29-2
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 29 Configuring Control-Plane Security
Understanding Control-Plane Security
These types of control packets are dropped or rate-limited:
• Layer 2 protocol control packets:
  - Control packets that are always dropped on UNIs, such as Dynamic Trunking Protocol (DTP) packets and some bridge protocol data units (BPDUs).
  - Control packets that are dropped by default but can be enabled or tunneled, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) protocol, Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAgP) packets. When enabled, these protocol packets are rate-limited and tunneled through the switch.
  - Control or management packets that are required by the switch, such as keepalive packets. These control packets are processed by the CPU but rate-limited to normal and safe limits to prevent CPU overload.
• Non-IP packets with router MAC addresses
• IP packets with router MAC addresses
• IGMP control packets, which are enabled by default and need to be rate-limited. However, when IGMP snooping and IP multicast routing are disabled, these packets are treated like data packets, and no policers are assigned to them.
The switch uses policing to enforce control-plane security, either dropping or rate-limiting Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI port or tunneled on the switch, that protocol's packets are rate-limited; otherwise, the control packets are dropped.
By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 29-1 shows the default action and the action taken for Layer 2 protocol packets when the feature is enabled or when Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled for any of the supported protocols (CDP, STP, VTP, LACP, PAgP, or UDLD), the Layer 2 protocol tunneling feature applies the rate-limiting policer on every port. If UDLD is enabled on a port or UDLD tunneling is enabled, UDLD packets are rate-limited.
Table 29-1  CPU Protection Actions When Layer 2 Protocol Packets Are Received on a UNI

Protocol                                    Default   When Feature Is Enabled   When Layer 2 Protocol Tunneling Is Enabled (1)
------------------------------------------  --------  ------------------------  ----------------------------------------------
STP                                         Dropped   –                         Rate-limited
RSVD_STP (reserved IEEE 802.1D addresses)   Dropped
PVST+                                       Dropped   –                         Rate-limited
LACP                                        Dropped   –                         Rate-limited
PAgP                                        Dropped   –                         Rate-limited
802.1x                                      Dropped   Rate-limited              –
CDP                                         Dropped   –                         Rate-limited
DTP                                         Dropped   –
UDLD                                        Dropped   Rate-limited              Rate-limited
VTP                                         Dropped   –                         Rate-limited
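As an added illustration of the behavior described above (an example written for this page, not a configuration taken from the guide), the following IOS fragment shows a UNI in its default state, where STP, CDP, VTP, LACP, PAgP and UDLD frames arriving from the customer side are dropped before they reach the CPU, next to the same kind of port after UDLD is enabled on it and Layer 2 protocol tunneling is configured for CDP, STP and VTP. Those two changes are the only ones Table 29-1 permits on a UNI for these protocols, and they move the affected protocols from the Dropped column to the Rate-limited column. The interface names and VLAN are assumptions; the commands are standard ME 3400 IOS commands but should be checked against the command reference for the software release in use.

```cisco
! Added example, not from the guide. Interface names and VLAN are assumptions.
!
! --- Default UNI: STP, CDP, VTP, LACP, PAgP and UDLD packets received on
!     this port are dropped (Table 29-1, Default column). DTP and reserved
!     802.1D BPDUs are dropped regardless of configuration.
interface FastEthernet0/1
 port-type uni
 switchport mode access
 switchport access vlan 10
!
! --- Same type of UNI after enabling what the table allows on a UNI:
!     udld port          -> UDLD packets are rate-limited instead of dropped
!     l2protocol-tunnel  -> CDP/STP/VTP packets are rate-limited and tunneled;
!                           once any protocol is tunneled, the tunneling
!                           rate-limiting policer applies on every port.
interface FastEthernet0/2
 port-type uni
 switchport mode access
 switchport access vlan 10
 udld port
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
!
! Verification (show commands assumed to exist on this platform; confirm in
! the command reference before relying on them):
! show l2protocol-tunnel interface FastEthernet0/2
! show udld FastEthernet0/2
```

The point to check after applying such a change is the rate-limited rows rather than the dropped ones: a protocol that was silently discarded on the UNI now reaches the CPU, so its policer, not the drop rule, is what stands between an untrusted customer port and CPU overload.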