[nsp] Nachi worm mitigation finds bug in 7500 dCEF
Mustafa N. Deeb
mustafa at palnet.com
Wed Aug 27 19:18:16 EDT 2003
Nope
Numbered access list also drops packets
Cheers
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Greg Steele
Sent: Wednesday, August 27, 2003 4:57 PM
To: Kevin Welch
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Nachi worm mitigation finds bug in 7500 dCEF
I have experimentally verified (although not for an extended period)
that the problem is expressly with using a NAMED access-list rather
than a NUMBERED access-list.
Using this access list and map:
ip access-list extended nachilist
permit icmp any any echo
permit icmp any any echo-reply
route-map nachiworm permit 10
match ip address nachilist
match length 92 92
set interface Null0
Works on 1700/2600/3600/7200 and 7500 without dCEF.
Appears to also drop other types of packets WITH dCEF as if the
access-list match is not in the route-map.
Using this seems to fix it:
access-list 196 permit icmp any any echo
access-list 196 permit icmp any any echo-reply
route-map nachitest permit 10
match ip address 196
match length 92 92
set interface Null0
I have asked Cisco to verify.
...Greg
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
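Added example, not part of the thread: a small Python reference model of how the route-map quoted above is supposed to evaluate a packet (every match clause in the sequence must succeed), with a switch that models the reported dCEF behaviour where the ACL clause appears to be ignored. Packet classes, the sample traffic and the `acl_honoured` flag are constructed for illustration; run it to get the expected drop/forward table before comparing against a router.

```python
# Added example (not from the cisco-nsp thread): reference model of the
# "nachiworm" route-map so that observed router behaviour can be checked
# against what the configuration is supposed to do.
from dataclasses import dataclass

ICMP, TCP, UDP = 1, 6, 17
ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8


@dataclass
class Packet:
    proto: int
    length: int          # Layer 3 (IP total) length in bytes, what 'match length' inspects
    icmp_type: int = -1  # only meaningful when proto == ICMP


def acl_nachilist(pkt: Packet) -> bool:
    """permit icmp any any echo / permit icmp any any echo-reply.
    Named (nachilist) and numbered (196) forms have identical semantics."""
    return pkt.proto == ICMP and pkt.icmp_type in (ICMP_ECHO, ICMP_ECHO_REPLY)


def route_map_nachiworm(pkt: Packet, acl_honoured: bool = True) -> str:
    """Return 'drop' if sequence 10 (set interface Null0) fires, else 'forward'.
    All match clauses must succeed. acl_honoured=False is a constructed model of
    the reported dCEF behaviour, where the ACL match seems to be skipped."""
    length_ok = 92 <= pkt.length <= 92          # match length 92 92
    acl_ok = acl_nachilist(pkt) if acl_honoured else True
    return "drop" if (length_ok and acl_ok) else "forward"


# Constructed test traffic: a 92-byte worm-style echo, an 84-byte normal ping
# (56 data + 8 ICMP + 20 IP) and a 92-byte UDP datagram that must not be dropped.
SAMPLE = {
    "echo_92": Packet(ICMP, 92, ICMP_ECHO),
    "ping_84": Packet(ICMP, 84, ICMP_ECHO),
    "udp_92": Packet(UDP, 92),
}


def evaluate(acl_honoured: bool = True) -> dict:
    """Drop/forward verdict for every sample packet under the chosen model."""
    return {name: route_map_nachiworm(p, acl_honoured) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    print("expected  :", evaluate(True))
    print("acl-skip  :", evaluate(False))
```

A 92-byte non-ICMP packet forwarding in the model but vanishing on the router is the symptom Greg describes, so it is the packet to test with first.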