57-18
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 57 Configuring Control Plane Policing and Layer 2 Control Packet QoS
Configuring Layer 2 Control Packet QoS
Layer 2 Control Packet QoS Configuration Examples
You can use CoPP and Layer 2 control packet QoS together to protect the CPU against DoS attacks: the per-port per-VLAN policers bound how many BPDUs any single ingress point can send toward the CPU, and CoPP bounds the aggregate from all ports. In the following example, BPDUs arriving on interface gi3/1 in VLAN 1 and in VLAN 2 are limited to 32 Kbps and 34 Kbps, respectively (the 1000 in police 32k 1000 is the burst size in bytes). Aggregate BPDU traffic to the CPU is then further rate-limited to 50 Kbps using CoPP. Set both rates well above the legitimate BPDU load: a policer that drops legitimate BPDUs starves spanning tree of hellos and can itself trigger topology changes.
Switch(config)# qos control-packets
Switch(config)# policy-map police_bpdu_1
Switch(config-pmap)# class system-control-packet-bpdu-range
Switch(config-pmap-c)# police 32k 1000
Switch(config-pmap-c-police)# exit
Switch(config-pmap-c)# exit
Switch(config-pmap)# policy-map police_bpdu_2
Switch(config-pmap)# class system-control-packet-bpdu-range
Switch(config-pmap-c)# police 34k
Switch(config-pmap-c-police)# exit
Switch(config)# interface gi3/1
Switch(config-if)# vlan-range 1
Switch(config-if-vlan-range)# service-policy in police_bpdu_1
Switch(config-if-vlan-range)# exit
Switch(config-if)# vlan-range 2
Switch(config-if-vlan-range)# service-policy in police_bpdu_2
Switch(config-if-vlan-range)# exit
Switch(config-if)# exit
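The CoPP half of the combined design, as an added example that is not part of the original guide: after the per-port per-VLAN policers cap BPDUs per ingress point, a single CoPP policer caps the aggregate BPDU rate punted to the CPU at 50 Kbps. It assumes that macro global apply system-cpp generates the CoPP class system-cpp-bpdu-range and the policy map system-cpp-policy and attaches that policy map to the control plane, as the macro does on this platform; confirm the generated names on your switch with show class-map and show policy-map control-plane before relying on them.

```cisco
! Added example, not from the original guide. Assumed (verify on your switch):
! "macro global apply system-cpp" creates class-map system-cpp-bpdu-range and
! policy-map system-cpp-policy and attaches the policy map to the control plane.
Switch(config)# macro global apply system-cpp
Switch(config)# policy-map system-cpp-policy
Switch(config-pmap)# class system-cpp-bpdu-range
Switch(config-pmap-c)# police 50k
Switch(config-pmap-c-police)# conform-action transmit
Switch(config-pmap-c-police)# exceed-action drop
Switch(config-pmap-c-police)# exit
Switch(config-pmap-c)# exit
Switch(config-pmap)# end

! Verification: the control-plane policy must list the bpdu-range class with
! the 50k policer, and the per-port policies must show on the interface.
! Under normal STP load the exceeded counters should stay at zero; a climbing
! exceeded counter on one port with a flat control-plane counter means the
! port policer absorbed the flood before it reached the aggregate limit.
Switch# show policy-map control-plane
Switch# show policy-map interface gi3/1
```

The order matters for diagnosis: with both layers in place, a BPDU flood on one port is dropped by that port's 32 Kbps policer and never consumes the 50 Kbps CoPP budget shared by every other port, so the counters on the two show commands tell you where the excess was absorbed.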
Table 57-2 Packet Types and Auto-Generated MACL/Class Maps

Packet Type        Auto-Generated MACL/Class Map
CDP-VTP            mac access-list extended system-control-packet-cdp-vtp
                   permit any host 0100.0ccc.cccc
                   class-map match-any system-control-packet-cdp-vtp
                   match access-group name system-control-packet-cdp-vtp
EAPOL              mac access-list extended system-control-packet-eapol
                   permit any any 0x888E
                   class-map match-any system-control-packet-eapol
                   match access-group name system-control-packet-eapol
LLDP               mac access-list extended system-control-packet-lldp
                   permit any host 0180.c200.000e
                   class-map match-any system-control-packet-lldp
                   match access-group name system-control-packet-lldp
Protocol tunnel    mac access-list extended system-control-packet-protocol-tunnel
                   permit any host 0100.0ccd.cdd0
                   class-map match-any system-control-packet-protocol-tunnel
                   match access-group name system-control-packet-protocol-tunnel