Vulnerability in Cisco IOS 11.1 through 11.3 with distributed fast switching (DFS) enabled allows remote attackers to bypass certain access control lists when the router switches traffic from a DFS-enabled input interface to an output interface with a logical subinterface, as described by Cisco bug CSCdk43862.
Cisco IOS contains a flaw that may allow a malicious user to send packets or fragments of packets to a subinterface even when an access control list (ACL) prohibits such behaviour. The issue is triggered when distributed fast switching is enabled. The flaw may allow traffic that an ACL ought to prohibit to transit from a DFS-enabled input interface to an output interface with a logical subinterface, thereby resulting in a loss of integrity.
Upgrade to the version appropriate for your installation, as outlined in the vulnerable version matrix provided by Cisco. An upgrade is required as there are no known workarounds.
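A configuration triage for the condition described above, as an added example that is not Cisco's code or part of the original entry. It assumes DFS appears in the configuration as the interface command `ip route-cache distributed`, that a dot in an interface name marks a logical subinterface, and that any `ip access-group` on a subinterface is worth flagging (the entry does not say which ACLs are affected); the sample configuration is constructed.

```python
import re

AFFECTED = {"11.1", "11.2", "11.3"}  # release range named in the entry above

# Constructed sample configuration (documentation addresses, made-up ACL number).
SAMPLE = """\
version 11.2
!
interface FastEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 ip route-cache distributed
!
interface Serial1/0/0
 no ip address
!
interface Serial1/0/0.1 point-to-point
 ip address 198.51.100.1 255.255.255.252
 ip access-group 110 out
!
"""

def parse_config(text):
    """Return (version, {interface name: [stanza lines]}) from an IOS config."""
    version, interfaces, current = None, {}, None
    for line in text.splitlines():
        m = re.match(r"version (\d+\.\d+)", line)
        if m:
            version = m.group(1)
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return version, interfaces

def triage(text):
    """Flag configs matching the entry: affected release, DFS input, ACL on a subinterface."""
    version, interfaces = parse_config(text)
    # Assumption: DFS shows up as this exact interface command ("no ..." does not match).
    dfs = sorted(n for n, b in interfaces.items() if "ip route-cache distributed" in b)
    # Assumption: a dot in the name marks a logical subinterface.
    subifs = sorted(n for n, b in interfaces.items()
                    if "." in n and any(l.startswith("ip access-group ") for l in b))
    return {"version": version, "dfs_inputs": dfs, "acl_subinterfaces": subifs,
            "exposed": version in AFFECTED and bool(dfs) and bool(subifs)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A positive result only marks a router for checking against Cisco's vulnerable version matrix, which decides the fixed release.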