Cisco Systems 4500 Switch User Manual
47-15
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 47 Configuring Network Security with ACLs
TCAM Programming and ACLs for Supervisor Engine II-Plus, Supervisor Engine IV, Supervisor Engine V, and
Selecting Control Packet Capture
To select the mode of capturing control packets, perform this task:

Step 1
Command: Switch# conf terminal
Purpose: Enters configuration mode.

Step 2
Command: Switch(config)# [no] access-list hardware capture mode [vlan | global]
Purpose: Selects the mode of capturing control packets.
The no form of the access-list hardware capture mode command restores the capture mode to the default, which is global.

Step 3
Command: Switch(config)# end
Purpose: Returns to enable mode.

This example shows how to configure a Catalyst 4500 series switch to capture control packets only on VLANs where features are enabled:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware capture mode vlan
Switch(config)# end
Switch#

This example shows how to configure a Catalyst 4500 series switch to capture control packets globally across all VLANs (using static ACL, the default mode):

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list hardware capture mode global
Switch(config)# end
Switch#

When the capture mode changes from global to VLAN, the static CAM entries are invalidated. This creates a window during which control packets may pass through a Catalyst 4500 series switch without being intercepted to the CPU. This temporary situation ends when the new per-VLAN capture entries are programmed in the hardware.

When you configure per-VLAN capture mode, you should examine the show commands for individual features to verify the appropriate behavior. In per-VLAN capture mode, the invalidated static CAM entries appear as inactive in the output of the show platform hardware acl input entries static command. For example, the hit count for inactive entries remains frozen because those entries are invalidated and applied per-VLAN where the feature is enabled. The following table lists the CamIndex entry types and the CAM regions.

CamIndex  Entry Type             Active  Hit Count  CamRegion
50        PermitSharedStp        Y       3344       ControlPktsTwo
51        PermitLoopbackTest     Y       0          ControlPktsTwo
52        PermitProtTunnel       Y       0          ControlPktsTwo
53        CaptureCgmp            N       440        ControlPktsTwo
55        CaptureIgmp            N       0          ControlPktsTwo
0         IgmpPimv1ToCpu         N       N/A        0 (estimate)
0         IgmpGeneralQueryToCpu  N       N/A        0 (estimate)
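The guide tells you to verify per-VLAN capture mode by looking for inactive entries with frozen hit counts in the show platform hardware acl input entries static output. The following Python script is an added example (not Cisco code and not part of the guide) that automates that check: it parses the static-entry table, lists the Capture* entries flagged inactive, summarises whether the capture entries are all inactive (what the guide describes for per-VLAN mode), all active (global mode) or mixed, and compares two snapshots to confirm that inactive entries really are frozen. The sample table is constructed from the rows shown on this page; the regex assumes the columns are whitespace-separated in the same order (CamIndex, Entry Type, Active, Hit Count, CamRegion), which is an assumption about real switch output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the 'show platform hardware acl input entries
# static' table reproduced in the guide. Values are taken from the page; real
# switch output may be spaced differently, so the parser keys on
# whitespace-separated fields rather than fixed column positions.
SAMPLE_OUTPUT = """\
CamIndex  Entry Type          Active  Hit Count  CamRegion
50        PermitSharedStp     Y       3344       ControlPktsTwo
51        PermitLoopbackTest  Y       0          ControlPktsTwo
52        PermitProtTunnel    Y       0          ControlPktsTwo
53        CaptureCgmp         N       440        ControlPktsTwo
55        CaptureIgmp         N       0          ControlPktsTwo
"""

# One data row: CamIndex, entry type, Active flag, hit count (or N/A), CAM region.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([YN])\s+(\d+|N/A)\s+(\S+)")


def parse_static_entries(text: str) -> List[Dict]:
    """Parse the table into dicts; the header and any non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, etype, active, hits, region = m.groups()
        entries.append({
            "index": int(idx),
            "type": etype,
            "active": active == "Y",
            "hits": None if hits == "N/A" else int(hits),
            "region": region,
        })
    return entries


def inactive_capture_entries(entries: List[Dict]) -> List[int]:
    """CamIndex values of Capture* entries flagged inactive.

    Per the guide, these are the static entries invalidated by per-VLAN
    capture mode; their hit counts stay frozen."""
    return [e["index"] for e in entries
            if e["type"].startswith("Capture") and not e["active"]]


def capture_entry_state(entries: List[Dict]) -> str:
    """Summarise the Active flags of the Capture* rows.

    'all-inactive' matches the guide's description of per-VLAN mode and
    'all-active' matches global (default) mode. 'mixed' is worth re-checking
    once the per-VLAN entries have finished programming (assumption: a mixed
    result most likely reflects the reprogramming window the guide warns about)."""
    flags = [e["active"] for e in entries if e["type"].startswith("Capture")]
    if not flags:
        return "none"
    if not any(flags):
        return "all-inactive"
    if all(flags):
        return "all-active"
    return "mixed"


def changed_hit_counts(before: List[Dict], after: List[Dict]) -> Dict[int, Tuple[int, int]]:
    """Return {CamIndex: (old, new)} for entries whose hit count moved between
    two snapshots. Inactive (invalidated) entries should never appear here,
    because the guide states their counters remain frozen."""
    prev = {e["index"]: e["hits"] for e in before}
    moved = {}
    for e in after:
        old = prev.get(e["index"])
        if old is not None and e["hits"] is not None and old != e["hits"]:
            moved[e["index"]] = (old, e["hits"])
    return moved


if __name__ == "__main__":
    rows = parse_static_entries(SAMPLE_OUTPUT)
    print("capture entry state:", capture_entry_state(rows))
    print("inactive capture CamIndex values:", inactive_capture_entries(rows))
```

In practice you would paste two captures of the show command taken a minute apart into parse_static_entries and feed them to changed_hit_counts: movement on an entry that is reported inactive contradicts the frozen-counter behaviour the guide describes and merits a closer look at the per-feature show commands.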