Your browser failed to load CSS style sheets. Your browser or web proxy might not support elliptic-curve TLS

Building network automation solutions

6 week online course

Start now!
back to overview

Which switching path does an IOS feature use

I've got an excellent question recently: Which switching path is used in Zone-based firewalls when a packet is dropped? As usual, IOS documentation was not very helpful (which is understandable as the answer might depend on hardware platform, interface encapsulation, other features configured on the router etc.). However, there is a great tool to use - the show interface stats command.

The show interface stats command displays the number of packets switched per switching mechanism (unfortunately, CEF is lumped together with fast switching). This command thus helps us to figure out if the packets are process switched. The show cef not-cef-switched command displays all packets punted from CEF to other switching mechanisms, so together they give us a pretty strong indication of what's going on.

To answer the question, I've configured a test lab router as follows:

class-map type inspect match-all ICMP
match protocol icmp
policy-map type inspect InToOut
class type inspect ICMP
drop log
class class-default
zone security inside
zone security outside
zone-pair security InToOut source inside destination outside
service-policy type inspect InToOut
interface FastEthernet0/0
ip address
zone-member security inside
interface Serial0/0/0.100 point-to-point
description Link to the Internet
ip address
zone-member security outside

Note: it's best to perform these tests in very "quiet" and controlled environment to ensure the statistics are not skewed by other traffic.

I've started a continuous ping on a LAN-attached workstation (as expected, all pings failed), cleared the interface counters on the router and took a snapshot of them a while later. The counter values clearly indicate that the dropped packets are not process-switched.

fw#clear counters
*Dec 15 18:14:28: %FW-6-DROP_PKT: Dropping icmp pkt => with ip ident 17758 due to DROP action found in policy-map
fw#show interface FastEthernet0/0 stats
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 4 553 10 919
Route cache 32 2368 0 0
Total 36 2921 10 919

fw#show cef not-cef-switched
CEF Packets passed on to next switching layer
Slot No_adj No_encap Unsupp'ted Redirect Receive Options Access Frag
RP 0 0 0 0 0 0 0 0

No comments:

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.