[nsp] Nachi worm mitigation finds bug in 7500 dCEF
jlewis at lewis.org
Wed Aug 27 12:30:57 EDT 2003
What IOS are you running? Cisco has had "some issues" with named
access-lists working properly in some releases. Using the policy routing
workaround with the named access-list below, I have a 7500 running
rsp-pv-mz.122-14.S1.bin with dCEF and no apparent issues.
On Wed, 27 Aug 2003, Greg Steele wrote:
> I have experimentally verified (although not for an extended period)
> that the problem is expressly with using a NAMED access-list rather
> than a NUMBERED access-list.
>
> using this access list and map:
>
> ip access-list extended nachilist
>  permit icmp any any echo
>  permit icmp any any echo-reply
> route-map nachiworm permit 10
>  match ip address nachilist
>  match length 92 92
>  set interface Null0
>
> works on 1700/2600/3600/7200 and 7500 without dCEF
> Appears to also drop other types of packets WITH dCEF as if the
> access-list match is not in the route-map.
>
> using this seems to fix:
>
> access-list 196 permit icmp any any echo
> access-list 196 permit icmp any any echo-reply
> route-map nachitest permit 10
>  match ip address 196
>  match length 92 92
>  set interface Null0
>
> I have asked cisco to verify.
>
> ...Greg
----------------------------------------------------------------------
Jon Lewis *jlewis at lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
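As an added example (not part of the original post and not a Cisco tool), a small config audit that flags the combination the thread describes: a route-map whose "match ip address" references a named ACL on a router that has "ip cef distributed" configured. The sample config is constructed from the two snippets quoted above; the function names are my own.

```python
"""Audit an IOS config for route-maps that match a NAMED access-list while
distributed CEF is enabled, the combination reported to misbehave in the thread.
Constructed sample config; not from the original post."""
import re

SAMPLE_CONFIG = """\
ip cef distributed
!
ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply
!
access-list 196 permit icmp any any echo
access-list 196 permit icmp any any echo-reply
!
route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0
!
route-map nachitest permit 10
 match ip address 196
 match length 92 92
 set interface Null0
"""

def parse_route_map_acls(config):
    """Return {route-map name: [ACLs referenced by its 'match ip address' lines]}."""
    refs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+", line)
        if m:                      # new route-map sequence starts here
            current = m.group(1)
            refs.setdefault(current, [])
            continue
        m = re.match(r"\s*match ip address (.+)", line)
        if m and current:          # one line may list several ACLs
            refs[current].extend(m.group(1).split())
    return refs

def named_acl_matches_under_dcef(config):
    """(route-map, acl) pairs using a named ACL when dCEF is on; [] if dCEF is off."""
    if not any(l.strip() == "ip cef distributed" for l in config.splitlines()):
        return []
    return [(rm, acl) for rm, acls in parse_route_map_acls(config).items()
            for acl in acls if not acl.isdigit()]   # numbered ACLs are all digits

if __name__ == "__main__":
    for rm, acl in named_acl_matches_under_dcef(SAMPLE_CONFIG):
        print(f"route-map {rm}: '{acl}' is a named ACL; use a numbered ACL under dCEF")
```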