32-4
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 32 Configuring Control-Plane Security
Understanding Control-Plane Security
Because UNIs do not support STP, CDP, LLDP, LACP, and PAgP, these packets are dropped (physical policer of 26). These protocols are disabled by default on ENIs as well, but you can enable them. When enabled on ENIs, the control packets are rate limited and a rate-limiting policer is assigned to the port for these protocols (physical policer of 22).
Switch# show platform policer cpu interface fastethernet 0/3
Policers assigned for CPU protection
===================================================================
Feature Policer Physical Asic
Index Policer Num
===================================================================
Fa0/1
STP 1 26 0
LACP 2 26 0
8021X 3 26 0
RSVD_STP 4 26 0
PVST_PLUS 5 26 0
CDP 6 26 0
LLDP 7 26 0
DTP 8 26 0
UDLD 9 26 0
PAGP 10 26 0
VTP 11 26 0
CISCO_L2 12 26 0
KEEPALIVE 13 0 0
CFM 14 255 0
SWITCH_MAC 15 26 0
SWITCH_ROUTER_MAC 16 26 0
SWITCH_IGMP 17 0 0
SWITCH_L2PT 18 26 0
This example shows the policers assigned to a ENI when control protocols are enabled on the interface. A value of 22 shows that protocol packets are rate limited for that protocol. When the protocol is not enabled, the defaults are the same as for a UNI.
Switch# show platform policer cpu interface fastethernet0/23
Policers assigned for CPU protection
===================================================================
Feature Policer Physical Asic
Index Policer Num
===================================================================
Fa0/23
STP 1 26 0
LACP 2 22 0
8021X 3 26 0
RSVD_STP 4 26 0
PVST_PLUS 5 26 0
CDP 6 22 0
LLDP 7 26 0
DTP 8 26 0
UDLD 9 26 0
PAGP 10 26 0
VTP 11 26 0
CISCO_L2 12 22 0
KEEPALIVE 13 22 0
CFM 14 255 0
SWITCH_MAC 15 26 0
SWITCH_ROUTER_MAC 16 26 0
SWITCH_IGMP 17 22 0
SWITCH_L2PT 18 22 0