[nsp] Nachi worm mitigation finds bug in 7500 dCEF

Oleksandr Pantus alx at vsmu.vinnica.ua
Thu Aug 28 13:07:37 EDT 2003

Hello !

On Thu, 28 Aug 2003, Oliver Boehmer (oboehmer) wrote:
> > > Named ACLs are not supported with dCEF until 12.1(5)T/12.2.
> >
> > What does "not supported" mean in this context?  Will it fall back to
> > CPU switching, or will it just ignore the access list?
> For traffic filters (i.e. "ip access-group named-acl in") packets get
> punted to the RSP, so they are CEF switched on the RSP (not
> process-switched!).
> This should also happen for PBR, but apparently it does not, so this
> should be fixed. Named ACLs are not sent to the VIPs in 12.0S, so they
> just have no knowledge about those lists.

Just my $0.02 about ACL. Time-range featured ACL matches the packets even
"sh ip access-list NAME" shows "inactive" near the ACL rule. Revealed on
RSP4+, 12.2(14)S1 (dCEF enabled) after migration from 12.2 mainline.

Alexander, MD, 			nic-hdl: AJP1-UANIC

More information about the cisco-nsp mailing list