[nsp] Nachi worm mitigation finds bug in 7500 dCEF

Oleksandr Pantus alx at vsmu.vinnica.ua
Thu Aug 28 13:07:37 EDT 2003


Hello !

On Thu, 28 Aug 2003, Oliver Boehmer (oboehmer) wrote:
> > > Named ACLs are not supported with dCEF until 12.1(5)T/12.2.
> >
> > What does "not supported" mean in this context?  Will it fall back to
> > CPU switching, or will it just ignore the access list?
>
> For traffic filters (i.e. "ip access-group named-acl in") packets get
> punted to the RSP, so they are CEF switched on the RSP (not
> process-switched!).
> This should also happen for PBR, but apparently it does not, so this
> should be fixed. Named ACLs are not sent to the VIPs in 12.0S, so they
> just have no knowledge about those lists.

Just my $0.02 about ACLs. A time-range featured ACL still matches packets even
though "sh ip access-list NAME" shows "inactive" next to the ACL rule. Revealed on
RSP4+, 12.2(14)S1 (dCEF enabled) after migration from 12.2 mainline.

-- 
S/Y,
Alexander, MD, 			nic-hdl: AJP1-UANIC
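As an added illustration (not configuration posted by either participant), here is a minimal IOS configuration of the kind the last paragraph describes: a named extended ACL whose deny entry is gated by a time-range, applied as an inbound traffic filter. The interface, addresses, ACL name and time-range name are placeholders chosen for the example; the commands themselves (time-range, ip access-list extended, the time-range keyword on an ACE, ip access-group, show time-range, show ip access-lists) are standard IOS.

```cisco
! Added example, not from the thread. Names, addresses and the
! interface are placeholders.
time-range MAINT-WINDOW
 periodic weekdays 22:00 to 23:59
!
ip access-list extended FILTER-IN
 remark This entry is only meant to match inside MAINT-WINDOW
 deny   icmp any any echo time-range MAINT-WINDOW
 permit ip any any
!
interface FastEthernet1/0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group FILTER-IN in
!
! Checks to run from the RSP outside the window:
!   show time-range MAINT-WINDOW      -> reports the range as inactive
!   show ip access-lists FILTER-IN    -> the deny ACE is flagged (inactive)
! The display reflects what the RSP knows; whether the distributed
! forwarding path honours the flag has to be confirmed by sending
! test traffic outside the window and seeing if it is still dropped.
```

The point of the two show commands is that they describe the RSP's view of the list. The report above is that on RSP4+ running 12.2(14)S1 with dCEF the ACE kept matching while displayed as inactive, so on such a platform the "(inactive)" marker alone is not evidence that the entry is dormant; a traffic test outside the window is the reliable check.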


More information about the cisco-nsp mailing list