[12040] in North American Network Operators' Group
Denied packets process-switched - no longer?
daemon@ATHENA.MIT.EDU (Jeffrey S. Curtis)
Fri Aug 29 08:00:55 1997
Date: Fri, 29 Aug 1997 06:37:36 -0500
To: nanog@merit.edu
From: "Jeffrey S. Curtis" <curtis@anl.gov>
Warning: possibly useful operational content follows. Read at your own risk.
Regarding the possible denial-of-service implications of cisco routers
process-switching packets which have been denied by an access-list (as
was mentioned previously on this list), I received the following update
in this morning's list-of-bugs-and-their-new-status via email:
-----------------------------------------------------------------------------
BugID: CSCdj35407
Title: ACL: Denied packets always sent to process level
Feature: ip
Version: 11.2(0.0) 11.1(0.0) 11.0(0.0) 11.3(0.0)
Integrated: 11.1(13.5)CA
Severity: 2
State: M
Release Notes:
Currently all packets denied by an access list are sent to the process
level to generate an ICMP administratively prohibited message. Some of
these packets are dropped because Cisco routers limit ICMP generation to
two packets per second.
This behavior results in excessive CPU load.
-----------------------------------------------------------------------------
This means that they have integrated some sort of fix into 11.1(13.5)CA,
and the "M" state means that they intend to provide the same fix in
other versions of their software.
Jeff
--
Jeffrey S. Curtis | Internetwork Manager
Argonne National Laboratory | Email: curtis@anl.gov
9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789
Argonne, IL 60439 | Fax: 630/252-9689
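A defender's-side illustration of the behaviour in the bug note, added here and not part of the original post or of Cisco's bug record: the punt to process level exists only so the router can build the ICMP "administratively prohibited" unreachable, so suppressing unreachables on the interface that applies the deny ACL was the commonly applied interim workaround, and `show processes cpu` lets you confirm whether it helped on your own release. The interface name, ACL number and address block are assumptions chosen for the example.

```cisco
! Constructed example; 10.0.0.0/8, Ethernet0 and ACL 101 are placeholders.
!
! Before: a deny ACL with ip unreachables left at its default (enabled).
! Every denied packet is punted to process level so the router can
! build an ICMP type 3 code 13 (communication administratively
! prohibited) reply. ICMP generation is capped at two per second, so
! most of the punted packets are simply dropped there, but the punt
! itself has already turned a cheap drop into CPU load.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
interface Ethernet0
 ip access-group 101 in
!
! Interim workaround until the fixed release is installed: turn off
! ICMP unreachables on the interface that applies the deny ACL. With
! no unreachable to generate, there is nothing for process level to
! do and the drop can stay in the interrupt-level switching path.
! The cost is that senders no longer get an explicit "prohibited"
! reply, so denied connections time out instead of failing fast.
interface Ethernet0
 ip access-group 101 in
 no ip unreachables
!
! Verify from exec mode, before and after, while the denied traffic
! is present. The five-second figure is shown as X%/Y%: X is total
! CPU and Y is the part spent at interrupt level. A large X with a
! small Y while a deny ACL is being hit points at process-switched
! drops; after the change, X should fall toward Y.
! Router# show processes cpu
```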