Denied packets process-switched - no longer?
Jeffrey S. Curtis
curtis at anl.gov
Fri Aug 29 11:37:36 UTC 1997
Warning: possibly useful operational content follows. Read at your own risk.
Regarding the possible denial-of-service implications of cisco routers
process-switching packets which have been denied by an access-list (as
was mentioned previously on this list), I received the following update
in this morning's list-of-bugs-and-their-new-status via email:
-----------------------------------------------------------------------------
BugID: CSCdj35407
Title: ACL: Denied packets always sent to process level
Feature: ip
Version: 11.2(0.0) 11.1(0.0) 11.0(0.0) 11.3(0.0)
Integrated: 11.1(13.5)CA
Severity: 2
State: M
Release Notes:
Currently all packets denied by an access list are sent to the process
level to generate an ICMP administratively prohibited message. Some of
these packets are dropped because Cisco routers limit ICMP generation to
two packets per second.
This behavior results in excessive CPU load.
-----------------------------------------------------------------------------
This means that they have integrated some sort of fix into 11.1(13.5)CA,
and the "M" state means that they intend to provide the same fix in
other versions of their software.
Jeff
--
Jeffrey S. Curtis | Internetwork Manager
Argonne National Laboratory | Email: curtis at anl.gov
9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789
Argonne, IL 60439 | Fax: 630/252-9689
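The behaviour the bug notes describe has two separate costs that are easy to conflate: every ACL-denied packet is punted to the process level, while the ICMP administratively-prohibited replies are capped at two per second. The small model below is an added illustration, not Cisco code and not part of the original post; it assumes an evenly spaced flood of denied packets (constructed input) and simply counts punts against ICMP messages actually generated, which makes clear why the CPU load tracks the offered denied-packet rate rather than the ICMP rate.

```python
"""Toy model of the behaviour described in CSCdj35407 (constructed example,
not Cisco code): each ACL-denied packet is punted to process level, but ICMP
administratively-prohibited replies are limited to two per second, so most
punted packets are dropped after having already consumed process-level work."""
from dataclasses import dataclass

ICMP_LIMIT_PER_SECOND = 2  # the rate limit stated in the bug release notes


@dataclass
class Tally:
    punted: int = 0           # denied packets handled at process level
    icmp_sent: int = 0        # ICMP admin-prohibited messages generated
    icmp_suppressed: int = 0  # denied packets dropped without an ICMP reply


def process_denied_packets(arrival_times):
    """arrival_times: sorted timestamps in seconds of packets the ACL denied.

    Every denied packet costs one punt. An ICMP message is generated only
    while the per-second budget allows; the rest are silently dropped.
    Returns a Tally of the three counters.
    """
    tally = Tally()
    current_second = None
    sent_this_second = 0
    for t in arrival_times:
        tally.punted += 1                 # punt happens regardless of ICMP budget
        second = int(t)
        if second != current_second:      # new one-second window: reset budget
            current_second = second
            sent_this_second = 0
        if sent_this_second < ICMP_LIMIT_PER_SECOND:
            sent_this_second += 1
            tally.icmp_sent += 1
        else:
            tally.icmp_suppressed += 1
    return tally


def denied_flood(rate_pps, seconds):
    """Constructed arrival pattern: rate_pps denied packets per second,
    evenly spaced, for the given number of seconds."""
    return [s + i / rate_pps for s in range(seconds) for i in range(rate_pps)]


if __name__ == "__main__":
    # 1000 denied packets per second for 5 seconds: 5000 punts, 10 ICMP replies.
    print(process_denied_packets(denied_flood(1000, 5)))
```

Raising the offered rate raises `punted` linearly while `icmp_sent` stays pinned at two per second, which is the asymmetry the release notes attribute the excessive CPU load to.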