not in the other, and CEF entries on both reflect drop.
    Have you guys come across this before? Surely I'm missing something here, but considering both routers are straight out of the box, I'm running out of ideas, as the setup cannot be any simpler than this, yet I am unable to establish connectivity.
    Router2#
    Interface              IP-Address      OK? Method Status                Protocol
    Te0/1/0                10.10.10.2      YES manual up                    up      
    Building configuration...
    Current configuration : 78 bytes
    interface TenGigabitEthernet0/1/0
     ip address 10.10.10.2 255.255.255.0
    end
    Router1#
    Te0/1/0                10.10.10.1      YES manual up                    up    
    Building configuration...
    Current configuration : 78 bytes
    interface TenGigabitEthernet0/1/0
     ip address 10.10.10.1 255.255.255.0
    end
    Router1#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.10.10.1              -   e0d1.73dd.7909  ARPA   TenGigabitEthernet0/1/0
    Internet  10.10.10.2              0   Incomplete      ARPA   
    Router2#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.10.10.1              0   e0d1.73dd.7909  ARPA   TenGigabitEthernet0/1/0
    Internet  10.10.10.2              -   e089.9d0b.2389  ARPA   TenGigabitEthernet0/1/
    Router1#sh ip cef exact-route 10.10.10.2 255.255.255.0
    10.10.10.2 -> 255.255.255.0 =>drop
    Router2#sh ip cef exact-route 10.10.10.1 255.255.255.0
    10.10.10.1 -> 255.255.255.0 =>drop

    Hi,
    According to your post, my understanding is that the Office 365 link on Left suite Bar(Blue bar) failed to work on Sharepoint.
    If you click the “Office 365” logo, it will redirect to the “Office 365 admin center” which URL is
    https://portal.microsoftonline.com/Default.aspx.
    Please make sure you have permission to log on to the Office 365 portal.
    You can use an account that has administrative permissions for your organization.
    Regarding SharePoint Online, for quick and accurate answers to your questions, it is recommended that you start a new thread in the Office 365 forum.
    Office 365 forum
    http://community.office365.com/en-us/forums/default.aspx
    Best Regards,
    Linda Li
    TechNet Community Support

  • Drop Down Menu Prebuilt Site

    Hello, I have been playing for a week with no results, so I am looking for specific help. I have inherited a website designed by someone else as an HTML template, yet I am unable to edit anything in the template section; I can only update each and every code and page individually. I am using Dreamweaver CC on a Windows 8 platform. The site I am working on is cef.forgivenitsolutions.org (where I am hosting while I check it out). I have set up a temp server on my computer and it is working fine. So on to the question: I was given the template and asked to mimic http://cefindiana.com/ when it comes to the drop-down menu in the upper right-hand corner. I have tried everything from simply copying the code to installing my own drop-down menu without any luck. I am sure it is extremely simple, but I just find an article or video to help. Please help, they want to go live with this site Friday but I can't figure this out. Please be nice, as Dreamweaver is not my expertise; I am a graphic designer, but I am trying to help a non-profit out.
    Thanks for your help

    forgiven IT Solutions wrote:
    yes the site cef.forgivenitsolutions.org is exactly what i have on my computer and i copied the code you gave me
    Then you don't have the css or the jQuery files right - as they reside on the site below?
    http://cefindiana.com/
    What you are attempting to do is lift the menu code, css and .js scripts from cefindiana.com site and insert them into your site, right?
    Below is the html code for the menu:
    <div id="nav-site">
    <div id="nav-site-dropdown"><p><a href="/contact/">View CEF Indiana Chapters</a></p></div>
    <div id="nav-site-dropdown-hover">
    <ul>
    <li><a href="/central/">Central Indiana</a></li>
    <li><a href="/evansville/">Evansville</a></li>
    <li><a href="/fortwayne/">Fort Wayne</a></li>
    <li><a href="/northcentral/">North Central</a></li>
    <li><a href="/northeast/">Northeast</a></li>
    <li><a href="/northwest/">Northwest</a></li>
    <li><a href="/sixcounty/">Six County</a></li>
    <li><a href="/southeast/">Southeast</a></li>
    <li class="last"><a href="/westcentral/">West Central</a></li>
    </ul>
    </div>
    </div>
    <!-- end nav-site -->
    BELOW IS THE CSS THAT YOU NEED TO STYLE THE MENU: this needs to either go in the head section (<head></head>) of the page in which you are inserting the menu or you can include it in a linked css stylesheet.
    <style>
    #nav-site {position:absolute; top:0; left:660px; width:300px;}
    #nav-site-dropdown {background: url(http://cefindiana.com/assets/images/nav-view-chapters.png); width: 300px; height: 33px;}
    #nav-site-dropdown p {display:none;}
    #nav-site-dropdown-hover {display:none; background: #fffbe6; margin-left:11px; width: 277px;}
    #nav-site-dropdown-hover ul {margin:0; padding:0;}
    #nav-site-dropdown-hover li {margin:0; padding:10px 0 10px 0; list-style:none; border-bottom:1px solid #f4e1a7;}
    #nav-site-dropdown-hover li.last {border:0;}
    #nav-site-dropdown-hover li a {margin-left:40px; font-weight: bold;}
    </style>
    BELOW IS THE .js FILES and SCRIPT: you also need to include this in the <head></head> section of the page in which you are inserting the menu.
    <script type="text/javascript" src="http://cefindiana.com/assets/scripts/jquery/jquery-1.4.2.js"></script>
        <script type="text/javascript" src="http://cefindiana.com/assets/scripts/jquery/jquery.cycle.lite.min.js"></script>
        <script>
    var inputtext = {};
    var submenuvisible = false;
    var submenucleanup = false;
    $(document).ready(function(){
        $('#nav-site-dropdown,#nav-site-dropdown-hover')
            .hover(
                // Mouse enters: cancel any pending close and slide the menu open.
                function(){
                    clearTimeout(submenucleanup);
                    submenucleanup = null;
                    if(submenuvisible===false) {
                        submenuvisible = true;
                        $('#nav-site-dropdown').css('background','url(http://cefindiana.com/assets/images/nav-view-chapters.png)');
                        $('#nav-site-dropdown-hover').slideDown();
                    }
                },
                // Mouse leaves: slide the menu closed after a 500 ms delay.
                function() {
                    clearTimeout(submenucleanup);
                    submenucleanup = null;
                    submenucleanup = setTimeout(function(){
                        submenuvisible = false;
                        $('#nav-site-dropdown-hover').slideUp(function(){$('#nav-site-dropdown').css('background','url(http://cefindiana.com/assets/images/nav-view-chapters.png)');});
                    },500);
                }
            );
    });
    </script>
    If you follow the above instructions you will have a working menu identical to the one on the cefindiana.com site.
    Once working you obviously need to replace the menu links with the ones applicable to your site.
    Once every thing is working correctly you need to grab the .js scripts from the links below and save them to your own .js files and link those to your page/s.
    http://cefindiana.com/assets/scripts/jquery/jquery-1.4.2.js
    http://cefindiana.com/assets/scripts/jquery/jquery.cycle.lite.min.js

  • High CPU Usage / Dropped Packets - Switch Blade WS-CBS3120X-S

    Hi all,
    I have a couple of Switches Blade 3120, working as active-standby model (HSRP) on a new site deployment. There are other 20 sites more or less, working on the same model, without issues. But in this one, we are seeing a high cpu usage. The traffic going through the platform is 600Mbps (on peaks), and in this case we have 40% of CPU usage. Traffic should be close to 3 Gbps. When we tried to send the whole traffic through the platform, active switch began to drop packets on the majority of interfaces.
    When we analyze the CPU usage, there is a special process called "HL3U bkgrd proce" that always has the most CPU use, but we do not know what it concerns. We do not know if it is caused by the PBRs that are configured. It should not matter. As I mentioned, there are other sites working fine that have always had the same PBR number.
    Could you guys help us? Any idea what is causing the high usage? Is there a special debug we could perform to diagnose the issue? Also, we have seen a high interrupt CPU usage (9% in this case).
    Find attached the whole diagnosis outputs.
    Thanks for your assistance guys.
    Cheers,
    Juan Pablo
    bog-sib-INT-rtr-1#show processes cpu sorted 5sec
    CPU utilization for five seconds: 30%/9%; one minute: 25%; five minutes: 23%
    PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
    157   140004809   107071220       1307 14.24% 10.19%  9.01%   0 HL3U bkgrd proce
    119     6860957     1519183       4516  0.79%  0.59%  0.53%   0 hpm counter proc
    166     2511492      302802       8294  0.15%  0.15%  0.15%   0 HQM Stack Proces
    199     4182906    15255882        274  0.15%  0.21%  0.20%   0 IP Input        
    357      237531      782101        303  0.15%  0.03%  0.00%   0 IP SNMP         
    186         101         148        682  0.15%  0.09%  0.02%   1 Virtual Exec    
    242       63071     2330717         27  0.15%  0.02%  0.00%   0 CEF: IPv4 proces
      12      163754      620353        263  0.15%  0.01%  0.00%   0 ARP Input       
       9           0           2          0  0.00%  0.00%  0.00%   0 License Client N
       8          41        1827         22  0.00%  0.00%  0.00%   0 WATCH_AFS       
      11          50           4      12500  0.00%  0.00%  0.00%   0 Image License br
       7           0           2          0  0.00%  0.00%  0.00%   0 Timers          
    bog-sib-INT-rtr-1#sh ip cef summary
    IPv4 CEF is enabled for distributed and running
    VRF Default
    119 prefixes (119/0 fwd/non-fwd)
    Table id 0x0
    Database epoch:        2 (119 entries at this epoch)

    Hi Leolaohoo,
    I had not played with this one too !!!!...
    1). IOS version (It was recently updated)
    bog-sib-INT-rtr-1#sh ver
    Cisco IOS Software, CBS31X0 Software (CBS31X0-UNIVERSALK9-M), Version 12.2(58)SE1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 05-May-11 04:08 by prod_rel_team
    ROM: Bootstrap program is CBS31X0 boot loader
    BOOTLDR: CBS31X0 Boot Loader (CBS31X0-HBOOT-M) Version 12.2(0.0.951)SE3, CISCO DEVELOPMENT TEST VERSION
    bog-sib-INT-rtr-1 uptime is 2 weeks, 3 days, 17 hours, 14 minutes
    System returned to ROM by power-on
    System restarted at 00:59:27 UTC Sat Jun 9 2012
    System image file is "flash:cbs31x0-universalk9-mz.122-58.SE1.bin"
    2). What interface do you want to see?, do you want to see all interfaces? . This switch has 16 interfaces that connect servers, and other going to our client. Below, the state of the two kind of interfaces:
    Interface to Client (Bearer)
    TenGigabitEthernet1/0/1 is up, line protocol is up (connected)
      Hardware is Ten Gigabit Ethernet, address is 001f.275d.d81b (bia 001f.275d.d81b)
      Description: BearerNContent_Aggregrate
      MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 10/255, rxload 14/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 10Gb/s, link type is auto, media type is 10GBase-LR
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 2w3d, output hang never
      Last clearing of "show interface" counters 07:07:56
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 562469000 bits/sec, 83641 packets/sec
      5 minute output rate 430500000 bits/sec, 73141 packets/sec
         2020563158 packets input, 1739897855828 bytes, 0 no buffer
         Received 13257 broadcasts (13257 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 13257 multicast, 0 pause input
         0 input packets with dribble condition detected
         1745065310 packets output, 1347244137726 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    Interface to Server
    GigabitEthernet1/0/8 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 001f.275d.d808 (bia 001f.275d.d808)
      Description: bog-15
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 15/255, rxload 12/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:00:17, output hang never
      Last clearing of "show interface" counters 07:09:12
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 19418
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 47705000 bits/sec, 7155 packets/sec
      5 minute output rate 58897000 bits/sec, 8011 packets/sec
         178178750 packets input, 153802177226 bytes, 0 no buffer
         Received 4091 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         0 input packets with dribble condition detected
         212233312 packets output, 206621942776 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    Thanks for your help. I am losing my hair with this issue.
    Cheers,
    Juan P.

  • Show ip cef switching statistic output - some clarifications required

    Good morning, everyone!
    I need some clarifications regarding the output of show ip cef switching statistics on Catalyst 6k, and some entries apply to other platforms as well. Consider this output:
    #show ip cef switching statistics
           Reason                          Drop       Punt  Punt2Host
    RP LES No route                      179269          0      12866
    RP LES Packet destined for us             0  153061543          2
    RP LES No adjacency                12460594          0          0
    RP LES Incomplete adjacency           10400          0          0
    RP LES Unresolved route                1476          0          0
    RP LES Bad checksum                      17          0          0
    RP LES TTL expired                        0          0   24725338
    RP LES IP options set                     0          0          3
    RP LES Fragmentation failed, DF  1757274333          0     481160
    RP LES Features                         975          0       5278
    RP LES IP redirects                       0          0          7
    RP LES Unknown input if                 192          0          0
    RP LES Neighbor resolution req     32540982       7290          0
    RP LES Total                     1802468238  153068833   25224654
    All    Total                     1802468238  153068833   25224654
    Questions are:
    1) What is the difference between the rows
    RP LES No adjacency
    RP LES Incomplete adjacency
    RP LES Neighbor resolution req
    2) What is the difference between the rows
    RP LES No route 
    RP LES Unresolved route   
    3) What does the column name Punt2Host mean?
    I will highly appreciate your answers! Thanks in advance.

    So far I have partially found the answer to the first question.
    RP LES Neighbor resolution req - packets that have no adjacency are counted here, and they are punted so that an ARP request is sent.
    RP LES No adjacency - after the ARP request is sent, a throttling adjacency is installed for this destination for 2 seconds and all subsequent packets get dropped. Those packets are counted here.
    RP LES Incomplete adjacency - packets that match incomplete adjacencies are counted here. These are adjacencies that stay in the adjacency table marked incomplete - as I understand it, this can happen after an ARP entry has aged out. Those adjacencies must be deleted as well, but as I can see in my environment some of them stay for a while, so I am a bit confused here.
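
An added example, not part of the original thread: a Python parser for the counter table quoted in the question, which checks the Total rows against the column sums and ranks the drop reasons. The function names are hypothetical, and the adjacency notes restate the replying poster's description rather than vendor documentation.

```python
import re

# Counter table copied from the post above (Catalyst 6k output).
SAMPLE = """\
       Reason                          Drop       Punt  Punt2Host
RP LES No route                      179269          0      12866
RP LES Packet destined for us             0  153061543          2
RP LES No adjacency                12460594          0          0
RP LES Incomplete adjacency           10400          0          0
RP LES Unresolved route                1476          0          0
RP LES Bad checksum                      17          0          0
RP LES TTL expired                        0          0   24725338
RP LES IP options set                     0          0          3
RP LES Fragmentation failed, DF  1757274333          0     481160
RP LES Features                         975          0       5278
RP LES IP redirects                       0          0          7
RP LES Unknown input if                 192          0          0
RP LES Neighbor resolution req     32540982       7290          0
RP LES Total                     1802468238  153068833   25224654
All    Total                     1802468238  153068833   25224654
"""

# slot, free-text reason, then the Drop / Punt / Punt2Host columns.
ROW = re.compile(r"^\s*(\S+)\s+(.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Meanings as described in the reply above (the poster's understanding).
ADJACENCY_ROWS = {
    "Neighbor resolution req": "no adjacency; punted so an ARP request is sent",
    "No adjacency": "dropped while the 2-second throttling adjacency is installed",
    "Incomplete adjacency": "matched an adjacency still marked incomplete",
}


def parse_cef_switching(text):
    """Return (rows, totals); rows are (slot, reason, drop, punt, punt2host)."""
    rows, totals = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, prompt or blank line
        slot, reason = m.group(1), m.group(2)
        if reason.startswith("LES "):
            reason = reason[4:]
        counts = tuple(int(m.group(i)) for i in (3, 4, 5))
        if reason == "Total":
            totals[slot] = counts
        else:
            rows.append((slot, reason) + counts)
    return rows, totals


def totals_consistent(rows, totals):
    """True if every Total row equals the column sums of its detail rows."""
    for slot, expected in totals.items():
        picked = [r for r in rows if slot == "All" or r[0] == slot]
        sums = tuple(sum(r[i] for r in picked) for i in (2, 3, 4))
        if sums != expected:
            return False
    return bool(totals)


def top_drop_reasons(rows, n=3):
    """Largest Drop counters as (reason, drops, share of all drops)."""
    total = sum(r[2] for r in rows) or 1
    ranked = sorted(rows, key=lambda r: r[2], reverse=True)[:n]
    return [(r[1], r[2], r[2] / total) for r in ranked]


def adjacency_breakdown(rows):
    """Drop and Punt counts for the three adjacency-related rows."""
    return {r[1]: (r[2], r[3], ADJACENCY_ROWS[r[1]])
            for r in rows if r[1] in ADJACENCY_ROWS}


if __name__ == "__main__":
    rows, totals = parse_cef_switching(SAMPLE)
    print("totals consistent:", totals_consistent(rows, totals))
    for reason, drops, share in top_drop_reasons(rows):
        print(f"{reason:28s} {drops:>12d} {share:7.2%}")
    for reason, (drops, punts, note) in adjacency_breakdown(rows).items():
        print(f"{reason:28s} drop={drops} punt={punts}  ({note})")
```

On the quoted output, the ranking shows that the adjacency rows asked about are small next to "Fragmentation failed, DF", which accounts for nearly all drops.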

  • Autoroute Announce is dropping traffic

    I'm running 15.3(3)S on a group of three ME3600X switches and I'm having some issues testing autoroute announce. I've built a tunnel from one of my ME3600X switches to a remote router and the tunnel is up and accepts traffic from the local switch:
    P2P TUNNELS/LSPs:
    TUNNEL NAME                     DESTINATION     UP IF     DOWN IF   STATE/PROT
    me3600-4.lab_to_cr3_lab         10.10.8.3     -         Vl100     up/up    
    ME3600X-4.lab#ping 10.10.8.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.8.3, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
    ME3600X-4.lab#sh int tun1 | inc pack
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         5 packets output, 520 bytes, 0 underruns
    However, as soon as I add 'tunnel mpls traffic-eng autoroute announce' to the tunnel configuration, IP traffic to destinations that are preferred through the tunnel is dropped from anywhere behind this ME3600:
    ME3600X-4.lab#sh ip route 10.10.8.11
    Routing entry for 10.10.8.11/32
    Known via "isis", distance 115, metric 600, type level-2
    Redistributing via isis lab-test
    Last update from 10.10.8.3 on Tunnel1, 00:10:06 ago
    Routing Descriptor Blocks:
    * 172.16.24.149, from 10.10.8.11, 00:10:06 ago, via Vlan100
         Route metric is 600, traffic share count is 1
       10.10.8.3, from 10.10.8.11, 00:10:06 ago, via Tunnel1
         Route metric is 600, traffic share count is 1
    Here's a ping from a switch behind the ingress ME3600:
    ME3600X-1.lab#ping 10.10.8.11
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.8.11, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Traffic is not making it into the tunnel at all, according to the tunnel stats, unless I ping from the ingress ME3600 switch:
    ME3600X-4.lab#sh int tun1 | inc pack
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         0 packets output, 0 bytes, 0 underruns
    Traceroutes show the traffic dying at the ingress switch and packet captures on the upstream link from the ingress switch show no packets, plain IP or otherwise, exiting its upstream interface:
    ME3600X-1.lab#traceroute 10.10.8.11
    Type escape sequence to abort.
    Tracing the route to 10.10.8.11
    VRF info: (vrf in name/id, vrf out name/id)
    1 172.16.32.1 [MPLS: Label 27 Exp 0] 0 msec 0 msec 0 msec
    2 * * *
    3
    I'm just wondering what it is I'm doing wrong, it has to be something simple. A cluebat upside the head would be much appreciated. Here's the relevant config of the ingress switch:
    ME3600X-4.lab#sh run int vl100
    Building configuration...
    Current configuration : 223 bytes
    interface Vlan100
    mtu 9000
    ip address 172.16.24.150 255.255.255.252
    ip mtu 1500
    ip router isis lab-test
    mpls ip
    mpls traffic-eng tunnels
    isis circuit-type level-2-only
    isis metric 100
    isis hello-interval 3
    end
    ME3600X-4.lab#sh run int vl4000
    Building configuration...
    Current configuration : 279 bytes
    interface Vlan4000
    mtu 9000
    ip address 172.16.32.1 255.255.255.0
    ip mtu 1500
    ip router isis lab-test
    mpls ip
    mpls mtu 1546
    mpls traffic-eng tunnels
    isis metric 200
    isis hello-interval 3
    end
    ME3600X-4.lab#sh run int tun1
    Building configuration...
    Current configuration : 242 bytes
    interface Tunnel1
    description me3600-4.lab_to_cr3_lab
    ip unnumbered Loopback1
    tunnel mode mpls traffic-eng
    tunnel destination 10.10.8.3
    tunnel mpls traffic-eng autoroute announce
    tunnel mpls traffic-eng path-option 1 dynamic
    end
    ME3600X-4.lab#sh run partition router isis lab-test
    Building configuration...
    Current configuration : 343 bytes
    Configuration of Partition - router isis lab-test
    router isis lab-test
    net 47.0000.0101.8820.8024.00
    is-type level-2-only
    metric-style wide
    passive-interface Loopback1
    mpls traffic-eng router-id Loopback1
    mpls traffic-eng level-1
    mpls traffic-eng level-2
    end

    Looks like the switch 24 is not able to either impose a tag or swap the tag and send out to next hop.
    That's what I thought, too, as the traffic is not even leaving the 24 switch, according to packet captures taken between the 24 switch and the 12 router.
    1. "show ip route 10.10.8.3" from switch 21 and 24 before and after the command addition.
    Switch 21 before the command addition:
    ME3600X-1.lab#sh ip route 10.10.8.3
    Routing entry for 10.10.8.3/32
      Known via "isis", distance 115, metric 700, type level-2
      Redistributing via isis
      Last update from 172.16.32.1 on Vlan4000, 3d09h ago
      Routing Descriptor Blocks:
      * 172.16.32.1, from 10.10.8.3, 3d09h ago, via Vlan4000
          Route metric is 700, traffic share count is 1
    ME3600X-1.lab#sh ip cef 10.10.8.3 detail
    10.10.8.3/32, epoch 0
      local label info: global/23
      nexthop 172.16.32.1 Vlan4000 label 39
    ME3600X-1.lab#sh ip cef 10.10.8.3 internal
    10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
      sources: RIB, LTE
      feature space:
       IPRM: 0x00028000
       LFD: 10.10.8.3/32 1 local label
       local label info: global/23
            contains path extension list
            disposition chain 0x12BB5E40
            label switch chain 0x12BB5E40
      ifnums:
       Vlan4000(4144): 172.16.32.1
      path 1291D528, path list 12A78CDC, share 1/1, type attached nexthop, for IPv4
        MPLS short path extensions: MOI flags = 0x0 label 39
      nexthop 172.16.32.1 Vlan4000 label 39, adjacency IP adj out of Vlan4000, addr 172.16.32.1 12841840
      output chain: label 39 TAG adj out of Vlan4000, addr 172.16.32.1 128413E0
    ME3600X-1.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
    10.10.8.21 -> 10.10.8.3 => label 39 TAG adj out of Vlan4000, addr 172.16.32.1
    Switch 24 before the command addition:
    ME3600X-4.lab#sh ip route 10.10.8.3
    Routing entry for 10.10.8.3/32
      Known via "isis", distance 115, metric 500, type level-2
      Redistributing via isis
      Last update from 172.16.24.149 on Vlan100, 00:03:44 ago
      Routing Descriptor Blocks:
      * 172.16.24.149, from 10.10.8.3, 00:03:44 ago, via Vlan100
          Route metric is 500, traffic share count is 1
    ME3600X-4.lab#sh ip cef 10.10.8.3 detail
    10.10.8.3/32, epoch 0
      local label info: global/39
      nexthop 172.16.24.149 Vlan100 label 302032
    ME3600X-4.lab#sh ip cef 10.10.8.3 internal
    10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
      sources: RIB, LTE
      feature space:
       IPRM: 0x00028000
       LFD: 10.10.8.3/32 1 local label
       local label info: global/39
            contains path extension list
            disposition chain 0x12B16A58
            label switch chain 0x12B16A58
      ifnums:
       Vlan100(244): 172.16.24.149
      path 124EF1A0, path list 12504414, share 1/1, type attached nexthop, for IPv4
        MPLS short path extensions: MOI flags = 0x0 label 302032
      nexthop 172.16.24.149 Vlan100 label 302032, adjacency IP adj out of Vlan100, addr 172.16.24.149 128322A0
      output chain: label 302032 TAG adj out of Vlan100, addr 172.16.24.149 12831E40
    ME3600X-4.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
    10.10.8.21 -> 10.10.8.3 => label 302032 TAG adj out of Vlan100, addr 172.16.24.149
    Switch 21 after the command addition:
    ME3600X-1.lab#sh ip route 10.10.8.3                       
    Routing entry for 10.10.8.3/32
      Known via "isis", distance 115, metric 700, type level-2
      Redistributing via isis atlantech
      Last update from 172.16.32.1 on Vlan4000, 3d09h ago
      Routing Descriptor Blocks:
      * 172.16.32.1, from 10.10.8.3, 3d09h ago, via Vlan4000
          Route metric is 700, traffic share count is 1
    ME3600X-1.lab#sh ip cef 10.10.8.3 detail                  
    10.10.8.3/32, epoch 0
      local label info: global/23
      nexthop 172.16.32.1 Vlan4000 label 39
    ME3600X-1.lab#sh ip cef 10.10.8.3 internal                
    10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
      sources: RIB, LTE
      feature space:
       IPRM: 0x00028000
       LFD: 10.10.8.3/32 1 local label
       local label info: global/23
            contains path extension list
            disposition chain 0x12BB5E40
            label switch chain 0x12BB5E40
      ifnums:
       Vlan4000(4144): 172.16.32.1
      path 1291D528, path list 12A78CDC, share 1/1, type attached nexthop, for IPv4
        MPLS short path extensions: MOI flags = 0x0 label 39
      nexthop 172.16.32.1 Vlan4000 label 39, adjacency IP adj out of Vlan4000, addr 172.16.32.1 12841840
      output chain: label 39 TAG adj out of Vlan4000, addr 172.16.32.1 128413E0
    ME3600X-1.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
    10.10.8.21 -> 10.10.8.3 => label 39 TAG adj out of Vlan4000, addr 172.16.32.1
    Switch 24 after the command addition:
    ME3600X-4.lab#sh ip route 10.10.8.3                        
    Routing entry for 10.10.8.3/32
      Known via "isis", distance 115, metric 500, type level-2
      Redistributing via isis
      Last update from 10.10.8.3 on Tunnel1, 00:02:01 ago
      Routing Descriptor Blocks:
      * 10.10.8.3, from 10.10.8.3, 00:02:01 ago, via Tunnel1
          Route metric is 500, traffic share count is 1
    ME3600X-4.lab#sh ip cef 10.10.8.3 detail                   
    10.10.8.3/32, epoch 0
      local label info: global/39
      nexthop 10.10.8.3 Tunnel1
    ME3600X-4.lab#sh ip cef 10.10.8.3 internal                 
    10.10.8.3/32, epoch 0, RIB[I], refcount 5, per-destination sharing
      sources: RIB, LTE
      feature space:
       IPRM: 0x00028000
       LFD: 10.10.8.3/32 1 local label
       local label info: global/39
            contains path extension list
            disposition chain 0x12B18078
            label switch chain 0x12B16A58
      ifnums:
       Tunnel1(4303)
      path 124EEB80, path list 125042D4, share 1/1, type attached nexthop, for IPv4
        MPLS short path extensions: MOI flags = 0x1 label implicit-null
      nexthop 10.10.8.3 Tunnel1, adjacency IP midchain out of Tunnel1 12832FC0
      output chain: IP midchain out of Tunnel1 12832FC0 label 302096 TAG adj out of Vlan100, addr 172.16.24.149 12831E40
    ME3600X-4.lab#sh ip cef exact-route 10.10.8.21 10.10.8.3
    10.10.8.21 -> 10.10.8.3 => label 302096 TAG adj out of Vlan100, addr 172.16.24.149
    5. sho mpls forwarding-table 10.10.8.3 from switch 24
    ME3600X-4.lab#show mpls forwarding-table 10.10.8.3 detail
    Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop   
    Label      Label      or Tunnel Id     Switched      interface             
    39         Pop Label  10.10.8.3/32  126           Tu1        point2point
            MAC/Encaps=14/18, MRU=9000, Label Stack{302096}, via Vl100
            009069C7FC3E5017FF5A18408847 49C10000
            No output feature configured
    3. Are the interfaces from the 21 switch MPLS enabled until 24, or is it plain IP and then converted to MPLS on the 24 switch?
    The interface connecting the 21, 22, and 24 switches is an SVI, VLAN4000, and has 'mpls ip' configured on it.  I've tried disabling MPLS on the SVI on each switch with no change.
    Thanks for these commands, as some of them are new ones to me that can help me in the future.

  • Distributed CEF

    Hi,
    I read some information about dCEF wherein a copy of the FIB will be pushed to the linecard to offload traffic from the RP.
    My question is, is this applicable to 6500 switches with cards that have DFCs? I have a 6500 switch with Sup720-3B; some linecards do not have DFC, some have CFC, and some have DFCs. Would it be better to turn on "ip cef distributed"? Is the performance going to improve?
    If I enable distributed CEF, is there going to be an impact or downtime? I know it is always advisable to do this during window time but we are running 24/7.
    Thanks in advance.
    JL

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Distributed CEF might be the default for 6500's DFCs.  (I recall back in the 7500 days, you needed to explicitly enable it for VIP cards to run CEF too.)
    Try show cef state, and see if you see dCEF enabled/running in the output.
    If you have DFC, yes it's better for distributed CEF to be active.  Whether you would "see" a performance difference is an "it depends" answer.
    I'm not positive, but I suspect enabling or disabling dCEF would cause no or minimal impact (minimal, as in, drop a few packets in transit).

  • CEF operation

    Hello,
    I have 2 questions about CEF and its operation, as it may affect my network:
    1- When I'm using the default route 0.0.0.0, and I have packets routed via this default route because there is no specific route in the routing table,
    will those packets be process switched or CEF switched?
    2- I know the operation of CEF and the use of the FIB table and adjacency table, but what I need to know is how the lookup for a match in the CEF table is done: in a software process or a hardware process?
    Thanks & BR
    Moamen

    Hi Moamen,
    That is not true.. packets routed using the default route are certainly CEF-switched, if enabled.
    I have just tried this in my lab and here are my results:
    Before sending 5 pings:
    LABCE-2651XM#show int fast0/0 switching
    FastEthernet0/0
    Throttle count 0
    Drops RP 0 SP 0
    SPD Flushes Fast 0 SSE 0
    SPD Aggress Fast 0
    SPD Priority Inputs 194829 Drops 0
    Protocol IP
    Switching path Pkts In Chars In Pkts Out Chars Out
    Process 194729 19676627 193956 21470330
    Cache misses 0 - - -
    Fast 128892 14697688 8367 953838
    Auton/SSE 0 0 0 0
    Protocol DEC MOP
    Switching path Pkts In Chars In Pkts Out Chars Out
    Process 0 0 3256 250712
    Cache misses 0 - - -
    Fast 0 0 0 0
    Auton/SSE 0 0 0 0
    Protocol ARP
    Switching path Pkts In Chars In Pkts Out Chars Out
    Note that the number of packets fast (CEF) switched was 128892.
    Now I did a ping from another route that went through this router and was routed via the default route.
    LABCE-2651XM#show int fast0/0 switching
    FastEthernet0/0
    Throttle count 0
    Drops RP 0 SP 0
    SPD Flushes Fast 0 SSE 0
    SPD Aggress Fast 0
    SPD Priority Inputs 194838 Drops 0
    Protocol IP
    Switching path Pkts In Chars In Pkts Out Chars Out
    Process 194738 19677340 193958 21470450
    Cache misses 0 - - -
    Fast 128897 14698258 8372 954408
    Auton/SSE 0 0 0 0
    Protocol DEC MOP
    Switching path Pkts In Chars In Pkts Out Chars Out
    Process 0 0 3256 250712
    Cache misses 0 - - -
    Fast 0 0 0 0
    Auton/SSE 0 0 0 0
    Protocol ARP
    Switching path Pkts In Chars In Pkts Out Chars Out
    LABCE-2651XM#
    Note that the number of packets fast (CEF) switched is now 128897 - a difference of 5.
    That proves that traffic routed via the default route is CEF-switched.
    Hope that helps - pls rate the post if it does.
    Paresh.
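
An added example, not part of the original post: the before/after comparison described in the reply above, done by parsing the two `show int fast0/0 switching` snapshots and printing the per-path counter deltas. Only the "Protocol IP" section of each snapshot is embedded, and the function names are hypothetical.

```python
import re

# "Protocol IP" sections excerpted from the two snapshots in the post above.
BEFORE = """\
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 194729 19676627 193956 21470330
Cache misses 0 - - -
Fast 128892 14697688 8367 953838
Auton/SSE 0 0 0 0
"""

AFTER = """\
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 194738 19677340 193958 21470450
Cache misses 0 - - -
Fast 128897 14698258 8372 954408
Auton/SSE 0 0 0 0
"""

FIELDS = ("pkts_in", "chars_in", "pkts_out", "chars_out")
# A path row starts with the path name; "SPD Flushes Fast 0 ..." does not match.
PATH = re.compile(
    r"^(Process|Cache misses|Fast|Auton/SSE)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_switching(text):
    """Map (protocol, switching path) -> counters; '-' cells count as 0."""
    table, proto = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Protocol "):
            proto = s[len("Protocol "):]
            continue
        m = PATH.match(s)
        if m and proto:
            vals = [int(v) if v.isdigit() else 0 for v in m.groups()[1:]]
            table[(proto, m.group(1))] = dict(zip(FIELDS, vals))
    return table


def delta(before, after):
    """Per-path counter increase between two snapshots (unchanged rows omitted)."""
    out = {}
    for key, new in after.items():
        old = before.get(key, dict.fromkeys(FIELDS, 0))
        diff = {f: new[f] - old[f] for f in FIELDS}
        if any(v < 0 for v in diff.values()):
            # A counter that went backwards makes the comparison meaningless.
            raise ValueError(f"counters cleared or wrapped for {key}")
        if any(diff.values()):
            out[key] = diff
    return out


if __name__ == "__main__":
    for (proto, path), d in delta(parse_switching(BEFORE),
                                  parse_switching(AFTER)).items():
        print(f"{proto:4s} {path:12s} {d}")
```

The Fast row increases by 5 packets in and 5 out between the snapshots, matching the difference of 5 noted in the post; the Process row also moves during the same interval, so the delta is read per path rather than per interface.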

  • 7609 - CEF with multiple VRFs

    Hi,
    I have a 7609 with multiple VRFs (VRF Lite).
    Below is a sh mod
    Mod Sub-Module Model Serial Hw Status
    1 7600 ES+ DFC LITE 7600-ES+3C 1.0 Ok
    1 7600 ES+ 20xGE SFP 7600-ES+20G 1.0 Ok
    5 Policy Feature Card 3 7600-PFC3C 1.1 Ok
    5 C7600 MSFC4 Daughterboard 7600-MSFC4 1.1 Ok
    6 Policy Feature Card 3 7600-PFC3C 1.1 Ok
    6 C7600 MSFC4 Daughterboard 7600-MSFC4 1.1 Ok
    8 Centralized Forwarding Card WS-F6700-CFC 2.0 Ok
    9 ESM20G/PFC3C Distributed Fo 7600-ES20-D3C 1.0 Ok
    9/0 10XGE Port 7600-ES20-20GE 1.0 Ok
    9/1 10XGE Port 7600-ES20-20GE 1.0 Ok
    When I issue the command show cef linecard detail I get the following output.
    CEF linecard slot number 5/0 (5), status up
    Input packets 7451981697, bytes 9737285426086
    Output packets 0, bytes 0, drops 0
    CEF Table statistics:
    Table name Status
    IPv4:x-voice Inactive
    IPv4:public Inactive
    IPv4:x-video Inactive
    IPv4:x-server Inactive
    IPv4:x-voice Inactive
    IPv4:x-lan Active, sync, table-up
    IPv4:x-mgmt Active, sync, table-up
    IPv4:net Active, sync, table-up
    IPv4:Default Active, sync, table-up
    IPv6:Default Active, sync, table-up
    CEF linecard slot number 9/0 (9), status up
    Input packets 4546951053, bytes 3153775353471
    Output packets 0, bytes 0, drops 0
    CEF Table statistics:
    Table name Status
    IPv4:x-voice Inactive
    IPv4:public Inactive
    IPv4:x-video Inactive
    IPv4:x-server Inactive
    IPv4:x-voice Inactive
    IPv4:x-lan Active, sync, table-up
    IPv4:x-mgmt Active, sync, table-up
    IPv4:net Active, sync, table-up
    IPv4:Default Active, sync, table-up
    IPv6:Default Active, sync, table-up
    CEF linecard slot number 6/1 (20), status up
    Input packets 0, bytes 0
    Output packets 0, bytes 0, drops 0
    CEF Table statistics:
    Table name Status
    IPv4:x-voice Inactive
    IPv4:public Inactive
    IPv4:x-video Inactive
    IPv4:x-server Inactive
    IPv4:x-voice Active, sync, table-up
    IPv4:x-lan Active, sync, table-up
    IPv4:x-mgmt Active, sync, table-up
    IPv4:net Active, sync, table-up
    IPv4:Default Active, sync, table-up
    IPv6:Default Active, sync, table-up
    CEF linecard slot number 6/0 (6), status up
    Input packets 0, bytes 0
    Output packets 0, bytes 0, drops 0
    CEF Table statistics:
    Table name Status
    IPv4:x-voice Inactive
    IPv4:public Inactive
    IPv4:x-video Inactive
    IPv4:x-server Inactive
    IPv4:x-voice Active, sync, table-up
    IPv4:x-lan Active, sync, table-up
    IPv4:x-mgmt Active, sync, table-up
    IPv4:net Active, sync, table-up
    IPv4:Default Active, sync, table-up
    IPv6:Default Active, sync, table-up
    Can anyone tell me why I am getting a status of inactive in some VRFs and active in others?
    The configuration of all VRFs and associated l2 and l3 interfaces are similar and I cannot see what might be causing this.
    A

    Hi,
    It's a cosmetic issue so don't worry about it. This command is not relevant for 7600 chassis.
    HTH
    Laurent.
