Chapter 29 Configuring Control-Plane Security
Understanding Control-Plane Security

These types of control packets are dropped or rate-limited:

• Layer 2 protocol control packets:
  – Control packets that are always dropped on UNIs, such as Dynamic Trunking Protocol (DTP) packets and some bridge protocol data units (BPDUs).
  – Control packets that are dropped by default but can be enabled or tunneled, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) protocol, Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAgP) packets. When enabled, these protocol packets are rate-limited and tunneled through the switch.
  – Control or management packets that are required by the switch, such as keepalive packets. These control packets are processed by the CPU but rate-limited to normal and safe limits to prevent CPU overload.
• Non-IP packets with router MAC addresses
• IP packets with router MAC addresses
• IGMP control packets that are enabled by default and need to be rate-limited. However, when IGMP snooping and IP multicast routing are disabled, the packets are treated like data packets, and no policers are assigned to them.

The switch uses policing to accomplish control-plane security by either dropping or rate-limiting Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI port or tunneled on the switch, those protocol packets are rate-limited; otherwise control packets are dropped.

By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 29-1 shows the default action and the action taken for Layer 2 protocol packets when the feature is enabled or when Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled for any of the supported protocols (CDP, STP, VTP, LACP, PAgP, or UDLD), the switch Layer 2 protocol tunneling protocol uses the rate-limiting policer on every port. If UDLD is enabled on a port or UDLD tunneling is enabled, UDLD packets are rate-limited.

Table 29-1  CPU Protection Actions When Layer 2 Protocol Packets Are Received on a UNI

Protocol                                   Default   When Feature Is Enabled   When Layer 2 Protocol Tunneling¹ Is Enabled
STP                                        Dropped   –                         Rate-limited
RSVD_STP (reserved IEEE 802.1D addresses)  Dropped   –                         Rate-limited
PVST+                                      Dropped   –                         Rate-limited
LACP                                       Dropped   –                         Rate-limited
PAgP                                       Dropped   –                         Rate-limited
802.1x                                     Dropped   Rate-limited              –
CDP                                        Dropped   –                         Rate-limited
DTP                                        Dropped   –                         –
UDLD                                       Dropped   Rate-limited              Rate-limited
VTP                                        Dropped   –                         Rate-limited

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide, 78-17058-01, page 29-2
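As an added illustration (not code from the Cisco guide), the following Python models the decision described above and in Table 29-1 together with a token-bucket policer: a constructed burst of 20 STP BPDUs arriving on a UNI is dropped entirely under the default configuration, but once STP tunneling is enabled the frames are rate-limited, so only part of the burst reaches the CPU. The protocol names are the table's; the policer rate and burst are assumed values, and the model simplifies the per-port rule to a single port.

```python
# Simplified model of the UNI CPU-protection policy in Table 29-1: a Layer 2
# control frame is dropped unless its protocol is enabled on the port (where
# allowed) or tunneled, in which case it passes through a rate-limiting policer.

# protocol -> (can be enabled on a UNI, can be tunneled), read off Table 29-1
L2_PROTOCOLS = {
    "STP": (False, True), "RSVD_STP": (False, True), "PVST+": (False, True),
    "LACP": (False, True), "PAgP": (False, True), "802.1x": (True, False),
    "CDP": (False, True), "DTP": (False, False), "UDLD": (True, True),
    "VTP": (False, True),
}

class Policer:
    """Token bucket in integer arithmetic (millitokens, microsecond clock)."""
    def __init__(self, pps: int, burst: int):
        self.pps, self.burst_m = pps, burst * 1000
        self.tokens_m, self.last_us = self.burst_m, 0

    def admit(self, now_us: int) -> bool:
        refill = self.pps * (now_us - self.last_us) // 1000
        self.tokens_m = min(self.burst_m, self.tokens_m + refill)
        self.last_us = now_us
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False

class UniCpuProtection:
    def __init__(self, enabled=(), tunneled=(), pps=10, burst=5):
        self.enabled, self.tunneled = set(enabled), set(tunneled)
        self.policer = Policer(pps, burst)  # assumed rate/burst, not Cisco's values

    def action(self, proto: str) -> str:
        can_enable, can_tunnel = L2_PROTOCOLS[proto]
        if (proto in self.enabled and can_enable) or (proto in self.tunneled and can_tunnel):
            return "rate-limit"
        return "drop"  # the table's default for every listed protocol

    def receive(self, proto: str, now_us: int) -> str:
        """Fate of one control frame: 'cpu' (processed) or 'dropped'."""
        if self.action(proto) == "rate-limit" and self.policer.admit(now_us):
            return "cpu"
        return "dropped"

def simulate(cfg: UniCpuProtection, proto: str, count: int, gap_us: int) -> dict:
    """Constructed burst: `count` frames of `proto`, `gap_us` apart; tally fates."""
    fates = {"cpu": 0, "dropped": 0}
    for i in range(count):
        fates[cfg.receive(proto, i * gap_us)] += 1
    return fates

if __name__ == "__main__":
    print(simulate(UniCpuProtection(), "STP", 20, 10_000))                  # all 20 dropped
    print(simulate(UniCpuProtection(tunneled=["STP"]), "STP", 20, 10_000))  # 6 reach the CPU
```

With the assumed 10 pps / burst 5 policer, the tunneled case admits the first five BPDUs from the bucket and one more as it refills during the 0.2 s burst; DTP stays dropped whatever is configured, matching the table's dashes.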