Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
CHAPTER 29
Configuring Control-Plane Security
This chapter describes the control-plane security feature in the Cisco ME 3400 Ethernet Access switch.
In any network, Layer 2 and Layer 3 switches exchange control packets with other switches in the
network. The Cisco ME switch, which acts as the transition point between the customer network and the
service-provider network, uses control-plane security to ensure that the topology information of the
two networks stays isolated. This mechanism protects the switch against a possible denial-of-service
attack launched from another customer network.
This chapter includes these sections:
Understanding Control-Plane Security, page 29-1
Configuring Control-Plane Security, page 29-4
Monitoring Control-Plane Security, page 29-5

Understanding Control-Plane Security

The Cisco ME switch can have no more than four ports configured as network node interfaces (NNIs)
that connect to the service-provider network. The switch communicates with the rest of the network
through these ports, exchanging protocol control packets as well as regular traffic. The remainder of the
ports on the Cisco ME switch are user network interfaces (UNIs) that are used as customer-facing ports.
Each UNI is connected to a single customer, and exchanging network protocol control packets between
the switch and the customer is not usually required. To protect against accidental or intentional CPU
overload, the Cisco ME switch provides control-plane security automatically, without any configuration,
by dropping or rate-limiting a predefined set of Layer 2 control packets and some Layer 3 control packets
received on UNIs.
Control-plane security is supported on a port for Layer 2 control packets and for non-IP packets with
router MAC addresses, regardless of whether the port is in routing or nonrouting mode. (A port is in
routing mode when global IP routing is enabled and the port is either configured with the no switchport
interface configuration command or associated with a VLAN that has a switch virtual interface [SVI]
created and active.) These packets are either dropped or rate-limited, depending on the Layer 2 protocol
configuration.
For Layer 3 control packets, the behavior depends on the port mode. On a port in routing mode (whether
or not a Layer 3 service policy is attached), control-plane security supports only rate-limiting of Internet
Group Management Protocol (IGMP) control packets. On a port in nonrouting mode (whether or not a
Layer 2 service policy is attached), only IP packets with router MAC addresses are dropped.
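The following IOS configuration fragment is an added example written for this page; it is not text from
the original guide. It shows the three port situations described above (an NNI, a UNI in routing mode
through no switchport, and a UNI in nonrouting mode) so that the conditions for routing mode can be
read off the configuration. The interface names, VLAN ID and IP addresses are assumed; port-type nni and
port-type uni are the ME 3400 interface commands that designate a port as an NNI or UNI.

```text
! Global IP routing must be enabled before any port can be in routing mode
! (assumed example configuration, not from the original guide).
ip routing
!
! NNI toward the service-provider network: protocol control packets are
! exchanged normally on this port.
interface FastEthernet0/24
 port-type nni
 no switchport
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Customer-facing UNI in routing mode (ip routing + no switchport):
! Layer 2 control packets and non-IP packets to the router MAC are dropped
! or rate-limited; among Layer 3 control packets only IGMP is rate-limited.
interface FastEthernet0/1
 port-type uni
 no switchport
 ip address 198.51.100.1 255.255.255.252
 no shutdown
!
! Customer-facing UNI in nonrouting mode: Layer 2 control packets are
! dropped or rate-limited, and IP packets addressed to the router MAC are
! dropped. The port stays in nonrouting mode only while VLAN 20 has no
! active SVI.
interface FastEthernet0/2
 port-type uni
 switchport access vlan 20
 no shutdown
!
! Creating and bringing up an SVI for VLAN 20 would move FastEthernet0/2
! into routing mode (shown commented out so the fragment stays in the
! nonrouting case):
! interface Vlan20
!  ip address 203.0.113.1 255.255.255.0
!  no shutdown
```

Note that because an active SVI changes the mode of every access port in that VLAN, adding an SVI for a
customer VLAN silently switches those UNIs from the "drop IP packets to the router MAC" behavior to the
"rate-limit IGMP only" behavior; check the mode of affected ports whenever an SVI is created.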