Cisco Systems ME 3400

32-2

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

OL-9639-06

Chapter 32 Configuring Control-Plane Security

Understanding Control-Plane Security

Layer 3 control packets, on a port in routing mode (whether or not a Layer 3 service policy is attached),

control-plane security supports rate-limiting only Internet Group Management Protocol (IGMP) control

packets. For Layer 3 packets, on a port in nonrouting mode (whether or not a Layer 2 service policy is

attached), only IP packets with router MAC addresses are dropped.

These types of control packets are dropped or rate-limited:

• Layer 2 protocol control packets:

–

Control packets that are always dropped on UNIs and ENIs, such as Dynamic Trunking Protocol

(DTP) packets and some bridge protocol data units (BPDUs).

–

Control packets that are dropped by default but can be enabled or tunneled, such as CDP, STP,

LLDP, VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) Protocol,

LACP, and PAgP packets. When enabled, these protocol packets are rate-limited and tunneled

through the switch.

–

Control or management packets that are required by the switch, such as keepalive packets.

These control packets are processed by the CPU but are rate-limited to normal and safe limits

to prevent CPU overload.

• Non-IP packets with router MAC addresses

• IP packets with router MAC addresses

• IGMP control packets that are enabled by default and need to be rate-limited. However, when IGMP

snooping and IP multicast routing are disabled, the packets are treated like data packets, and no

policers are assigned to them.

The switch uses policing to accomplish control-plane security by either dropping or rate-limiting

Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI or ENI port or tunneled on the switch,

those protocol packets are rate-limited; otherwise control packets are dropped.

By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 32-1 shows the

default action and the action taken for Layer 2 protocol packets when the feature is enabled or when

Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on

UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled

for any of the supported protocols (CDP, STP, VTP, LLDP, LACP, PAgP, or UDLD), the switch Layer 2

protocol tunneling protocol uses the rate-limiting policer on every port. If UDLD is enabled on a port or

UDLD tunneling is enabled, UDLD packets are rate-limited.

Tab le 32-1 Control-Plane Security Actions on Layer 2 Protocol Packets Received on a UNI or ENI

Protocol Default When Feature Is Enabled

When Layer 2

Protocol Tunneling

Is Enabled 1

STP Dropped Rate limited

Note STP can be enabled only on ENIs.

Rate-limited

RSVD_STP (reserved IEEE

802.1D addresses) Dropped When the Ethernet Link Management Interface

(ELMI) is enabled, globally or on a per-port basis

whichever is configured last, a throttle policer is

assigned to a port. When ELMI is disabled (globally or

on a port, whichever is configured last), a drop policer

is assigned to a port.

PVST+ Dropped –Rate limited