Cisco ME 3400 User Manual

1138 pages
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-07
Chapter 32 Configuring Control-Plane Security
Understanding Control-Plane Security
Note When CPU is turned off, protocol packets can reach the CPU, which could cause CPU processing
overload and storm control through software.
Control-plane security is supported on a port for Layer 2 control packets and non-IP packets with router
MAC addresses, regardless of whether the port is in routing or nonrouting mode. (A port is in routing
mode when global IP routing is enabled and the port is configured with the no switchport interface
configuration command or is associated with a VLAN that has an active switch virtual interface [SVI].)
These packets are either dropped or rate-limited, depending upon the Layer 2 protocol configuration. For
Layer 3 control packets, on a port in routing mode (whether or not a Layer 3 service policy is attached),
control-plane security supports rate-limiting only Internet Group Management Protocol (IGMP) control
packets. For Layer 3 packets, on a port in nonrouting mode (whether or not a Layer 2 service policy is
attached), only IP packets with router MAC addresses are dropped.
These types of control packets are dropped or rate-limited:
• Layer 2 protocol control packets:
  – Control packets that are always dropped on UNIs and ENIs, such as Dynamic Trunking Protocol
    (DTP) packets and some bridge protocol data units (BPDUs).
  – Control packets that are dropped by default but can be enabled or tunneled, such as CDP, STP,
    LLDP, VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) Protocol,
    LACP, and PAgP packets. When enabled, these protocol packets are rate-limited and tunneled
    through the switch.
  – Control or management packets that are required by the switch, such as keepalive packets.
    These control packets are processed by the CPU but are rate-limited to normal and safe limits
    to prevent CPU overload.
• Non-IP packets with router MAC addresses
• IP packets with router MAC addresses
• IGMP control packets that are enabled by default and need to be rate-limited. However, when IGMP
snooping and IP multicast routing are disabled, the packets are treated like data packets, and no
policers are assigned to them.
The switch uses policing to accomplish control-plane security by either dropping or rate-limiting
Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI or ENI port or tunneled on the switch,
those protocol packets are rate-limited; otherwise control packets are dropped.
By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 32-1 shows the
default action and the action taken for Layer 2 protocol packets when the feature is enabled or when
Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on
UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled
for any of the supported protocols (CDP, STP, VTP, LLDP, LACP, PAgP, or UDLD), the switch Layer 2
protocol tunneling protocol uses the rate-limiting policer on every port. If UDLD is enabled on a port or
UDLD tunneling is enabled, UDLD packets are rate-limited.
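
The drop/rate-limit rules above can be modeled as a small decision function and used to review which control protocols a UNI or ENI accepts. This is an added example, not part of the Cisco guide; the PortState class, its default values, the function names and the "KEEPALIVE" label are hypothetical, and Table 32-1's per-protocol exceptions are not modeled.

```python
from dataclasses import dataclass, field

# Protocol groups as listed in the section above ("some BPDUs" are not named there).
ALWAYS_DROPPED = {"DTP"}
CONFIGURABLE = {"CDP", "STP", "LLDP", "VTP", "UDLD", "LACP", "PAgP"}
REQUIRED_BY_SWITCH = {"KEEPALIVE"}


@dataclass
class PortState:
    """Hypothetical snapshot of one UNI/ENI plus switch-wide settings (constructed defaults)."""
    enabled_on_port: set = field(default_factory=set)
    tunneled_on_switch: set = field(default_factory=set)
    igmp_snooping: bool = True
    ip_multicast_routing: bool = False


def control_plane_action(proto: str, st: PortState) -> str:
    """Return 'drop', 'rate-limit' or 'data' for one control protocol."""
    if proto in ALWAYS_DROPPED:
        return "drop"                      # always dropped on UNIs and ENIs
    if proto in REQUIRED_BY_SWITCH:
        return "rate-limit"                # processed by the CPU, but policed
    if proto in CONFIGURABLE:
        active = proto in st.enabled_on_port or proto in st.tunneled_on_switch
        return "rate-limit" if active else "drop"
    if proto == "IGMP":
        # With snooping and multicast routing both off, IGMP gets no policer.
        return "rate-limit" if (st.igmp_snooping or st.ip_multicast_routing) else "data"
    raise ValueError(f"protocol not covered by this section: {proto}")


def unexpected_policed(st: PortState, intended: set) -> list:
    """Protocols the port accepts (rate-limited, not dropped) outside the intended set."""
    known = ALWAYS_DROPPED | CONFIGURABLE | REQUIRED_BY_SWITCH | {"IGMP"}
    accepted = {p for p in known if control_plane_action(p, st) == "rate-limit"}
    return sorted(accepted - intended)


if __name__ == "__main__":
    # Constructed port: CDP enabled locally, STP tunneled switch-wide.
    port = PortState(enabled_on_port={"CDP"}, tunneled_on_switch={"STP"})
    for p in ("DTP", "CDP", "STP", "LLDP", "KEEPALIVE", "IGMP"):
        print(f"{p:10s} {control_plane_action(p, port)}")
    print("review:", unexpected_policed(port, intended={"KEEPALIVE", "IGMP"}))
```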

Cisco ME 3400 Specifications

General
Category: Switch
Rack Mountable: Yes
Jumbo Frame Support: Yes
Authentication Method: RADIUS, TACACS+
RAM: 128 MB
Flash Memory: 32 MB
Power Device: Internal power supply
Model: ME 3400
Layer: Layer 2
MAC Address Table Size: 8000 entries
Remote Management Protocol: SNMP, Telnet, SSH, HTTP, HTTPS
Features: VLAN support, IGMP snooping, Quality of Service (QoS)
Compliant Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.1D, IEEE 802.1Q, IEEE 802.3ab, IEEE 802.3x
Memory: 128 MB
Power Supply: AC 120/230 V (50/60 Hz)
Dimensions (H x W x D): 4.4 cm x 44.5 cm x 24.2 cm
Routing Protocol: Static routing
