- Preface
- Overview
- Using the Command-Line Interface
- Assigning the Switch IP Address and Default Gateway
- Configuring Cisco IOS Configuration Engine
- Administering the Switch
- Configuring Switch Alarms
- Configuring SDM Templates
- Configuring Switch-Based Authentication
- Configuring IEEE 802.1x Port-Based Authentication
- Configuring the PPPoE Intermediate Agent
- Configuring Interface Characteristics
- Configuring Command Macros
- Configuring VLANs
- Configuring Private VLANs
- Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
- Configuring STP
- Configuring Optional Spanning-Tree Features
- Configuring Resilient Ethernet Protocol
- Configuring Flex Links and the MAC Address-Table Move Update Feature
- Configuring DHCP Features and IP Source Guard
- Configuring Dynamic ARP Inspection
- Configuring IGMP Snooping and MVR
- Configuring Port-Based Traffic Control
- Configuring CDP
- Configuring LLDP and LLDP-MED
- Configuring UDLD
- Configuring SPAN and RSPAN
- Configuring RMON
- Configuring System Message Logging
- Configuring SNMP
- Configuring Embedded Event Manager
- Configuring Network Security wit
- Configuring Control-Plane Security
- Configuring QoS
- Configuring EtherChannels and Link State Tracking
- Configuring IP Unicast Routing
- Configuring IPv6 Unicast Routing
- Configuring IPv6 MLD Snooping
- Configuring IPv6 ACLs
- Configuring HSRP, VRRP, and GLBP
- Configuring Cisco IOS IP SLAs Operations
- Configuring Enhanced Object Tracking
- Configuring Ethernet OAM, CFM, and E-LMI
- Configuring Y.1731 Performance Monitoring
- Configuring IP Multicast Routing
- Configuring MSDP
- Troubleshooting
- Configuring Online Diagnostics
- Working with the Cisco IOS File System, Configuration Files, and Software Images
- Unsupported Commands in Cisco IOS Release 12.2(58)EZ
- Index
Configuring Control-Plane Security
This chapter describes the control-plane security feature in the Cisco ME 3400E Ethernet Access switch. In any network, Layer 2 and Layer 3 switches exchange control packets with other switches in the network. The Cisco ME switch, which acts as a transition between the customer network and the service-provider network, uses control-plane security to ensure that the topology information between the two networks is isolated. This mechanism protects against a possible denial-of-service attack from another customer network.
•Understanding Control-Plane Security
•Configuring Control-Plane Security
•Monitoring Control-Plane Security
Understanding Control-Plane Security
In the Cisco ME switch, ports configured as network node interfaces (NNIs) connect to the service-provider network. The switch communicates with the rest of the network through these ports, exchanging protocol control packets as well as regular traffic. Other ports on the Cisco ME switch are user network interfaces (UNIs) that are used as customer-facing ports. Each port is connected to a single customer, and exchanging network protocol control packets between the switch and the customer is not usually required. Most Layer 2 protocols are not supported on UNIs. To protect against accidental or intentional CPU overload, the Cisco ME switch provides control-plane security automatically by dropping or rate-limiting a predefined set of Layer 2 control packets and some Layer 3 control packets for UNIs.
You can also configure a third port type, an enhanced network interface (ENI). An ENI, like a UNI, is a customer-facing interface. By default on an ENI, Layer 2 control protocols, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), Link Layer Discovery Protocol (LLDP) are disabled. On ENIs, unlike UNIs, you can enable these protocols. When configuring ENIs in port channels, you can also enable Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAgP). ENIs drop or rate-limit the protocol packets, depending on whether the protocol is enabled or disabled on the interface. For all other control protocols on ENIs, the switch drops or rate-limits packets the same way as it does for UNIs.
CPU protection, which is enabled by default, uses 19 policers per port. When it is enabled, you can configure a maximum of 45 policers per port. If you need to configure more policers per port, you can disable CPU protection by entering the no policer cpu uni all global configuration command and reloading the switch. When CPU protection is disabled, you can configure a maximum of 63 policers per port (62 on every 4th port) for user-defined classes and one for class-default.
Note When CPU is turned off, protocol packets can reach the CPU, which could cause CPU processing overload and storm control through software.
Control-plane security is supported on a port for Layer 2 control packets and non-IP packets with router MAC addresses, regardless of whether the port is in routing or nonrouting mode. (A port is in routing mode when global IP routing is enabled and the port is configured with the no switchport interface configuration command or is associated with a VLAN that has an active switch virtual interface [SVI].) These packets are either dropped or rate-limited, depending upon the Layer 2 protocol configuration. For Layer 3 control packets, on a port in routing mode (whether or not a Layer 3 service policy is attached), control-plane security supports rate-limiting only Internet Group Management Protocol (IGMP) control packets. For Layer 3 packets, on a port in nonrouting mode (whether or not a Layer 2 service policy is attached), only IP packets with router MAC addresses are dropped.
These types of control packets are dropped or rate-limited:
•Layer 2 protocol control packets:
–Control packets that are always dropped on UNIs and ENIs, such as Dynamic Trunking Protocol (DTP) packets and some bridge protocol data units (BPDUs).
–Control packets that are dropped by default but can be enabled or tunneled, such as CDP, STP, LLDP, VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) Protocol, LACP, and PAgP packets. When enabled, these protocol packets are rate-limited and tunneled through the switch.
–Control or management packets that are required by the switch, such as keepalive packets. These control packets are processed by the CPU but are rate-limited to normal and safe limits to prevent CPU overload.
•Non-IP packets with router MAC addresses
•IP packets with router MAC addresses
•IGMP control packets that are enabled by default and need to be rate-limited. However, when IGMP snooping and IP multicast routing are disabled, the packets are treated like data packets, and no policers are assigned to them.
The switch uses policing to accomplish control-plane security by either dropping or rate-limiting Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI or ENI port or tunneled on the switch, those protocol packets are rate-limited; otherwise control packets are dropped.
By default, some protocol traffic is dropped by the CPU, and some is rate-limited. Table 35-1 shows the default action and the action taken for Layer 2 protocol packets when the feature is enabled or when Layer 2 protocol tunneling is enabled for the protocol. Note that some features cannot be enabled on UNIs, and not all protocols can be tunneled (shown by dashes). If Layer 2 protocol tunneling is enabled for any of the supported protocols (CDP, STP, VTP, LLDP, LACP, PAgP, or UDLD), the switch Layer 2 protocol tunneling protocol uses the rate-limiting policer on every port. If UDLD is enabled on a port or UDLD tunneling is enabled, UDLD packets are rate-limited.
|
|
|
|
---|---|---|---|
STP |
Dropped |
Rate limited Note STP can be enabled only on ENIs. |
Rate-limited |
RSVD_STP (reserved IEEE 802.1D addresses) |
Dropped |
When the Ethernet Link Management Interface (ELMI) is enabled, globally or on a per-port basis whichever is configured last, a throttle policer is assigned to a port. When ELMI is disabled (globally or on a port, whichever is configured last), a drop policer is assigned to a port. |
|
PVST+ |
Dropped |
- |
Rate limited |
LACP |
Dropped |
Rate limited Note LACP can be enabled only on ENIs. |
Rate limited |
PAgP |
Dropped |
Rate limited Note PAgP can be enabled only on ENIs. |
Rate limited |
IEEE 802.1x |
Dropped |
Rate limited |
- |
CDP |
Dropped |
Rate limited Note CDP can be enabled only on ENIs. |
Rate limited |
LLDP |
Dropped |
Rate limited Note LLDP can be enabled only on ENIs. |
Rate limited |
DTP |
Dropped |
- |
- |
UDLD |
Dropped |
Rate limited |
Rate limited |
VTP |
Dropped |
- |
Rate limited |
CISCO_L2 (any other Cisco Layer 2 protocols with the MAC address 01:00:0c:cc:cc:cc) |
Dropped |
- |
Rate limited if CDP, DTP, UDLD, PAGP, or VTP are Layer 2 tunneled |
KEEPALIVE (MAC address, SNAP encapsulation, LLC, Org ID, or HDLC packets) |
Rate-limited |
- |
- |
Ethernet Connectivity Fault Management (CFM) |
No policer assigned |
When CFM is enabled globally, a throttle policer is assigned to all ports. When CFM is disabled globally, a NULL policer is assigned to all ports. |
- |
1 Layer 2 protocol traffic is rate-limited when Layer 2 protocol tunneling is enabled for any protocol on any port. |
The switch automatically allocates 27 control-plane security policers for CPU protection. At system bootup, it assigns a policer to each port numbered 0 to 26. The policer assigned to a port determines if the protocol packets arriving on the port are rate-limited or dropped. On the ME 3400E-24TS switch, a policer of 26 means a drop policer and is a global policer; any traffic type shown as 26 on any port is dropped. A policer of a value of 0 to 25 means that a rate-limiting policer is assigned to the port for the protocol. The policers 0 to 23 are logical identifiers for Fast Ethernet ports 1 to 24; policers 24 and 25 refer to Gigabit Ethernet ports 1 and 2, respectively. A policer value of 255 means that no policer is assigned to a protocol.
For the ME 3400EG-12CS and ME 34000EG-2CS switches, a policer of 4 means a drop policer. A traffic type shown as 4 on a port is dropped. A policer value of 0 to 3 means that a rate-limiting policer is assigned to the port for the protocol.
To see what policer actions are assigned to the protocols on an interface, enter the show platform policer cpu interface interface-id privileged EXEC command.
Note Unless otherwise indicated, the examples are for an ME 3400E-24TS switch.
This example shows the default policer configuration for a UNI. Because the port is Fast Ethernet 1, the identifier for rate-limited protocols is 0; a display for Fast Ethernet port 5 would display an identifier of 4. The Policer Index refers to the specific protocol. The ASIC number shows when the policer is on a different ASIC.
Because UNIs do not support STP, CDP, LLDP, LACP, and PAgP, these packets are dropped (physical policer of 26). These protocols are disabled by default on ENIs as well, but you can enable them. When enabled on ENIs, the control packets are rate limited and a rate-limiting policer is assigned to the port for these protocols (physical policer of 22).
Switch# show platform policer cpu interface fastethernet 0/3
Policers assigned for CPU protection
===================================================================
Feature Policer Physical Asic
Index Policer Num
===================================================================
Fa0/1
STP 1 26 0
LACP 2 26 0
8021X 3 26 0
RSVD_STP 4 26 0
PVST_PLUS 5 26 0
CDP 6 26 0
LLDP 7 26 0
DTP 8 26 0
UDLD 9 26 0
PAGP 10 26 0
VTP 11 26 0
CISCO_L2 12 26 0
KEEPALIVE 13 0 0
CFM 14 255 0
SWITCH_MAC 15 26 0
SWITCH_ROUTER_MAC 16 26 0
SWITCH_IGMP 17 0 0
SWITCH_L2PT 18 26 0
This example shows the policers assigned to a ENI when control protocols are enabled on the interface. A value of 22 shows that protocol packets are rate limited for that protocol. When the protocol is not enabled, the defaults are the same as for a UNI.
Switch# show platform policer cpu interface fastethernet0/23
Policers assigned for CPU protection ===================================================================
Feature Policer Physical Asic
Index Policer Num
===================================================================
Fa0/23
STP 1 26 0
LACP 2 22 0
8021X 3 26 0
RSVD_STP 4 26 0
PVST_PLUS 5 26 0
CDP 6 22 0
LLDP 7 26 0
DTP 8 26 0
UDLD 9 26 0
PAGP 10 26 0
VTP 11 26 0
CISCO_L2 12 22 0
KEEPALIVE 13 22 0
CFM 14 255 0
SWITCH_MAC 15 26 0
SWITCH_ROUTER_MAC 16 26 0
SWITCH_IGMP 17 22 0
SWITCH_L2PT 18 22 0
This example shows rate limiting on a ME 3400EG-12CS or ME 34000EG-2CS switch. A value of 1 shows that protocol packets are rate limited for that protocol.
Switch #show platform policer cpu interface gigabitethernet 0/2
Policers assigned for CPU protection
===================================================================
Feature Policer Physical Asic
Index Policer Num
===================================================================
Gi0/2
STP 1 4 0
LACP 2 4 0
8021X 3 4 0
RSVD_STP 4 1 0
PVST_PLUS 5 4 0
CDP 6 4 0
LLDP 7 4 0
DTP 8 4 0
UDLD 9 4 0
PAGP 10 4 0
VTP 11 4 0
CISCO_L2 12 4 0
KEEPALIVE 13 1 0
CFM 14 255 0
SWITCH_MAC 15 4 0
SWITCH_ROUTER_MAC 16 4 0
SWITCH_IGMP 17 1 0
SWITCH_L2PT 18 4 0
This example shows the default policers assigned to NNIs. Most protocols have no policers assigned to NNIs. A value of 255 means that no policer is assigned to the port for the protocol.
Switch #show platform policer cpu interface gigabitethernet 0/1
Policers assigned for CPU protection
===================================================================
Feature Policer Physical Asic
Index Policer Num
===================================================================
Gi0/1
STP 1 255 0
LACP 2 255 0
8021X 3 255 0
RSVD_STP 4 255 0
PVST_PLUS 5 255 0
CDP 6 255 0
LLDP 7 255 0
DTP 8 255 0
UDLD 9 255 0
PAGP 10 255 0
VTP 11 255 0
CISCO_L2 12 255 0
KEEPALIVE 13 255 0
CFM 14 255 0
SWITCH_MAC 15 255 0
SWITCH_ROUTER_MAC 16 255 0
SWITCH_IGMP 17 255 0
SWITCH_L2PT 18 255 0
Configuring Control-Plane Security
CPU protection is enabled by default and CPU policers are pre-allocated. You can disable CPU protection by entering the no policer cpu uni all global configuration command or reenable it by entering the policer cpu uni all global configuration command. When you disable or enable CPU protection, you must reload the switch by entering the reload privileged EXEC command before the configuration takes effect.
When CPU protection is enabled, you can configure only 45 policers per port. Disabling CPU protection allows you to configure up to 64 policers per port. Note these limitations when you disable CPU protection:
•When CPU protection is disabled, you can configure a maximum of 63 policers per port (62 on every 4th port) for user-defined classes and one for class-default.
•On Cisco ME 3400EG-12CS switches, due to hardware limitations, you can attach 64 per-port, per-VLAN policers to a maximum of 6 ports. If you attempt to attach more than 6 per-port per VLAN 64-policer policy maps, the attachment fails with a VLAN labels exceeded error message.
•If you disable CPU protection and attach a policy map with more than 45 policers, and then enable CPU protection again, and reload, 19 policers per port are again required for CPU protection. During reload, the policers 46 and above will reach the policer resources exceeded error condition and no policers are attached to those classes.
You can configure only the rate-limiting threshold. The configured threshold applies to all supported control protocols on all UNIs and ENIs. It also applies to STP, CDP, LLDP, LACP, and PAgP when the protocol is enabled on an ENI.
Note During normal Layer 2 operation, you cannot ping the switch through a UNI or ENI. This restriction does not apply to NNIs. See the "Using Ping" section for ways to enable ping in a test situation.
Beginning in privileged EXEC mode, follow these steps to set the threshold rate for CPU protection:
To return to the default threshold rate, use the no policer cpu uni global configuration command. To disable CPU protection, enter the no policer cpu uni all global configuration command, and reload the switch.
This example shows how to set the CPU protection threshold to 10000 b/s and to verify the configuration.
Switch# config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# policer cpu uni 10000
Switch(config)# end
Switch# show policer cpu uni-eni rate
CPU UNI/ENI port police rate = 10000 bps
This is an example of the show command output when CPU protection is disabled.
Switch# show policer cpu uni-eni rate
CPU Protection feature is not enabled
Monitoring Control-Plane Security
You can monitor control-plane security settings and statistics on the switch or on an interface, and you can clear these statistics at any time by using the privileged EXEC commands in Table 35-2. For more information about the commands, see the command reference for this release.