Denied packets process-switched - no longer?

Jeffrey S. Curtis curtis at
Fri Aug 29 11:37:36 UTC 1997

Warning: possibly useful operational content follows.  Read at your own risk.

Regarding the possible denial-of-service implications of cisco routers
process-switching packets which have been denied by an access-list (as
was mentioned previously on this list), I received the following update
in this morning's list-of-bugs-and-their-new-status via email:

        BugID: CSCdj35407
        Title: ACL: Denied packets always sent to process level
      Feature: ip
      Version: 11.2(0.0) 11.1(0.0) 11.0(0.0) 11.3(0.0)
   Integrated: 11.1(13.5)CA
     Severity: 2
        State: M
Release Notes:
Currently all packets denied by an access list are sent to the process
level to generate an ICMP administratively prohibited message. Some of
these packets are dropped because Cisco routers limit ICMP generation to
two packets per second.
This behavior results in excessive CPU load.

This means that they have integrated some sort of fix into 11.1(13.5)CA,
and the "M" state means that they intend to provide the same fix in
other versions of their software.

Jeffrey S. Curtis                      | Internetwork Manager
Argonne National Laboratory            | Email: curtis at
9700 South Cass Avenue, ECT-221        | Voice: 630/252-1789
Argonne, IL 60439                      | Fax:   630/252-9689
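An added model, not code from this post or from Cisco, of the behaviour the release notes above describe: every denied packet is punted to process level, and the two-per-second ICMP limit only caps how many unreachables leave the box, so CPU work still scales with the denied-packet rate. The `fixed` mode is an assumed shape of the fix (apply the rate limit in the fast path and punt only packets that will actually get an ICMP reply); the bug report does not say how CSCdj35407 was resolved.

```python
from dataclasses import dataclass

ICMP_PER_SECOND = 2  # limit stated in the release notes


@dataclass
class RouterModel:
    fixed: bool = False   # True: assumed fixed behaviour, False: CSCdj35407 behaviour
    punts: int = 0        # denied packets handled at process level (CPU cost)
    icmp_sent: int = 0    # ICMP administratively-prohibited messages emitted
    fast_drops: int = 0   # denied packets dropped without leaving the fast path
    _window: int = -1     # current one-second window
    _sent_in_window: int = 0

    def _icmp_allowed(self, t: float) -> bool:
        # Simple per-second limiter: at most ICMP_PER_SECOND replies per window.
        sec = int(t)
        if sec != self._window:
            self._window, self._sent_in_window = sec, 0
        if self._sent_in_window < ICMP_PER_SECOND:
            self._sent_in_window += 1
            return True
        return False

    def deny(self, t: float) -> None:
        """Process one packet denied by the ACL at time t (seconds)."""
        if self.fixed:
            # Assumed fix: decide in the fast path; punt only to send an ICMP.
            if self._icmp_allowed(t):
                self.punts += 1
                self.icmp_sent += 1
            else:
                self.fast_drops += 1
            return
        # Reported behaviour: every denied packet is process-switched first,
        # and only then does the ICMP limiter discard most of the replies.
        self.punts += 1
        if self._icmp_allowed(t):
            self.icmp_sent += 1


def simulate(denied_pps: int, seconds: int, fixed: bool = False) -> dict:
    """Feed a constant stream of denied packets and report the counters."""
    r = RouterModel(fixed=fixed)
    for s in range(seconds):
        for i in range(denied_pps):
            r.deny(s + i / denied_pps)
    return {"punts": r.punts, "icmp_sent": r.icmp_sent, "fast_drops": r.fast_drops}
```

Running `simulate(1000, 10)` shows ten thousand process-level punts for only twenty ICMP messages, which is the load the release notes call excessive.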
