[nsp] Nachi worm mitigation finds bug in 7500 dCEF
Greg Steele
steele at oar.net
Wed Aug 27 11:57:00 EDT 2003
I have experimentally verified (although not for an extended period)
that the problem is expressly with using a NAMED access-list rather
than a NUMBERED access-list.
Using this access list and map:
ip access-list extended nachilist
permit icmp any any echo
permit icmp any any echo-reply
route-map nachiworm permit 10
match ip address nachilist
match length 92 92
set interface Null0
works on the 1700/2600/3600/7200 and on the 7500 without dCEF.
It appears to also drop other types of packets WITH dCEF, as if the
access-list match were not in the route-map.
Using this seems to fix it:
access-list 196 permit icmp any any echo
access-list 196 permit icmp any any echo-reply
route-map nachitest permit 10
match ip address 196
match length 92 92
set interface Null0
I have asked Cisco to verify.
...Greg
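An added example (not part of Greg's post): a small config check that flags route-map entries whose "match ip address" references a named access-list, i.e. the form reported above to misbehave with dCEF on the 7500. The config text is a constructed sample built from the two route-maps in the post, and the regex-based parsing is an assumption about IOS config layout, not a Cisco tool.

```python
import re

# Constructed sample IOS config: one route-map matching the NAMED acl
# (the problematic form) and one matching the NUMBERED acl (the fix).
SAMPLE_CONFIG = """\
ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply
access-list 196 permit icmp any any echo
access-list 196 permit icmp any any echo-reply
route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0
route-map nachitest permit 10
 match ip address 196
 match length 92 92
 set interface Null0
"""


def find_named_acl_route_maps(config):
    """Return [(route_map, seq, acl_name, acl_is_defined)] for every
    route-map entry whose 'match ip address' references a named ACL.
    Numbered ACL references and 'match ip address prefix-list' are ignored."""
    named_acls = set()
    findings = []
    current = None  # (route-map name, sequence) being parsed
    for line in config.splitlines():
        stripped = line.strip()
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)$", stripped):
            named_acls.add(m.group(1))
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", stripped):
            current = (m.group(1), int(m.group(2)))
        elif current and (m := re.match(r"match ip address (.+)$", stripped)):
            refs = m.group(1).split()
            if refs[0] == "prefix-list":
                continue  # prefix-list match, not an access-list
            for ref in refs:
                if not ref.isdigit():
                    findings.append((current[0], current[1], ref, ref in named_acls))
    return findings


if __name__ == "__main__":
    for rmap, seq, acl, defined in find_named_acl_route_maps(SAMPLE_CONFIG):
        status = "defined" if defined else "UNDEFINED"
        print(f"route-map {rmap} seq {seq}: matches named ACL {acl} ({status})")
```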