Which switching path does an IOS feature use

I got an excellent question recently: which switching path does a zone-based firewall use when it drops a packet? As usual, the IOS documentation was not very helpful (which is understandable, as the answer might depend on the hardware platform, the interface encapsulation, other features configured on the router and so on). However, there is a great tool for this job: the show interface stats command.

The show interface stats command displays the number of packets switched through each switching mechanism (unfortunately, CEF is lumped together with fast switching under the "Route cache" row). This command thus tells us whether packets are process switched. The show cef not-cef-switched command displays all packets punted from CEF to other switching mechanisms, so together the two commands give a pretty strong indication of what's going on.

To answer the question, I've configured a test lab router as follows:

class-map type inspect match-all ICMP
 match protocol icmp
!
!
policy-map type inspect InToOut
 class type inspect ICMP
  drop log
 class class-default
  inspect
!
zone security inside
zone security outside
zone-pair security InToOut source inside destination outside
 service-policy type inspect InToOut
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 zone-member security inside
!
interface Serial0/0/0.100 point-to-point
 description Link to the Internet
 ip address 192.168.201.6 255.255.255.252
 zone-member security outside

Note: it's best to perform these tests in a very "quiet" and controlled environment to ensure the statistics are not skewed by other traffic.

I started a continuous ping on a LAN-attached workstation (as expected, all pings failed), cleared the interface counters on the router and took a snapshot of them a while later. The counter values clearly indicate that the dropped packets are not process switched: the inbound pings show up under the Route cache row (32 packets in), while only 4 inbound packets took the Processor path.

fw#clear counters
...
*Dec 15 18:14:28: %FW-6-DROP_PKT: Dropping icmp pkt 10.0.0.2:8 => 172.16.0.1:0 with ip ident 17758 due to DROP action found in policy-map
...
fw#show interface FastEthernet0/0 stats
FastEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          4        553         10        919
             Route cache         32       2368          0          0
                   Total         36       2921         10        919

fw#show cef not-cef-switched
CEF Packets passed on to next switching layer
Slot  No_adj  No_encap  Unsupp'ted  Redirect  Receive  Options  Access  Frag
RP         0         0           0         0        0        0       0     0
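To make this check repeatable across many interfaces, here is an added Python example (not code from the post) that parses show interface stats output and flags interfaces where most inbound packets took the Processor path; the sample text is constructed, modelled on the FastEthernet0/0 output above plus a hypothetical second interface with made-up counters.

```python
import re

# Constructed sample: the FastEthernet0/0 counters from the post plus a
# hypothetical Serial0/0/0.100 with invented numbers for contrast.
SAMPLE = """\
FastEthernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          4        553         10        919
             Route cache         32       2368          0          0
                   Total         36       2921         10        919
Serial0/0/0.100
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         40       4120         36       3640
             Route cache          2        180          0          0
                   Total         42       4300         36       3640
"""

# One counter row: path name followed by four integer columns.
ROW = re.compile(
    r'^\s*(Processor|Route cache|Distributed cache|Total)'
    r'\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$')


def parse_interface_stats(text):
    """Return {interface: {path: {pkts_in, chars_in, pkts_out, chars_out}}}."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = ROW.match(line)
        if m and current is not None:
            path, *nums = m.groups()
            pi, ci, po, co = map(int, nums)
            stats[current][path] = {'pkts_in': pi, 'chars_in': ci,
                                    'pkts_out': po, 'chars_out': co}
        elif line and not line[0].isspace():
            # Interface names start in column 0; header rows are indented.
            current = line.strip()
            stats[current] = {}
    return stats


def process_switched_share(iface_stats, direction='pkts_in'):
    """Fraction of packets (default: inbound) that were process switched."""
    total = iface_stats.get('Total', {}).get(direction, 0)
    if total == 0:
        return 0.0  # no traffic counted since the last clear counters
    return iface_stats.get('Processor', {}).get(direction, 0) / total


def flag_process_switched(text, threshold=0.5):
    """Interfaces whose inbound process-switched share exceeds the threshold."""
    return sorted(name for name, s in parse_interface_stats(text).items()
                  if process_switched_share(s) > threshold)
```

Run it on a fresh snapshot taken shortly after clear counters, as in the post, so that the shares reflect only the test traffic.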
