Cisco Systems ME 3400 Switch User Manual
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide, OL-9639-06, page 32-3
Chapter 32 Configuring Control-Plane Security
Understanding Control-Plane Security
The switch automatically allocates 27 control-plane security policers for CPU protection. At system
bootup, it assigns a policer to each port, numbered 0 to 26. The policer assigned to a port determines whether
the protocol packets arriving on the port are rate-limited or dropped. Policer 26 is the drop policer
and is global: any traffic type shown as 26 on any port is dropped. A policer value of 0 to
25 means that a rate-limiting policer is assigned to the port for that protocol. Policers 0 to 23 are
logical identifiers for Fast Ethernet ports 1 to 24; policers 24 and 25 refer to Gigabit Ethernet ports 1 and
2, respectively. A policer value of 255 means that no policer is assigned to the protocol.
To see which policer actions are assigned to the protocols on an interface, enter the show platform
policer cpu interface interface-id privileged EXEC command. This example shows the default policer
configuration for a UNI. Because the port is Fast Ethernet 1, the identifier for rate-limited protocols is
0; a display for Fast Ethernet port 5 would show an identifier of 4. The Policer Index refers to the
specific protocol. The ASIC number is shown when the policer is on a different ASIC.
Table 32-1 Control-Plane Security Actions on Layer 2 Protocol Packets Received on a UNI or ENI (continued)

Protocol | Default | When Feature Is Enabled | When Layer 2 Protocol Tunneling Is Enabled (1)
LACP | Dropped | Rate limited. Note: LACP can be enabled only on ENIs. | Rate limited
PAgP | Dropped | Rate limited. Note: PAgP can be enabled only on ENIs. | Rate limited
IEEE 802.1x | Dropped | Rate limited |
CDP | Dropped | Rate limited. Note: CDP can be enabled only on ENIs. | Rate limited
LLDP | Dropped | Rate limited. Note: LLDP can be enabled only on ENIs. | Rate limited
DTP | Dropped | |
UDLD | Dropped | Rate limited | Rate limited
VTP | Dropped | Rate limited |
CISCO_L2 (any other Cisco Layer 2 protocols with the MAC address 01:00:0c:cc:cc:cc) | Dropped | | Rate limited if CDP, DTP, UDLD, PAgP, or VTP are Layer 2 tunneled
KEEPALIVE (MAC address, SNAP encapsulation, LLC, Org ID, or HDLC packets) | Rate-limited | |
Ethernet Connectivity Fault Management (CFM) | No policer assigned | When CFM is enabled globally, a throttle policer is assigned to all ports. When CFM is disabled globally, a NULL policer is assigned to all ports. |

1. Layer 2 protocol traffic is rate-limited when Layer 2 protocol tunneling is enabled for any protocol on any port.
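The policer numbering rules above (0 to 23 for Fast Ethernet 1 to 24, 24 and 25 for Gigabit Ethernet 1 and 2, 26 for the global drop policer, 255 for no policer) can be turned into a small audit that flags a protocol whose rate-limiting policer index does not belong to the port it was seen on. This is an added example, not code or command output from the Cisco guide; the port-type strings, the protocol-to-value dictionary and the sample values are constructed for illustration.

```python
# Added example: classify control-plane policer values using the ME 3400
# numbering rules described in the text. Not Cisco code; the input format
# (a protocol -> policer value mapping) is an assumption, not the output
# format of "show platform policer cpu interface".
DROP_POLICER = 26   # global drop policer: traffic shown as 26 is dropped
NO_POLICER = 255    # no policer assigned to the protocol


def expected_rate_limit_policer(port_type, port_number):
    """Logical policer identifier a rate-limited protocol should show.

    Fast Ethernet ports 1..24 map to policers 0..23; Gigabit Ethernet
    ports 1..2 map to policers 24..25. Anything else is rejected.
    """
    if port_type == "fastethernet" and 1 <= port_number <= 24:
        return port_number - 1
    if port_type == "gigabitethernet" and 1 <= port_number <= 2:
        return 23 + port_number
    raise ValueError(f"unsupported port: {port_type} {port_number}")


def classify_policer(port_type, port_number, value):
    """Return what one policer value means for a protocol on this port."""
    if value == DROP_POLICER:
        return "dropped"
    if value == NO_POLICER:
        return "no policer"
    if 0 <= value <= 25:
        if value == expected_rate_limit_policer(port_type, port_number):
            return "rate-limited"
        # A rate-limiting policer that belongs to another port is worth
        # a second look: it is not what the default assignment produces.
        return f"rate-limited (unexpected policer {value})"
    return f"invalid policer value {value}"


def audit_interface(port_type, port_number, policers):
    """Classify every protocol entry; 'policers' maps protocol -> value."""
    return {proto: classify_policer(port_type, port_number, value)
            for proto, value in policers.items()}


# Constructed sample for Fast Ethernet port 5 (expected identifier 4):
# LACP and PAgP on the drop policer, CDP rate-limited on the port's own
# policer, UDLD pointing at policer 1 (Fast Ethernet 2), CFM unassigned.
SAMPLE_FE5 = {"LACP": 26, "PAgP": 26, "CDP": 4, "UDLD": 1, "CFM": 255}

if __name__ == "__main__":
    for proto, verdict in audit_interface("fastethernet", 5, SAMPLE_FE5).items():
        print(f"{proto:6} {verdict}")
```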