Chapter 51
Configuring Network Security with ACLs
This example shows how to configure a Catalyst 4500 series switch to capture control packets only on
VLANs where features are enabled:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware capture mode vlan
Switch(config)# end
Switch#
This example shows how to configure a Catalyst 4500 series switch to capture control packets globally
across all VLANs (using static ACL, the default mode):
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware capture mode global
Switch(config)# end
Switch#
When the capture mode changes from global to VLAN, the static CAM entries are invalidated. This
creates a window during which control packets may pass through a Catalyst 4500 series switch without
being intercepted to the CPU. The window closes once the new per-VLAN capture entries have been
programmed in the hardware. Plan the change for a maintenance window, because any feature that relies
on CPU interception of control packets can miss packets until the per-VLAN entries are in place.
When you configure per-VLAN capture mode, check the show commands of the individual features to
verify that each one behaves as expected. In per-VLAN capture mode, the invalidated static CAM entries
appear as inactive in the output of the show platform hardware acl input entries static command, and
their hit counts stay frozen: those static entries no longer match traffic, because capture is now
applied per VLAN, only where the feature is enabled. The following table lists the CamIndex entry types
and the CAM regions.
CamIndex  Entry Type                      Active  Hit Count  CamRegion
50        PermitSharedStp                 Y       3344       ControlPktsTwo
51        PermitLoopbackTest              Y       0          ControlPktsTwo
52        PermitProtTunnel                Y       0          ControlPktsTwo
53        CaptureCgmp                     N       440        ControlPktsTwo
55        CaptureIgmp                     N       0          ControlPktsTwo
0         IgmpPimv1ToCpu                  N       N/A        0 (estimate)
0         IgmpGeneralQueryToCpu           N       N/A        0 (estimate)
2         IgmpToCpu                       N       N/A        0 (estimate)
3         IgmpPimv2ToCpu                  N       N/A        0 (estimate)
2048      Ipv6MldGeneralQueryCopyToCpu    N       N/A        0 (estimate)
2050      Ipv6MldGeneralQueryCopyToCpu    N       N/A        0 (estimate)
2052      Ipv6MldQueryOrReportV1ToCpu     N       N/A        0 (estimate)
2054      Ipv6MldQueryOrReportV1ToCpu     N       N/A        0 (estimate)
2056      Ipv6MldReportV2ToCpu            N       N/A        0 (estimate)
2058      Ipv6MldReportV2ToCpu            N       N/A        0 (estimate)
2060      Ipv6MldDoneToCpu                N       N/A        0 (estimate)
2064      Ipv6MldPimv2ToCpu               N       N/A        0 (estimate)

Selecting Mode of Capturing Control Packets
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG    OL-25340-01    51-9
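As an added example, not code from the Cisco guide, the following Python script applies the check described above for the mode-change window and for per-VLAN capture mode: it parses two dumps of show platform hardware acl input entries static taken some time apart after the change, and classifies each static entry. Entries the mode change invalidated should show Active=N with a hit count that does not move between the dumps, while entries that remain active keep counting. The first snapshot is constructed from the table in this section; the second is a constructed later dump in which the PermitSharedStp counter has advanced and, to show the check flagging a deviation from the documented behaviour, the CaptureIgmp counter has moved as well. The column layout and the regular expression that matches it are assumptions about how the switch prints the table; CamIndex values repeat, so entries are keyed by (CamIndex, Entry Type).

```python
"""Check per-VLAN capture mode on a Catalyst 4500 from two dumps of
'show platform hardware acl input entries static'.

Added example for this section; not code from the Cisco guide.
SNAPSHOT_1 is constructed from the table in the guide; SNAPSHOT_2 is a
constructed later dump with some hit counts moved.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed row layout: CamIndex, Entry Type, Active, Hit Count, CamRegion.
# Header and separator lines do not start with a number and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<entry>\S+)\s+(?P<active>[YN])\s+"
    r"(?P<hits>N/A|\d+)\s+(?P<region>.+?)\s*$"
)

Key = Tuple[int, str]  # (CamIndex, Entry Type); CamIndex alone is not unique


@dataclass(frozen=True)
class CamEntry:
    index: int
    entry: str
    active: bool
    hits: Optional[int]  # None where the switch prints N/A
    region: str


def parse_static_entries(text: str) -> List[CamEntry]:
    """Parse the static-region table into CamEntry records."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        hits = None if m["hits"] == "N/A" else int(m["hits"])
        out.append(CamEntry(int(m["index"]), m["entry"], m["active"] == "Y", hits, m["region"]))
    return out


def verify_per_vlan_mode(before: str, after: str) -> Dict[str, List[Key]]:
    """Classify static entries after the switch to per-VLAN capture mode.

    The guide says invalidated static entries show Active=N with a frozen
    hit count. 'inactive_counting' lists inactive entries whose counter
    still moved between the two dumps; that contradicts the documented
    behaviour and deserves a closer look with the feature's own show commands.
    Entries printing N/A have no counter and are treated as frozen.
    """
    prev = {(e.index, e.entry): e for e in parse_static_entries(before)}
    result: Dict[str, List[Key]] = {"active": [], "inactive_frozen": [], "inactive_counting": []}
    for e in parse_static_entries(after):
        key = (e.index, e.entry)
        if e.active:
            result["active"].append(key)
            continue
        old = prev.get(key)
        moved = old is not None and old.hits is not None and e.hits is not None and e.hits != old.hits
        result["inactive_counting" if moved else "inactive_frozen"].append(key)
    return result


# Constructed from the table in this section of the guide.
SNAPSHOT_1 = """\
CamIndex Entry Type                     Active Hit Count CamRegion
50       PermitSharedStp                Y      3344      ControlPktsTwo
51       PermitLoopbackTest             Y      0         ControlPktsTwo
52       PermitProtTunnel               Y      0         ControlPktsTwo
53       CaptureCgmp                    N      440       ControlPktsTwo
55       CaptureIgmp                    N      0         ControlPktsTwo
0        IgmpPimv1ToCpu                 N      N/A       0 (estimate)
0        IgmpGeneralQueryToCpu          N      N/A       0 (estimate)
2        IgmpToCpu                      N      N/A       0 (estimate)
3        IgmpPimv2ToCpu                 N      N/A       0 (estimate)
2048     Ipv6MldGeneralQueryCopyToCpu   N      N/A       0 (estimate)
2050     Ipv6MldGeneralQueryCopyToCpu   N      N/A       0 (estimate)
2052     Ipv6MldQueryOrReportV1ToCpu    N      N/A       0 (estimate)
2054     Ipv6MldQueryOrReportV1ToCpu    N      N/A       0 (estimate)
2056     Ipv6MldReportV2ToCpu           N      N/A       0 (estimate)
2058     Ipv6MldReportV2ToCpu           N      N/A       0 (estimate)
2060     Ipv6MldDoneToCpu               N      N/A       0 (estimate)
2064     Ipv6MldPimv2ToCpu              N      N/A       0 (estimate)
"""


def with_hits(text: str, entry: str, hits: int) -> str:
    """Return a copy of a dump with one entry's numeric hit count rewritten."""
    return re.sub(rf"^(\s*\d+\s+{re.escape(entry)}\s+[YN]\s+)\d+", rf"\g<1>{hits}", text, flags=re.M)


# Constructed later dump: the active STP entry kept counting (expected); the
# inactive CaptureIgmp entry also moved, which the check should flag.
SNAPSHOT_2 = with_hits(with_hits(SNAPSHOT_1, "PermitSharedStp", 3401), "CaptureIgmp", 12)


if __name__ == "__main__":
    for bucket, keys in verify_per_vlan_mode(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{bucket}: {len(keys)} entries")
        for index, entry in keys:
            print(f"  {index:>5} {entry}")
```

In practice, capture the two dumps a few minutes apart after the mode change, once the feature show commands confirm the per-VLAN entries are installed; an inactive entry that is still counting, or an expected capture entry missing from the table, is the cue to re-check the feature on the affected VLANs.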