Cisco ME 3400 User Manual

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-07

Chapter 32
Configuring Control-Plane Security
This chapter describes the control-plane security feature in the Cisco ME 3400 Ethernet Access switch.
In any network, Layer 2 and Layer 3 switches exchange control packets with other switches in the
network. The Cisco ME switch, which acts as a transition between the customer network and the
service-provider network, uses control-plane security to ensure that the topology information between
the two networks is isolated. This mechanism protects against a possible denial-of-service attack from
another customer network.
• Understanding Control-Plane Security
• Configuring Control-Plane Security
• Monitoring Control-Plane Security
Understanding Control-Plane Security
In the Cisco ME switch, ports configured as network node interfaces (NNIs) connect to the
service-provider network. The switch communicates with the rest of the network through these ports,
exchanging protocol control packets as well as regular traffic. Other ports on the Cisco ME switch are
user network interfaces (UNIs) that are used as customer-facing ports. Each port is connected to a single
customer, and exchanging network protocol control packets between the switch and the customer is not
usually required. Most Layer 2 protocols are not supported on UNIs. To protect against accidental or
intentional CPU overload, the Cisco ME switch provides control-plane security automatically by
dropping or rate-limiting a predefined set of Layer 2 control packets and some Layer 3 control packets
for UNIs.
You can also configure a third port type, an enhanced network interface (ENI). An ENI, like a UNI, is a
customer-facing interface. By default on an ENI, Layer 2 control protocols, such as Cisco Discovery
Protocol (CDP), Spanning-Tree Protocol (STP), and Link Layer Discovery Protocol (LLDP), are disabled.
On ENIs, unlike UNIs, you can enable these protocols. When configuring ENIs in port channels, you
can also enable Link Aggregation Control Protocol (LACP) and Port Aggregation Protocol (PAgP).
ENIs drop or rate-limit the protocol packets, depending on whether the protocol is enabled or disabled
on the interface. For all other control protocols on ENIs, the switch drops or rate-limits packets the same
way as it does for UNIs.
CPU protection, which is enabled by default, uses 19 policers per port. When it is enabled, you can
configure a maximum of 45 policers per port. If you need to configure more policers per port, you can
disable CPU protection by entering the no policer cpu uni all global configuration command and
reloading the switch. When CPU protection is disabled, you can configure a maximum of 63 policers per
port (62 on every 4th port) for user-defined classes and one for class-default.
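
The limits above can be checked against a saved configuration before deciding whether CPU protection really has to be turned off. The following is an added example, not part of the Cisco guide or Cisco software. It assumes that each user-defined class with a police action uses one policer, that class-default is not counted, and that the disable command appears verbatim in the saved configuration; the function names and sample configuration are hypothetical.

```python
import re

# Per-port policer limits quoted in the text above.
MAX_WITH_CPU_PROTECTION = 45
MAX_WITHOUT_CPU_PROTECTION = 63  # the text gives 62 on every 4th port; not modelled here

def policers_per_port(config):
    """Return {interface: number of user-defined classes with a police action}."""
    per_policy, attached = {}, {}
    policy = cls = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line closes the open block
            policy = cls = iface = None
        if m := re.match(r"policy-map (\S+)", line):
            policy = m.group(1)
            per_policy[policy] = 0
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif policy and (m := re.match(r"class (\S+)", line)):
            cls = m.group(1)
        elif policy and cls and cls != "class-default" and line.startswith("police "):
            per_policy[policy] += 1
            cls = None  # count each class once (assumption: one policer per class)
        elif iface and (m := re.match(r"service-policy input (\S+)", line)):
            attached[iface] = m.group(1)
    return {i: per_policy.get(p, 0) for i, p in attached.items()}

def audit(config):
    """Flag ports over the applicable limit and CPU protection disabled without need."""
    off = any(l.strip() == "no policer cpu uni all" for l in config.splitlines())
    limit = MAX_WITHOUT_CPU_PROTECTION if off else MAX_WITH_CPU_PROTECTION
    counts = policers_per_port(config)
    findings = [f"{i}: {n} policers exceeds limit {limit}"
                for i, n in counts.items() if n > limit]
    if off and all(n <= MAX_WITH_CPU_PROTECTION for n in counts.values()):
        findings.append("CPU protection disabled but no port needs more than 45 policers")
    return findings

def sample_config(n_classes, protection_off):
    """Constructed sample configuration (not taken from a real switch)."""
    lines = ["no policer cpu uni all"] if protection_off else []
    lines.append("policy-map CUST-IN")
    for k in range(n_classes):
        lines += [f" class c{k}", "  police 1000000"]
    lines += ["interface FastEthernet0/1", " service-policy input CUST-IN"]
    return "\n".join(lines)

if __name__ == "__main__":
    for finding in audit(sample_config(3, protection_off=True)):
        print(finding)
```

The second finding is the one worth acting on: a switch running without the automatic UNI rate-limiting although no port needs more than 45 policers.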


Cisco ME 3400 Specifications

General
Category: Switch
Rack Mountable: Yes
Jumbo Frame Support: Yes
Authentication Method: RADIUS, TACACS+
RAM: 128 MB
Flash Memory: 32 MB
Power Device: Internal power supply
Model: ME 3400
Layer: Layer 2
MAC Address Table Size: 8000 entries
Remote Management Protocol: SNMP, Telnet, SSH, HTTP, HTTPS
Features: VLAN support, IGMP snooping, Quality of Service (QoS)
Compliant Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.1D, IEEE 802.1Q, IEEE 802.3ab, IEEE 802.3x
Memory: 128 MB
Power Supply: AC 120/230 V (50/60 Hz)
Dimensions (H x W x D): 4.4 cm x 44.5 cm x 24.2 cm
Routing Protocol: Static routing
