
Cisco Catalyst 4500 Series - Configuring Layer 2 Control Packet QoS

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 57 Configuring Control Plane Policing and Layer 2 Control Packet QoS
Configuring Layer 2 Control Packet QoS
Layer 2 control packet QoS enables you to police control packets arriving on a physical port or LAN.
This section includes these topics:
Understanding Layer 2 Control Packet QoS
Default Configuration
Enabling Layer 2 Control Packet QoS
Disabling Layer 2 Control Packet QoS
Layer 2 Control Packet QoS Configuration Examples
Layer 2 Control Packet QoS Guidelines and Restrictions
Understanding Layer 2 Control Packet QoS
You might want to police incoming Layer 2 control packets such as STP, CDP, VTP, SSTP, BPDU,
EAPOL and LLDP on a specific port before the packets reach the CPU. This could serve as a first line of
defense before aggregate traffic is subjected to policing (through CoPP). By default, policers cannot be
applied to Layer 2 control packets in the input direction. This prevents users from inadvertently policing
or dropping critical Layer 2 control packets.
While this approach protects a user who is wrongly policing control packets, it introduces a more serious
problem. If a flood of Layer 2 control packets is received on any of the switch interfaces at a very high
rate due to a DoS attack or to a loop introduced in the customer network because of misconfiguration,
CPU utilization can increase quickly. This can have adverse impacts such as loss of protocol keep-alives
and routing protocol updates. The Layer 2 control packet QoS feature allows you to police Layer 2
control packets at the port, VLAN, or port-VLAN level in the input direction.
Default Configuration
Layer 2 control packet QoS is disabled by default.
Enabling Layer 2 Control Packet QoS
To enable Layer 2 control packet QoS, perform this task:

        Command                                         Purpose
Step 1  Switch# config terminal                         Enters configuration mode.
Step 2  Switch(config)# [no] qos control-packets        Enables QoS on all or a specific packet type.
        [bpdu-range | cdp-vtp | eapol | sstp |          Use the no keyword to disable QoS on all or a
        protocol-tunnel | lldp]                         specific packet type.
Step 3  Switch(config)# end                             Exits configuration mode.
Step 4  Switch# show run | inc qos control-packets      Verifies the configuration.

Table 57-1 lists the types of packets impacted by this feature.
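The verification in Step 4 can be turned into a coverage check across saved configurations. The following is an added example, not part of the Cisco guide: the function name is hypothetical, the sample text is constructed, and it assumes the running configuration shows the command in the same form as it is entered in Step 2.

```python
import re

# Packet-type keywords from Step 2 of the procedure above.
PACKET_TYPES = ("bpdu-range", "cdp-vtp", "eapol", "sstp", "protocol-tunnel", "lldp")

# Matches "[no] qos control-packets [keyword]" on a line of its own.
_LINE = re.compile(r"^\s*(no\s+)?qos control-packets(?:\s+(\S+))?\s*$")

def audit_control_packet_qos(config_text):
    """Return (enabled, missing) packet types from 'qos control-packets' lines.

    Lines are applied in order: the bare command covers every type, a keyword
    covers one type, and the 'no' form removes coverage (hypothetical helper).
    """
    enabled = set()
    for line in config_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # unrelated configuration line
        negate, keyword = m.group(1), m.group(2)
        if keyword is not None and keyword not in PACKET_TYPES:
            raise ValueError(f"unknown packet type: {keyword!r}")
        targets = set(PACKET_TYPES) if keyword is None else {keyword}
        if negate:
            enabled -= targets
        else:
            enabled |= targets
    missing = [t for t in PACKET_TYPES if t not in enabled]
    return sorted(enabled), missing

# Constructed sample of 'show run | inc qos control-packets' output
# (not captured from a real switch).
SAMPLE = """\
qos control-packets bpdu-range
qos control-packets cdp-vtp
qos control-packets lldp
"""

if __name__ == "__main__":
    enabled, missing = audit_control_packet_qos(SAMPLE)
    print("policing enabled for:", ", ".join(enabled) or "none")
    print("not enabled for:     ", ", ".join(missing) or "none")
```

An empty result from Step 4 corresponds to the default state, in which the feature is disabled for every packet type.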
