Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Selecting Mode of Capturing Control Packets
Because some of the groups share overlapping ACEs (for example, the 224.0.0.* range is present in every group except DHCP Snooping), enabling one group also intercepts some protocols that belong to other groups.
The per-VLAN programming triggers for the four protocol groups are as follows:
• IGMP Snooping must be enabled globally and on the VLAN in question.
• DHCP Snooping must be enabled globally and on the VLAN in question.
Guidelines and Restrictions
Note Before configuring per-VLAN capture mode, examine your configuration to ensure that only the necessary features are enabled on the desired VLANs; every enabled feature adds capture entries to the ACL/feature TCAM.
The following guidelines and restrictions apply to per-VLAN capture mode:
• Starting with Cisco IOS Release 15.0(2)SG for Supervisor Engine 6-E and Supervisor Engine 6L-E (Cisco IOS XE Release 3.2.0 for Supervisor Engine 7-E, Cisco IOS XE Release 3.2.0XO for Supervisor Engine 7L-E, and Cisco IOS XE Release 3.6.0 for Supervisor Engine 8-E), the globally reserved static ACL entries in the TCAM region for Layer 3 control packets are removed. The per-VLAN CTI command is not needed for, and does not apply to, Layer 3 control packets, because these packets are captured per VLAN by default.
The following still function:
– Global static capture and CTI commands for IGMP and PIM packets (both match the multicast addresses 224.0.0.1 and 224.0.0.2)
– Global and per-VLAN CTI for DHCP packets
With Cisco IOS Release 15.0(2)SG, per-VLAN capture of Layer 3 control packets is driven by the SVI configuration. Except for IGMP, PIM, and DHCP, no special configuration is required.
Enabling per-VLAN capture mode consumes additional entries in the ACL/feature TCAM. The number of available TCAM entries depends on the type of supervisor engine, and the entry and mask count further limits how much of the ACL/feature TCAM can be used.
• On Supervisor Engines IV, V, and V-10GE, a maximum of 32 action entries are supported at ingress and 64 at egress. To avoid high CPU utilization, move ACEs with a 'log' action toward the end of the ACL so that the available action indexes are used optimally for the other ACE actions.
• Certain configurations can exhaust the TCAM resource earlier in per-VLAN capture mode than in global capture mode (for example, when IP Source Guard is enabled on several interfaces or on a user-configured PACL).
You can resize the TCAM regions to make more entries available to the PortAndVlan or PortOrVlan region, depending on the configuration. This allows more entries to be programmed in hardware before the limit is reached. When TCAM resources are exhausted, packets that cannot be matched in hardware are forwarded in software by the CPU.
• In per-VLAN capture mode, you can configure ACLs to permit or deny control traffic on a VLAN or port.
Because security ACLs are terminated by an implicit deny, you must ensure that the ACLs explicitly permit the control packets that each enabled feature (protocol) needs in order to operate. This requirement is no different from the default behavior of security ACLs.
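The following configuration is an added example, not taken from the guide, that shows the implicit-deny pitfall from the last guideline together with the per-VLAN capture triggers and the placement of 'log' ACEs from the earlier guidelines. VLAN 10, the 10.1.10.0/24 subnet, interface GigabitEthernet1/1 and the ACL names are assumptions chosen for illustration.

```cisco
! Added example (not from the guide). VLAN 10, 10.1.10.0/24, Gi1/1 and the ACL
! names are assumptions chosen for illustration.
!
! --- Weak: this PACL is meant to restrict hosts, but its implicit "deny ip any any"
! also drops IGMP reports, PIM hellos and DHCP exchanges, so IGMP snooping and
! DHCP snooping on the VLAN no longer see the control packets they depend on.
ip access-list extended HOSTS-ONLY-BROKEN
 permit ip 10.1.10.0 0.0.0.255 any
!
! --- Corrected: permit the control traffic of the enabled features ahead of the
! host rules, and keep the ACE that logs at the very end so it does not consume an
! action entry before ordinary permit/deny ACEs (Supervisor Engine IV/V/V-10GE
! have only 32 ingress action entries).
ip access-list extended HOSTS-ONLY
 remark -- IGMP: queries to 224.0.0.1, v2 leaves to 224.0.0.2, v3 reports to 224.0.0.22
 permit igmp any 224.0.0.0 15.255.255.255
 remark -- PIM hellos/joins/prunes go to all-PIM-routers 224.0.0.13
 permit pim any host 224.0.0.13
 remark -- DHCP client->server (68->67) and server->client (67->68)
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 remark -- ordinary host traffic
 permit ip 10.1.10.0 0.0.0.255 any
 remark -- logged ACE last: it consumes an action entry and punts hits to the CPU
 deny ip any any log
!
! Per-VLAN capture triggers: each feature must be enabled globally and on the VLAN.
ip igmp snooping
ip igmp snooping vlan 10
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Apply the corrected ACL as a port ACL on the access port in VLAN 10.
interface GigabitEthernet1/1
 switchport access vlan 10
 ip access-group HOSTS-ONLY in
!
! Check that the ACL and capture entries fit in the ACL/feature TCAM; anything
! that cannot be programmed in hardware is forwarded in software by the CPU.
! show platform hardware acl statistics utilization brief
```

The weak and corrected ACLs differ only in the explicit permits placed before the host rule; without them the implicit deny silently breaks the features that per-VLAN capture mode was enabled for. The last ACE is the only one with a 'log' action, which follows the guideline to keep such ACEs at the end so the limited action entries are used for the other ACEs first.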