Cisco Catalyst 4500 series Administration Manual page 1413


Chapter 54
Configuring Network Security with ACLs
Packets that match entries in partially programmed ACLs are processed in software using the CPU. This
may cause high CPU utilization and packets to be dropped. To determine whether packets are being
dropped due to high CPU utilization, reference the following:
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml
If the ACL and/or IPSG configuration is partially programmed in hardware, upgrading to
Cisco IOS Release 12.2(31)SGA or later and resizing the TCAM regions may enable the ACLs to be
fully programmed.
Note: Removal of obsolete TCAM entries can take several CPU process review cycles to complete. This
process may cause some packets to be switched in software if the TCAM entry or mask utilization is at
or near 100 percent.
Selecting Mode of Capturing Control Packets
In some deployments, you might want to bridge control packets in hardware rather than globally capture
and forward them in software (at the expense of the CPU). The per-VLAN capture mode feature allows
a Catalyst 4500 series switch to capture control packets only on selected VLANs and bridge traffic in
hardware on all other VLANs.
Because this feature controls specific control packets, they are captured only on the VLANs on which
the internal ACLs are installed. On all other VLANs, the control traffic is bridged in hardware rather
than forwarded to the CPU.
The per-VLAN capture mode allows you to apply user-defined ACLs and QoS policers (in hardware) on
control packets. You can also subject the aggregate control traffic ingressing the CPU to control plane
policing.
When you use per-VLAN capture mode, the following four protocol groups are selectable per-VLAN.
The breakdown of protocols intercepted by each group is as follows:
Protocol group: Protocols intercepted
IGMP Snooping—Cgmp, Ospf, Igmp, RipV2, Pim, 224.0.0.1, 224.0.0.2, 224.0.0.*
DHCP Snooping—Client to Server, Server to Client, Server to Server
Because some of the groups have multiple overlapping ACEs (for example, 224.0.0.* is present in all the
groups except for DHCP Snooping), turning on a certain group will also trigger the interception of some
protocols from other groups.
Following are the programming triggers for the four protocol groups per-VLAN:
Protocol group: Programming trigger
IGMP Snooping should be enabled globally on a given VLAN.
DHCP Snooping should be enabled globally on a given VLAN.
Note: When you use per-VLAN capture mode on your switch, it partially disables the global TCAM
capture entries internally and attaches feature-specific capture ACLs on those VLANs that are
enabled for snooping features. (All IP capture entries, and other non-IP entries are still captured
through global TCAM.)
OL_28731-01
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
54-7
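The effect of the overlapping ACEs described above can be made concrete with a small model of the per-VLAN capture decision. This is an added example written for this page, not Cisco code and not the switch's actual TCAM logic. It models only the two groups listed here (IGMP Snooping and DHCP Snooping); encoding the group entries as IP protocol names and UDP ports (RIPv2 as UDP/520, DHCP as UDP 67/68) is an assumption of the model; and the global TCAM capture entries that the note says remain in place are left out, so "hardware" in the output means only "not intercepted by a per-VLAN capture ACL". The example also goes one step beyond the page's text: it shows that the 224.0.0.* entry intercepts any 224.0.0.0/24 destination, for instance 224.0.0.18 (VRRP), on a VLAN where the IGMP Snooping group is installed, even though VRRP is not named in the group.

```python
"""Model of per-VLAN control-packet capture (added example, not Cisco code).

Only the two protocol groups listed on this page (IGMP Snooping and DHCP
Snooping) are modelled.  The real switch also keeps global TCAM capture
entries that are not represented here, so "hardware" below means only
"not intercepted by a per-VLAN capture ACL".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str                 # "igmp", "ospf", "pim", "udp", "tcp", "vrrp", "cgmp", ...
    dst_ip: str = "0.0.0.0"    # ignored for non-IP protocols such as CGMP
    src_port: int = 0          # only meaningful for udp/tcp
    dst_port: int = 0


@dataclass(frozen=True)
class CaptureACE:
    """One entry of a feature-specific capture ACL.  None means 'match any'."""
    name: str
    proto: Optional[str] = None
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_net is not None and (
            ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net)
        ):
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


# Capture entries per group, in the page's order.  Encoding the names as
# protocol/port matches (RIPv2 = UDP/520, DHCP = UDP 67/68, OSPF/PIM/IGMP as
# their own IP protocols) is an assumption of this model, not the switch's
# actual TCAM encoding.
GROUP_ACES: Dict[str, Sequence[CaptureACE]] = {
    "igmp-snooping": (
        CaptureACE("Cgmp", proto="cgmp"),
        CaptureACE("Ospf", proto="ospf"),
        CaptureACE("Igmp", proto="igmp"),
        CaptureACE("RipV2", proto="udp", dst_port=520),
        CaptureACE("Pim", proto="pim"),
        CaptureACE("224.0.0.1", dst_net="224.0.0.1/32"),
        CaptureACE("224.0.0.2", dst_net="224.0.0.2/32"),
        CaptureACE("224.0.0.*", dst_net="224.0.0.0/24"),   # the wildcard that overlaps
    ),
    "dhcp-snooping": (
        CaptureACE("Client to Server", proto="udp", src_port=68, dst_port=67),
        CaptureACE("Server to Client", proto="udp", src_port=67, dst_port=68),
        CaptureACE("Server to Server", proto="udp", src_port=67, dst_port=67),
    ),
}


def capturing_aces(pkt: Packet, vlan_features: Dict[int, Sequence[str]]) -> List[str]:
    """Return the per-VLAN capture entries (as 'group:entry') that intercept pkt.

    A group's capture ACL is installed on a VLAN only when that feature is
    enabled there (the programming trigger); on other VLANs nothing is installed.
    """
    hits: List[str] = []
    for feature in vlan_features.get(pkt.vlan, ()):
        for ace in GROUP_ACES[feature]:
            if ace.matches(pkt):
                hits.append(f"{feature}:{ace.name}")
    return hits


def forwarding_path(pkt: Packet, vlan_features: Dict[int, Sequence[str]]) -> str:
    """'cpu' if a per-VLAN capture entry intercepts the packet, else 'hardware'."""
    return "cpu" if capturing_aces(pkt, vlan_features) else "hardware"


if __name__ == "__main__":
    # Constructed topology: IGMP snooping on VLAN 10, DHCP snooping on VLAN 20,
    # both on VLAN 30, nothing on VLAN 40.
    features = {10: ("igmp-snooping",), 20: ("dhcp-snooping",),
                30: ("igmp-snooping", "dhcp-snooping")}
    samples = [
        Packet(10, "ospf", "224.0.0.5"),                  # OSPF hello: Ospf and 224.0.0.* both hit
        Packet(10, "vrrp", "224.0.0.18"),                 # VRRP: not named in any group, still captured
        Packet(10, "udp", "255.255.255.255", 68, 67),     # DHCP discover, no DHCP snooping on VLAN 10
        Packet(20, "udp", "255.255.255.255", 68, 67),     # same packet where DHCP snooping is on
        Packet(30, "udp", "224.0.0.9", 520, 520),         # RIPv2 update: RipV2 and 224.0.0.* both hit
        Packet(40, "igmp", "224.0.0.1"),                  # no feature on VLAN 40: bridged
    ]
    for pkt in samples:
        print(f"vlan {pkt.vlan:>2} {pkt.proto:<5} -> {pkt.dst_ip:<15} "
              f"{forwarding_path(pkt, features):<8} {capturing_aces(pkt, features)}")
```

Running the block prints one line per constructed packet showing whether a per-VLAN capture entry sends it to the CPU and which entries matched. The two-hit cases (OSPF, RIPv2) are the overlap the text refers to, and the VRRP line shows why enabling a group on a VLAN intercepts more than the protocols the group is named for.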