32-2
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-07
Chapter 32 Configuring Control-Plane Security
Understanding Control-Plane Security
Note When CPU is turned off, protocol packets can reach the CPU, which could cause CPU processing
overload and storm control through software.
Control-plane security is supported on a port for Layer 2 control packets and non-IP packets with router
MAC addresses, regardless of whether the port is in routing or nonrouting mode. (A port is in routing
mode when global IP routing is enabled and the port is configured with the no switchport interface
configuration command or is associated with a VLAN that has an active switch virtual interface [SVI].)
These packets are either dropped or rate-limited, depending upon the Layer 2 protocol configuration. For
Layer 3 control packets, on a port in routing mode (whether or not a Layer 3 service policy is attached),
control-plane security supports rate-limiting only Internet Group Management Protocol (IGMP) control
packets. For Layer 3 packets, on a port in nonrouting mode (whether or not a Layer 2 service policy is
attached), only IP packets with router MAC addresses are dropped.
These types of control packets are dropped or rate-limited:
• Layer 2 protocol control packets:
–
Control packets that are always dropped on UNIs and ENIs, such as Dynamic Trunking Protocol
(DTP) packets and some bridge protocol data units (BPDUs).
–
Control packets that are dropped by default but can be enabled or tunneled, such as CDP, STP,
LLDP, VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) Protocol,
LACP, and PAgP packets. When enabled, these protocol packets are rate-limited and tunneled
through the switch.
–
Control or management packets that are required by the switch, such as keepalive packets.
These control packets are processed by the CPU but are rate-limited to normal and safe limits
to prevent CPU overload.
• Non-IP packets with router MAC addresses
• IP packets with router MAC addresses
• IGMP control packets that are enabled by default and need to be rate-limited. However, when IGMP
snooping and IP multicast routing are disabled, the packets are treated like data packets, and no
policers are assigned to them.
The switch uses policing to accomplish control-plane security by either dropping or rate-limiting
Layer
2 control packets. If a Layer 2 protocol is enabled on a UNI or ENI port or tunneled on the switch,
those protocol packets are rate-limited; otherwise control packets are dropped.
By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 32-1 shows the
default action and the action taken for Layer 2 protocol packets when the feature is enabled or when
Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on
UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled
for any of the supported protocols (CDP, STP, VTP, LLDP, LACP, PAgP, or UDLD), the switch Layer 2
protocol tunneling protocol uses the rate-limiting policer on every port. If UDLD is enabled on a port or
UDLD tunneling is enabled, UDLD packets are rate-limited.
To Next Page
Loading...
Need help?
General
