
29-2
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 29 Configuring Control-Plane Security
Understanding Control-Plane Security
These types of control packets are dropped or rate-limited:
• Layer 2 protocol control packets:
– Control packets that are always dropped on UNIs, such as Dynamic Trunking Protocol (DTP) packets and some bridge protocol data units (BPDUs).
– Control packets that are dropped by default but can be enabled or tunneled, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) protocol, Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAgP) packets. When enabled, these protocol packets are rate-limited and tunneled through the switch.
– Control or management packets that are required by the switch, such as keepalive packets. These control packets are processed by the CPU but rate-limited to normal and safe limits to prevent CPU overload.
• Non-IP packets with router MAC addresses
• IP packets with router MAC addresses
• IGMP control packets that are enabled by default and need to be rate-limited. However, when IGMP snooping and IP multicast routing are disabled, the packets are treated like data packets, and no policers are assigned to them.
The switch uses policing to accomplish control-plane security by either dropping or rate-limiting Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI port or tunneled on the switch, those protocol packets are rate-limited; otherwise control packets are dropped.

By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 29-1 shows the default action and the action taken for Layer 2 protocol packets when the feature is enabled or when Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled for any of the supported protocols (CDP, STP, VTP, LACP, PAgP, or UDLD), the switch Layer 2 protocol tunneling protocol uses the rate-limiting policer on every port. If UDLD is enabled on a port or UDLD tunneling is enabled, UDLD packets are rate-limited.
Table 29-1 CPU Protection Actions When Layer 2 Protocol Packets Are Received on a UNI

Protocol                                    Default   When Feature Is Enabled   When Layer 2 Protocol Tunneling Is Enabled (1)
STP                                         Dropped   –                         Rate-limited
RSVD_STP (reserved IEEE 802.1D addresses)   Dropped   –
PVST+                                       Dropped   –                         Rate-limited
LACP                                        Dropped   –                         Rate-limited
PAgP                                        Dropped   –                         Rate-limited
802.1x                                      Dropped   Rate-limited              –
CDP                                         Dropped   –                         Rate-limited
DTP                                         Dropped   –                         –
UDLD                                        Dropped   Rate-limited              Rate-limited
VTP                                         Dropped   –                         Rate-limited
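The policing decisions described in this section and in Table 29-1, as an added Python model of a single UNI policer (illustration only, not Cisco code). The protocol classes come from the text and the table; the 100 pps limit and the fixed one-second counting window are constructed assumptions, since the guide states no rates and does not describe the policer algorithm.

```python
from collections import Counter, defaultdict

# Protocol classes taken from the text and Table 29-1.
ALWAYS_DROPPED = {"DTP", "RSVD_STP"}                     # never processed on a UNI
TUNNELABLE = {"CDP", "STP", "PVST+", "VTP", "UDLD", "LACP", "PAgP"}
UNI_ENABLEABLE = {"802.1x", "UDLD"}                      # the only features a UNI can enable
REQUIRED = {"KEEPALIVE"}                                 # needed by the switch, CPU-bound but policed


class UniPolicer:
    """Decide the fate of Layer 2 control packets arriving on one UNI."""

    def __init__(self, enabled=(), tunneled=(), rate_pps=100):
        self.enabled = set(enabled) & UNI_ENABLEABLE     # e.g. UDLD enabled on the port
        self.tunneled = set(tunneled) & TUNNELABLE       # Layer 2 protocol tunneling
        self.rate_pps = rate_pps                         # ASSUMED limit; the guide gives no figure
        self.seen = defaultdict(Counter)                 # second -> protocol -> packets counted

    def _police(self, proto, t):
        """Simplified policer: at most rate_pps packets per protocol per one-second window.
        (The real switch uses hardware policers whose algorithm this page does not describe.)"""
        window = self.seen[int(t)]
        window[proto] += 1
        return "accepted" if window[proto] <= self.rate_pps else "exceeded"

    def action(self, proto, t=0.0):
        """Return 'dropped', 'accepted' (handed to CPU or tunneled) or 'exceeded' (policed)."""
        if proto in ALWAYS_DROPPED:                      # DTP, reserved BPDUs: dropped regardless
            return "dropped"
        if proto in REQUIRED or proto in self.enabled or proto in self.tunneled:
            return self._police(proto, t)                # enabled/tunneled/required: rate-limited
        return "dropped"                                 # default for every other L2 protocol


def simulate(policer, packets):
    """Run (protocol, arrival_time) pairs through a policer; return (protocol, action) counts."""
    return Counter((proto, policer.action(proto, t)) for proto, t in packets)


if __name__ == "__main__":
    # Constructed traffic: a 1000 pps CDP burst on a UNI where CDP tunneling is on.
    cdp_tunnel = UniPolicer(tunneled=["CDP"])
    burst = [("CDP", i / 1000) for i in range(1000)]
    print(simulate(cdp_tunnel, burst))     # only 100 accepted, 900 exceed the policer
    print(UniPolicer().action("CDP"))      # dropped: CDP is off by default on a UNI
    print(UniPolicer().action("DTP"))      # dropped: DTP cannot be enabled or tunneled
```

The burst case shows the point of the design: enabling or tunneling a protocol on a UNI does not expose the CPU to that protocol's full line rate, because the policer still caps what gets through.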