[nsp] Nachi worm mitigation finds bug in 7500 dCEF
Greg Steele
steele at oar.net
Wed Aug 27 13:10:41 EDT 2003
12.0(25)S1. I remember a year or two ago seeing "issues". So far
I cannot verify that it fails on 2600/3600/1700/7200 with a pretty
wide variety of recent IOSs.
...Greg.
>
> What IOS are you running? Cisco has had "some issues" with named
> access-lists working properly in some releases. Using the policy routing
> workaround with the named access-list below, I have a 7500 running
> rsp-pv-mz.122-14.S1.bin with dCEF and no apparent issues.
>
> On Wed, 27 Aug 2003, Greg Steele wrote:
>
> > I have experimentally verified (although not for an extended period)
> > that the problem is expressly with using a NAMED access-list rather
> > than a NUMBERED access-list.
> >
> > using this access list and map:
> >
> > ip access-list extended nachilist
> > permit icmp any any echo
> > permit icmp any any echo-reply
> > route-map nachiworm permit 10
> > match ip address nachilist
> > match length 92 92
> > set interface Null0
> >
> > works on 1700/2600/3600/7200 and 7500 without dCEF
> > Appears to also drop other types of packets WITH dCEF as if the
> > access-list match is not in the route-map.
> >
> > using this seems to fix:
> >
> > access-list 196 permit icmp any any echo
> > access-list 196 permit icmp any any echo-reply
> > route-map nachitest permit 10
> > match ip address 196
> > match length 92 92
> > set interface Null0
> >
> > I have asked cisco to verify.
> >
> > ...Greg
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> ----------------------------------------------------------------------
> Jon Lewis *jlewis at lewis.org*| I route
> System Administrator | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
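As an added illustration, not part of this thread and not Cisco's code: a small Python model of how the route-map quoted above should classify packets. Every `match` clause in a route-map entry must hold for its `set` to apply, so only ICMP echo/echo-reply packets of exactly 92 bytes should be sent to Null0 and everything else should fall through to normal forwarding. A flag reproduces the misbehaviour Greg describes, where the access-list match is effectively ignored and any 92-byte packet is blackholed. The `Packet` fields and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet summary: only the fields the route-map looks at."""
    proto: str                       # "icmp", "tcp", "udp"
    length: int                      # IP total length in bytes (what 'match length' tests)
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ... (ICMP only)


# Model of 'ip access-list extended nachilist' from the thread:
#   permit icmp any any echo
#   permit icmp any any echo-reply
# Source/destination are 'any any', so only protocol and ICMP type are kept.
ACL_NACHILIST: List[Tuple[str, Optional[str]]] = [
    ("icmp", "echo"),
    ("icmp", "echo-reply"),
]


def acl_permits(acl: List[Tuple[str, Optional[str]]], pkt: Packet) -> bool:
    """First-match semantics: a packet hitting any permit entry is matched;
    the implicit deny at the end means no entry -> not matched."""
    for proto, icmp_type in acl:
        if pkt.proto == proto and (icmp_type is None or pkt.icmp_type == icmp_type):
            return True
    return False


@dataclass
class RouteMapEntry:
    seq: int
    acl: List[Tuple[str, Optional[str]]]  # 'match ip address <acl>'
    length: Tuple[int, int]               # 'match length <min> <max>'
    set_interface: str                    # 'set interface <ifname>'


# Model of 'route-map nachiworm permit 10' from the thread.
NACHIWORM = [RouteMapEntry(10, ACL_NACHILIST, (92, 92), "Null0")]


def policy_route(route_map: List[RouteMapEntry], pkt: Packet,
                 acl_match_ignored: bool = False) -> str:
    """Return the interface pkt is sent to.

    All 'match' clauses of an entry must be true for its 'set' to apply; a
    packet failing any clause falls through to the next entry and finally to
    normal forwarding ("forward").  acl_match_ignored=True models the dCEF
    misbehaviour described in the thread: the access-list clause is treated
    as absent, so the length clause alone decides.
    """
    for entry in route_map:
        lo, hi = entry.length
        length_ok = lo <= pkt.length <= hi
        acl_ok = True if acl_match_ignored else acl_permits(entry.acl, pkt)
        if length_ok and acl_ok:
            return entry.set_interface
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets: a Nachi-style 92-byte ping, a larger ping,
    # and an unrelated 92-byte TCP segment.
    samples = [
        Packet("icmp", 92, "echo"),
        Packet("icmp", 100, "echo"),
        Packet("tcp", 92),
    ]
    for pkt in samples:
        print(pkt, "correct ->", policy_route(NACHIWORM, pkt),
              "| acl ignored ->", policy_route(NACHIWORM, pkt, acl_match_ignored=True))
```

The last column is the useful check: with the access-list clause ignored, the 92-byte TCP segment is blackholed as well, which is the collateral drop the thread reports with dCEF and a named access-list.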