umedryk Mon, 12/17/2007 - 14:47

The Catalyst 4500 Series implements counters per MAC Access Control Entry (ACE). Please note that the configuration required to mitigate the Cisco Catalyst 6000 and 6500 series and Cisco 7600 Series MPLS packet vulnerability would block loopback frames (EtherType 0x9000). There is no operational impact for the Catalyst 4500 Series to drop loopback frames of external stations. Due to the dropping of loopback frames, the show access-lists privileged EXEC mode command will constantly increment the number of matched frames. The default in Cisco IOS devices is to send a loopback frame every 10 seconds (keepalive interface configuration command).

Cat4500#show access-lists

Extended MAC access list ACL-Deny-Non-IP

deny any any (1151 matches)

Extended MAC access list ACL-Match-Non-IP

permit any any (820 matches)

In the example output, 1151 frames were dropped by the MAC ACL used by the example PACL and 820 frames were dropped by the sample VLAN map configuration.
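As an added example (not part of the original post and not Cisco code), the following parses two `show access-lists` snapshots and checks whether the growth of each MAC ACE counter fits the 10-second loopback keepalive described above. The second snapshot, the 60-second gap, the two keepalive-sending neighbor ports and the slack threshold are constructed assumptions.

```python
import re

# Constructed snapshots: T0 reuses the post's counters, T1 is invented (60 s later).
SNAP_T0 = """Extended MAC access list ACL-Deny-Non-IP
    deny any any (1151 matches)
Extended MAC access list ACL-Match-Non-IP
    permit any any (820 matches)
"""
SNAP_T1 = """Extended MAC access list ACL-Deny-Non-IP
    deny any any (1163 matches)
Extended MAC access list ACL-Match-Non-IP
    permit any any (1420 matches)
"""

ACL_RE = re.compile(r"Extended MAC access list (\S+)$")
ACE_RE = re.compile(r"((?:permit|deny)\s.+?)(?:\s+\((\d+) match(?:es)?\))?$")

def parse_mac_acl_counters(text):
    """Return {(acl_name, ace_text): matches}; an ACE printed without a count is 0."""
    counters, acl = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m and acl:
            counters[(acl, m.group(1))] = int(m.group(2) or 0)
    return counters

def classify_deltas(before, after, elapsed_s, sending_ports, keepalive_s=10):
    """Label each ACE's growth as keepalive baseline, worth investigating, or reset.

    Assumption: each of `sending_ports` neighbors sends one loopback frame per
    keepalive interval; one extra frame per port is tolerated for timing skew.
    """
    ceiling = sending_ports * (elapsed_s // keepalive_s) + sending_ports
    report = {}
    for key, new in after.items():
        old = before.get(key, 0)
        if new < old:  # counters were cleared or the switch reloaded
            report[key] = ("reset", new)
        else:
            delta = new - old
            report[key] = ("baseline" if delta <= ceiling else "investigate", delta)
    return report
```
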

