Filter
Top Products
CHAPTER
32-1
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
32
Configuring Control-Plane Security
This chapter describes the control-plane security feature in the Cisco ME 3400 Ethernet Access switch.
In any network, Layer 2 and Layer 3 switches exchange control packets with other switches in the
network. The Cisco ME switch, which acts as a transition between the customer network and the
service-provider network, uses control-plane security to ensure that the topology information between
the two networks is isolated. This mechanism protects against a possible denial-of-service attack from
another customer network.
This chapter includes these sections;
• Understanding Control-Plane Security, page 32-1
• Configuring Control-Plane Security, page 32-5
• Monitoring Control-Plane Security, page 32-6
Understanding Control-Plane Security
In the Cisco ME switch, ports configured as network node interfaces (NNIs) connect to the
service-provider network. The switch communicates with the rest of the network through these ports,
exchanging protocol control packets as well as regular traffic. Other ports on the Cisco ME switch are
user network interfaces (UNIs) that are used as customer-facing ports. Each port is connected to a single
customer, and exchanging network protocol control packets between the switch and the customer is not
usually required. Most Layer 2 protocols are not supported on UNIs. To protect against accidental or
intentional CPU overload, the Cisco ME switch provides control-plane security automatically by
dropping or rate-limiting a predefined set of Layer 2 control packets and some Layer 3 control packets
for UNIs.
Cisco IOS Release 122.(44)SE introduces a new port type, an enhanced network interface (ENI). An
ENI, like a UNI, is a customer-facing interface. By default on an ENI, Layer 2 control protocols, such
as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), Link Layer Discovery Protocol
(LLDP) are disabled. On ENIs, unlike UNIs, you can enable these protocols. When configuring ENIs in
port channels, you can also enable Link Aggregation Control Protocol (LACP), and Port Aggregation
Protocol (PAgP). ENIs drop or rate-limit the protocol packets, depending on whether the protocol is
enabled or disabled on the interface. For all other control protocols on ENIs, the switch drops or
rate-limits packets the same way as it does for UNIs.
Control-plane security is supported on a port for Layer 2 control packets and non-IP packets with router
MAC addresses, regardless of whether the port is in routing or nonrouting mode. (A port is in routing
mode when global IP routing is enabled and the port is configured with the no switchport interface
configuration command or is associated with a VLAN that has an active switch virtual interface [SVI].)
These packets are either dropped or rate-limited, depending upon the Layer 2 protocol configuration. For