Cisco Catalyst 4500 Series Software Configuration Guide
62-9
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 62 Configuring Network Security with ACLs
Selecting Mode of Capturing Control Packets
• CPU spikes and connectivity loss may be observed when an ACL applied to a VLAN interface blocks HSRP management multicast traffic. If both HSRP member devices become Active as a result, the resulting high number of IPv6 Neighbor Discovery packets lifted to the CPU can cause the spike. To avoid this, ensure that the active and the standby HSRP devices can communicate, and do not block the IPv6 HSRP multicast address in the ACL.
Selecting Control Packet Capture
To select the mode of capturing control packets, perform this task:

        Command                                                   Purpose
Step 1  Switch# configure terminal                                Enters global configuration mode.
Step 2  Switch(config)# [no] access-list hardware capture mode    Selects the mode of capturing control packets.
        [vlan | global]                                           The no form of the access-list hardware capture mode
                                                                  command restores the capture mode to the default,
                                                                  which is global.
Step 3  Switch(config)# end                                       Returns to privileged EXEC (enable) mode.

This example shows how to configure a Catalyst 4500 Series Switch to capture control packets only on VLANs where features are enabled:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware capture mode vlan
Switch(config)# end
Switch#

This example shows how to configure a Catalyst 4500 Series Switch to capture control packets globally across all VLANs (using static ACL entries, the default mode):

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware capture mode global
Switch(config)# end
Switch#

When the capture mode changes from global to VLAN, the static CAM entries are invalidated. This creates a window during which control packets may pass through a Catalyst 4500 Series Switch without being intercepted to the CPU, so features that depend on seeing those packets do not act on them. The window closes when the new per-VLAN capture entries are programmed in the hardware; make the change in a maintenance window where possible.

When you configure per-VLAN capture mode, examine the show commands of the individual features to verify that each behaves as expected. In per-VLAN capture mode, the invalidated static CAM entries appear as inactive in the output of the show platform hardware acl input entries static command, and the hit count of an inactive entry stays frozen, because the entry has been invalidated and its function is now applied per VLAN where the feature is enabled. The following table lists the CamIndex entry types and the CAM regions.

CamIndex  Entry Type          Active  Hit Count  CamRegion
50        PermitSharedStp     Y       3344       ControlPktsTwo
51        PermitLoopbackTest  Y       0          ControlPktsTwo
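The guide tells you to compare the static entries before and after the mode change but leaves the comparison to the operator. The following script is an added example and is not part of the Cisco guide or of Cisco IOS; it parses two snapshots of the static entry table and reports entries that went inactive (expected after switching to per-VLAN mode), entries that are inactive but whose hit count still moved (unexpected, worth a second look), and entries that are still active but whose hit count did not change (possibly just idle, so confirm with the feature's own show commands). The two snapshots are constructed from the table in this section; the column layout of the real show platform hardware acl input entries static output is an assumption, as is the function name audit_capture_entries.

```python
import re
from dataclasses import dataclass

# Constructed snapshots modelled on the CamIndex table in this section
# (assumed column layout; real IOS output may differ and the regex below
# would then need adjusting). BEFORE is global mode, AFTER is after
# "access-list hardware capture mode vlan" was applied.
BEFORE = """\
CamIndex Entry Type          Active Hit Count CamRegion
50       PermitSharedStp     Y      3344      ControlPktsTwo
51       PermitLoopbackTest  Y      0         ControlPktsTwo
"""
AFTER = """\
CamIndex Entry Type          Active Hit Count CamRegion
50       PermitSharedStp     N      3344      ControlPktsTwo
51       PermitLoopbackTest  Y      7         ControlPktsTwo
"""

# One data row: index, entry type, Y/N active flag, hit count, CAM region.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([YN])\s+(\d+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class CamEntry:
    index: int
    entry_type: str
    active: bool
    hit_count: int
    region: str


def parse_static_entries(text):
    """Parse the table into {CamIndex: CamEntry}; header and prompt lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, etype, active, hits, region = m.groups()
        entries[int(idx)] = CamEntry(int(idx), etype, active == "Y", int(hits), region)
    return entries


def audit_capture_entries(before_text, after_text):
    """Compare two snapshots and return (inactive, counting_while_inactive, stalled).

    inactive:                 CamIndex values marked inactive in the later snapshot
                              (expected for invalidated static entries in per-VLAN mode).
    counting_while_inactive:  inactive entries whose hit count nevertheless changed;
                              the guide says that counter should stay frozen.
    stalled:                  entries still active whose hit count did not move between
                              the snapshots; they may simply see no traffic.
    """
    before = parse_static_entries(before_text)
    after = parse_static_entries(after_text)
    inactive, counting_while_inactive, stalled = [], [], []
    for idx, entry in sorted(after.items()):
        prev = before.get(idx)
        if not entry.active:
            inactive.append(idx)
            if prev is not None and prev.hit_count != entry.hit_count:
                counting_while_inactive.append(idx)
        elif prev is not None and prev.hit_count == entry.hit_count:
            stalled.append(idx)
    return inactive, counting_while_inactive, stalled


if __name__ == "__main__":
    inactive, odd, stalled = audit_capture_entries(BEFORE, AFTER)
    print("inactive (expected in per-VLAN mode):", inactive)
    print("inactive but hit count changed (check):", odd)
    print("active but hit count frozen (verify feature):", stalled)
```

Run it against saved copies of the show output taken before and after the mode change; any index in the second list, or any still-active entry in the third list for a feature that should be receiving traffic, is the cue to go to that feature's own show commands as the guide advises.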