[nsp] Nachi worm mitigation finds bug in 7500 dCEF

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Aug 28 09:13:32 EDT 2003


> 
> On Wed, Aug 27, 2003 at 07:07:29PM +0200, Oliver Boehmer (oboehmer)
> wrote: 
> > Named ACLs are not supported with dCEF until 12.1(5)T/12.2.
> 
> What does "not supported" mean in this context?  Will it fall back to
> CPU switching, or will it just ignore the access list?

For traffic filters (i.e. "ip access-group named-acl in") packets get
punted to the RSP, so they are CEF switched on the RSP (not
process-switched!).
This should also happen for PBR, but apparently it does not, so this
should be fixed. Named ACLs are not sent to the VIPs in 12.0S, so they
just have no knowledge about those lists.

	oli


