[nsp] Nachi worm mitigation finds bug in 7500 dCEF

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Aug 27 20:07:29 EDT 2003


Named ACLs are not supported with dCEF until 12.1(5)T/12.2.

	oli

----Original Message----
From: jlewis at lewis.org [mailto:jlewis at lewis.org]
Sent: Wednesday, 27 August 2003 17:31
To: Greg Steele
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Nachi worm mitigation finds bug in 7500 dCEF

> What IOS are you running?  Cisco has had "some issues" with named
> access-lists working properly in some releases.  Using the policy
> routing workaround with the named access-list below, I have a 7500
> running rsp-pv-mz.122-14.S1.bin with dCEF and no apparent issues.
> 
> On Wed, 27 Aug 2003, Greg Steele wrote:
> 
> > I have experimentally verified (although not for an extended period)
> > that the problem is expressly with using a NAMED access-list rather
> > than a NUMBERED access-list. 
> > 
> > using this access list and map:
> > 
> > ip access-list extended nachilist
> >  permit icmp any any echo
> >  permit icmp any any echo-reply
> > route-map nachiworm permit 10
> >  match ip address nachilist
> >  match length 92 92
> >  set interface Null0
> > 
> > works on 1700/2600/3600/7200 and 7500 without dCEF
> > Appears to also drop other types of packets WITH dCEF as if the
> > access-list match is not in the route-map.
> > 
> > using this seems to fix:
> > 
> > access-list 196 permit icmp any any echo
> > access-list 196 permit icmp any any echo-reply
> > route-map nachitest permit 10
> >  match ip address 196
> >  match length 92 92
> >  set interface Null0
> > 
> > I have asked cisco to verify.
> > 
> > ...Greg
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> 
> ----------------------------------------------------------------------
>  Jon Lewis *jlewis at lewis.org*|  I route
>  System Administrator        |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> 
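The behaviour Greg describes, modelled as an added example that is not part of the original thread: the route-map from his post is evaluated against constructed sample packets, once with the ACL match honoured (numbered ACL, or named ACL without dCEF) and once with the ACL match silently ignored, as he reports for the named ACL under dCEF on the 7500. The packet fields and sample traffic are assumptions for illustration.

```python
"""Model of 'route-map nachiworm permit 10' from the thread (constructed
example). Shows why an ignored 'match ip address' clause is dangerous: the
remaining 'match length 92 92' clause alone sends every 92-byte packet,
whatever its protocol, to Null0."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "icmp", "tcp" or "udp" (assumed field names)
    icmp_type: str   # "echo", "echo-reply", or "" for non-ICMP
    length: int      # total IP length in bytes, as 'match length' sees it


# Entries of access-list 'nachilist' / 196: permit icmp any any echo|echo-reply
NACHI_ACL = [("icmp", "echo"), ("icmp", "echo-reply")]


def acl_permits(acl, pkt):
    """True if any ACL entry matches the packet (source/dest are 'any')."""
    return any(pkt.proto == p and pkt.icmp_type == t for p, t in acl)


def route_map_drops(pkt, acl_honoured=True):
    """True if sequence 10 applies and 'set interface Null0' discards pkt.
    All match clauses in a sequence must be true for it to apply."""
    length_ok = 92 <= pkt.length <= 92            # match length 92 92
    acl_ok = acl_permits(NACHI_ACL, pkt) if acl_honoured else True
    return length_ok and acl_ok


# Constructed sample traffic: the 92-byte worm probe plus innocent packets
SAMPLES = {
    "nachi_probe": Packet("icmp", "echo", 92),   # IP 20 + ICMP 8 + 64 data
    "normal_ping": Packet("icmp", "echo", 84),
    "udp_92": Packet("udp", "", 92),
    "tcp_92": Packet("tcp", "", 92),
}


def classify(acl_honoured=True):
    """Map each sample name to whether the route-map null-routes it."""
    return {n: route_map_drops(p, acl_honoured) for n, p in SAMPLES.items()}


if __name__ == "__main__":
    print("ACL honoured:", classify(True))
    print("ACL ignored (reported dCEF behaviour):", classify(False))
```

With the ACL ignored, the 92-byte UDP and TCP samples are dropped alongside the worm probe, which is the "drops other types of packets" symptom in the post.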
