Warning: possibly useful operational content follows. Read at your own risk.

Regarding the possible denial-of-service implications of Cisco routers process-switching packets which have been denied by an access-list (as was mentioned previously on this list), I received the following update in this morning's list-of-bugs-and-their-new-status via email:

-----------------------------------------------------------------------------
BugID:       CSCdj35407
Title:       ACL: Denied packets always sent to process level
Feature:     ip
Version:     11.2(0.0) 11.1(0.0) 11.0(0.0) 11.3(0.0)
Integrated:  11.1(13.5)CA
Severity:    2
State:       M
Release Notes:
Currently all packets denied by an access list are sent to the process level to generate an ICMP administratively prohibited message. Some of these packets are dropped because Cisco routers limit ICMP generation to two packets per second. This behavior results in excessive CPU load.
-----------------------------------------------------------------------------

This means that they have integrated some sort of fix into 11.1(13.5)CA, and the "M" state means that they intend to provide the same fix in other versions of their software.

Jeff
-- 
Jeffrey S. Curtis                | Internetwork Manager
Argonne National Laboratory      | Email: curtis@anl.gov
9700 South Cass Avenue, ECT-221  | Voice: 630/252-1789
Argonne, IL 60439                | Fax: 630/252-9689
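The following is an added model of the cost described in the bug note, not code from the post or from Cisco. It assumes a one-second-window limiter for the quoted two-ICMP-per-second figure, and the "fixed" branch is an assumed design (check the limiter before punting) rather than the actual change shipped in 11.1(13.5)CA; it exists to show why a rate limit applied after the punt does not reduce process-level load.

```python
# Constructed simulation of CSCdj35407, not Cisco code. The 2/s ICMP limit
# is the figure from the bug note; the "fixed" path is an assumed design
# (rate-limit check before the punt), not the real 11.1(13.5)CA change.
from collections import Counter

ICMP_PER_SECOND = 2


class IcmpRateLimiter:
    """Allow at most `rate` ICMP messages per one-second window."""

    def __init__(self, rate=ICMP_PER_SECOND):
        self.rate, self.window, self.sent = rate, None, 0

    def allow(self, t):
        if int(t) != self.window:
            self.window, self.sent = int(t), 0
        if self.sent < self.rate:
            self.sent += 1
            return True
        return False


def forward(packets, acl_denied, fixed):
    """packets: (timestamp, dst) pairs; acl_denied: set of denied dsts.
    Returns counts of forwards, punts, ICMP messages and drops."""
    stats, limiter = Counter(), IcmpRateLimiter()
    for t, dst in packets:
        if dst not in acl_denied:
            stats["fast_forwarded"] += 1
        elif fixed:
            # Assumed fix: decide in the fast path whether an ICMP message
            # is still allowed this second; punt only when it is.
            if limiter.allow(t):
                stats["punted"] += 1
                stats["icmp_sent"] += 1
            else:
                stats["fast_dropped"] += 1
        else:
            # Bug behaviour: every denied packet is punted first; the 2/s
            # limit is applied only after the CPU has already paid for it.
            stats["punted"] += 1
            if limiter.allow(t):
                stats["icmp_sent"] += 1
            else:
                stats["process_dropped"] += 1
    return dict(stats)
```

Feeding both variants the same flood of denied packets shows the punt count, which is the CPU cost, staying equal to the packet count under the bug while ICMP output is capped either way.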