- Overview
- Configuring Switch-Based Authentication
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring Web-Based Authentication
- Configuring DHCP Features and IP Source Guard
- Configuring Dynamic ARP Inspection
- Configuring Network Security with ACLs
- Configuring IPv6 ACLs
- Configuring Control-Plane Security
Cisco Connected Grid Switches Security Software Configuration Guide
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- February 18, 2018
Chapter: Configuring Control-Plane Security
Configuring Control-Plane Security
This chapter provides details about configuring Control-Plane Security on the Cisco Industrial Ethernet 2000U Series (IE 2000U) and Connected Grid Switches and includes the following sections:
Information About Control-Plane Security
In any network, Layer 2 and Layer 3 switches exchange control packets with other switches in the network.
The switch, which acts as a transition between the customer network and the service-provider network, uses control-plane security to isolate the topology information between the two networks. This mechanism protects against a possible denial-of-service (DoS) attack from another customer network.
NNIs, UNIs, and ENIs
In the switch, ports configured as network node interfaces (NNIs) connect to the service-provider network. The switch communicates with the rest of the network through these ports, exchanging protocol control packets as well as regular traffic. Other ports on the switch are user network interfaces (UNIs) that are used as customer-facing ports. Each port is connected to a single customer, and exchanging network protocol control packets between the switch and the customer is not usually required. Most Layer 2 protocols are not supported on UNIs. To protect against accidental or intentional CPU overload, the switch provides control-plane security automatically by dropping or rate-limiting a predefined set of Layer 2 control packets and some Layer 3 control packets for UNIs.
You can also configure a third port type, an enhanced network interface (ENI). An ENI, like a UNI, is a customer-facing interface. By default on an ENI, Layer 2 control protocols, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), and Link Layer Discovery Protocol (LLDP), are disabled. On ENIs, unlike UNIs, you can enable these protocols. When configuring ENIs in port channels, you can also enable Link Aggregation Control Protocol (LACP) and Port Aggregation Protocol (PAgP). ENIs drop or rate-limit the protocol packets, depending on whether the protocol is enabled or disabled on the interface. For all other control protocols on ENIs, the switch drops or rate-limits packets the same way as it does for UNIs.
CPU protection, enabled by default, uses 19 policers per port. When enabled, you can configure a maximum of 45 policers per port. If you need to configure more policers per port, you can disable CPU protection by entering the no policer cpu uni all global configuration command and reloading the switch. When CPU protection is disabled, you can configure a maximum of 63 policers per port for user-defined classes and one for class-default.
Note
When you disable CPU protection on the switch, protocol packets can reach the CPU, which could cause CPU processing overload and storm control through software.
Control-plane security is supported on a port for Layer 2 control packets and non-IP packets with router MAC addresses, regardless of whether the port is in routing or nonrouting mode. (A port is in routing mode when global IP routing is enabled and the port is configured with the no switchport interface configuration command or is associated with a VLAN that has an active switch virtual interface [SVI].) These packets are either dropped or rate-limited, depending upon the Layer 2 protocol configuration.
For Layer 3 control packets, on a port in routing mode (whether or not a Layer 3 service policy is attached), control-plane security supports rate-limiting only for Internet Group Management Protocol (IGMP) control packets. For Layer 3 packets, on a port in nonrouting mode (whether or not a Layer 2 service policy is attached), only IP packets with router MAC addresses are dropped.
These types of control packets are dropped or rate-limited:
– Control packets that are always dropped on UNIs and ENIs, such as Dynamic Trunking Protocol (DTP) packets and some bridge protocol data units (BPDUs).
– Control packets that are dropped by default but can be enabled or tunneled, such as CDP, STP, LLDP, VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) Protocol, LACP, and PAgP packets. When enabled, these protocol packets are rate-limited and tunneled through the switch.
– Control or management packets that are required by the switch, such as keepalive packets. These control packets are processed by the CPU but are rate-limited to normal and safe limits to prevent CPU overload.
- Non-IP packets with router MAC addresses
- IP packets with router MAC addresses
- IGMP control packets that are enabled by default and need to be rate-limited. However, when IGMP snooping and IP multicast routing are disabled, the packets are treated like data packets, and no policers are assigned to them.
The switch uses policing to accomplish control-plane security by either dropping or rate-limiting Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI or ENI port or tunneled on the switch, those protocol packets are rate-limited; otherwise control packets are dropped.
By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 9-1 shows the default action and the action taken for Layer 2 protocol packets when the feature is enabled or when Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled for any of the supported protocols (CDP, STP, VTP, LLDP, LACP, PAgP, or UDLD), the switch Layer 2 protocol tunneling protocol uses the rate-limiting policer on every port. If UDLD is enabled on a port or UDLD tunneling is enabled, UDLD packets are rate-limited.
|
|
|
|
|
|---|---|---|---|
When the Ethernet Link Management Interface (ELMI) is enabled, globally or on a per-port basis whichever is configured last, a throttle policer is assigned to a port. When ELMI is disabled (globally or on a port, whichever is configured last), a drop policer is assigned to a port. |
|||
CISCO_L2 (any other Cisco Layer 2 protocols with the MAC address 01:00:0c:cc:cc:cc) |
Rate limited if CDP, DTP, UDLD, PAGP, or VTP are Layer 2 tunneled |
||
KEEPALIVE (MAC address, SNAP encapsulation, LLC, Org ID, or HDLC packets) |
|
1.Layer 2 protocol traffic is rate-limited when Layer 2 protocol tunneling is enabled for any protocol on any port. |
The switch automatically allocates 27 control-plane security policers for CPU protection. At system bootup, it assigns a policer to each port numbered 0 to 26. The policer assigned to a port determines if the protocol packets arriving on the port are rate-limited or dropped. On the switch, a policer of 26 means a drop policer and is a global policer; any traffic type shown as 26 on any port is dropped. A policer of a value of 0 to 25 means that a rate-limiting policer is assigned to the port for the protocol. The policers 0 to 23 are logical identifiers for Fast Ethernet ports 1 to 24; policers 24 and 25 refer to Gigabit Ethernet ports 1 and 2, respectively. A policer value of 255 means that no policer is assigned to a protocol.
To see what policer actions are assigned to the protocols on an interface, enter the show platform policer cpu interface interface-id privileged EXEC command.
This example shows the default policer configuration for a UNI. Because the port is Fast Ethernet 1, the identifier for rate-limited protocols is 0; a display for Fast Ethernet port 5 would display an identifier of 4. The Policer Index refers to the specific protocol. The ASIC number shows when the policer is on a different ASIC.
Because UNIs do not support STP, CDP, LLDP, LACP, or PAgP, these packets are dropped (physical policer of 26). These protocols are disabled by default on ENIs as well, but you can enable them. When enabled on ENIs, the control packets are rate limited and a rate-limiting policer is assigned to the port for these protocols (physical policer of 22).
This example shows the policers assigned to a ENI when control protocols are enabled on the interface. A value of 22 shows that protocol packets are rate limited for that protocol. When the protocol is not enabled, the defaults are the same as for a UNI.
This example shows the default policers assigned to NNIs. Most protocols have no policers assigned to NNIs. A value of 255 means that no policer is assigned to the port for the protocol.
Prerequisites
Be sure to review the Guidelines and Limitations section and the Before You Begin section for each configuration.
Guidelines and Limitations
Reload Required When You Disable or Reenable CPU Protection
When you disable or enable CPU protection ([ no] policer cpu uni all) , you must reload the switch by entering the reload privileged EXEC command before the configuration takes effect.
Policer Support Per Port for CPU Protection
- When you enable (system default) CPU protection on the switch, you can configure a maximum of 45 policers per port.
- When you disable CPU protection allows, you to configure a maximum of 63 policers per port for user-defined classes and one for class-default.
– Due to hardware limitations, you can attach 64 per-port, per-VLAN policers to a maximum of 6 ports. If you attempt to attach more than 6 per-port per VLAN 64-policer policy maps, the attachment fails with a VLAN labels exceeded error message.
– When you disable CPU protection and attach a policy map with more than 45 policers, and then enable CPU protection again and reload, 19 policers per port are again required for CPU protection. During reload, the policers 46 and above will reach the policer resources exceeded error condition and no policers are attached to those classes.
The rate-limiting threshold applies to all supported control protocols on all UNIs and ENIs. It also applies to STP, CDP, LLDP, LACP, and PAgP when the protocol is enabled on an ENI.
You can configure only the rate-limiting threshold.
During normal Layer 2 operation, you cannot ping ( ping [ host ] | address ] the switch through a UNI or ENI.
Default Settings
|
|
|
|---|---|
Configuring Control-Plane Security
You can set the threshold rate for CPU protection.
BEFORE YOU BEGIN
Review the Guidelines and Limitations for this feature.
DETAILED STEPS
EXAMPLE
This example shows how to set the CPU protection threshold to 10000 b/s and verify the configuration:
This is an example of the show command output when you disable CPU protection on the switch:
Verifying Configuration
You can verify control-plane security settings on the switch or on an interface.
For details on clear and debug commands, see Clear and Debug Commands.
Clear and Debug Commands
Configuration Example
See example in the “Configuring Control-Plane Security” section.
Related Documents
- Layer 2 Switching Software Configuration Guide for Cisco IE 2000U and Connected Grid Switches
- System Management Software Configuration Guide for Cisco IE 2000U and Connected Grid Switches
You can find all of the related documents at www.cisco.com/go/ie2000u-docs.
Feature History
|
|
|
|---|---|
Feedback