Catalyst 6500和Cisco系列环回地址漏洞

ip access-list extended block_loopback
  deny   ip any 127.0.0.0 0.255.255.255 
  permit ip any any

interface Vlan x
ip access-group block_loopback in

* 应用以下控制面整型（CoPP）：

!-- Permit all traffic with a destination IP
!-- addresses in the 127.0.0.0/8 address range sent to
!-- the affected device so that it will be policed and
!-- dropped by the CoPP feature
!

access-list 111 permit icmp any 127.0.0.0 0.255.255.255
access-list 111 permit udp any 127.0.0.0 0.255.255.255
access-list 111 permit tcp any 127.0.0.0 0.255.255.255
access-list 111 permit ip any 127.0.0.0 0.255.255.255

!
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3
!-- and Layer4 traffic in accordance with existing security
!-- policies and configurations for traffic that is authorized
!-- to be sent to infrastructure devices
!
!-- Create a Class-Map for traffic to be policed by the
!-- CoPP feature
!

class-map match-all drop-127/8-netblock-class
  match access-group 111

!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!

policy-map drop-127/8-netblock-traffic
  class drop-127/8-netblock-class
    police 32000 1500 1500 conform-action drop exceed-action drop

!
!-- Apply the Policy-Map to the Control-Plane of the
!-- device
!

control-plane
  service-policy input drop-127/8-netblock-traffic

!