Denied packets process-switched - no longer?

Warning: possibly useful operational content follows. Read at your own risk.

Regarding the possible denial-of-service implications of cisco routers
process-switching packets which have been denied by an access-list (as
was mentioned previously on this list), I received the following update
in this morning's list-of-bugs-and-their-new-status via email:

-----------------------------------------------------------------------------
BugID:      CSCdj35407
Title:      ACL: Denied packets always sent to process level
Feature:    ip
Version:    11.2(0.0) 11.1(0.0) 11.0(0.0) 11.3(0.0)
Integrated: 11.1(13.5)CA
Severity:   2
State:      M

Release Notes:
Currently all packets denied by an access list are sent to the process
level to generate an ICMP administratively prohibited message. Some of
these packets are dropped because Cisco routers limit ICMP generation to
two packets per second. This behavior results in excessive CPU load.
-----------------------------------------------------------------------------

This means that they have integrated some sort of fix into 11.1(13.5)CA,
and the "M" state means that they intend to provide the same fix in other
versions of their software.

Jeff

--
Jeffrey S. Curtis               | Internetwork Manager
Argonne National Laboratory     | Email:
9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789
Argonne, IL 60439               | Fax: 630/252-9689

On Fri, 29 Aug 1997, Jeffrey S. Curtis wrote:

==>Warning: possibly useful operational content follows. Read at your own risk.
==>
==>Regarding the possible denial-of-service implications of cisco routers
==>process-switching packets which have been denied by an access-list (as
==>was mentioned previously on this list), I received the following update
==>in this morning's list-of-bugs-and-their-new-status via email:

I've tested this image in my lab and it works very well. 2 pps head to
process level to send unreachables, the rest are quickly dropped in the
fast path.

/cah
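
The difference between the behavior in the release note and the lab result reported above can be seen in a small model. This is an added example, not part of either message and not Cisco's code; the one-second fixed window, the function names and the flood parameters are assumptions made for illustration.

```python
from dataclasses import dataclass

ICMP_UNREACH_PPS = 2  # limit stated in the release note


@dataclass
class Counters:
    punted: int = 0        # denied packets handed to process level
    icmp_sent: int = 0     # administratively-prohibited messages generated
    fast_dropped: int = 0  # denied packets discarded in the fast path


def simulate(arrivals_us, fixed, limit_pps=ICMP_UNREACH_PPS):
    """Count where ACL-denied packets end up.

    arrivals_us: sorted arrival times in microseconds (constructed input).
    fixed: False models the release note's "before", True the lab result.
    The one-second fixed window is a modelling assumption.
    """
    c = Counters()
    window, sent = None, 0
    for t in arrivals_us:
        second = t // 1_000_000
        if second != window:          # new one-second window, reset budget
            window, sent = second, 0
        within_limit = sent < limit_pps
        if fixed and not within_limit:
            c.fast_dropped += 1       # over the limit: never leaves fast path
            continue
        c.punted += 1                 # process level sees this packet
        if within_limit:
            c.icmp_sent += 1
            sent += 1
        # pre-fix, over-limit packets were punted and then dropped unanswered
    return c


def denied_flood(pps=10_000, seconds=5):
    """Constructed sample: evenly spaced denied packets."""
    step = 1_000_000 // pps
    return range(0, seconds * 1_000_000, step)


if __name__ == "__main__":
    for label, fixed in (("before fix", False), ("after fix", True)):
        print(label, simulate(denied_flood(), fixed))
```

In both cases the same number of ICMP messages leaves the router; what changes is how many denied packets reach the process level to get there.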