Chapter 29: Configuring Control-Plane Security - Cisco ME 3400G-2CS Ethernet Access Switch Software Configuration Manual

Configuring Control-Plane Security
This chapter describes the control-plane security feature in the Cisco ME 3400 Ethernet Access switch.
In any network, Layer 2 and Layer 3 switches exchange control packets with other switches in the
network. The Cisco ME switch, which acts as a transition between the customer network and the
service-provider network, uses control-plane security to ensure that the topology information between
the two networks is isolated. This mechanism protects against a possible denial-of-service attack from
another customer network.
This chapter includes these sections:

Understanding Control-Plane Security

The Cisco ME switch can have no more than four ports configured as network node interfaces (NNIs)
that connect to the service-provider network. The switch communicates with the rest of the network
through these ports, exchanging protocol control packets as well as regular traffic. The remainder of the
ports on the Cisco ME switch are user network interfaces (UNIs) that are used as customer-facing ports.
Each port is connected to a single customer, and exchanging network protocol control packets between
the switch and the customer is not usually required. To protect against accidental or intentional CPU
overload, the Cisco ME switch provides control-plane security automatically by dropping or
rate-limiting a predefined set of Layer 2 control packets and some Layer 3 control packets for UNIs.
Control-plane security is supported on a port for Layer 2 control packets and non-IP packets with router
MAC addresses regardless of whether the port is in routing or nonrouting mode. (A port is in routing
mode when global IP routing is enabled and it is configured with the no switchport interface
configuration command or associated with a VLAN that has a switch virtual interface [SVI] created and
active.) These packets are either dropped or rate-limited, depending upon the Layer 2 protocol
configuration. For Layer 3 control packets, on a port in routing mode (whether or not a Layer 3 service
policy is attached), control-plane security supports rate-limiting only Internet Group Management
Protocol (IGMP) control packets. For Layer 3 packets, on a port in non-routing mode (whether or not a
Layer 2 service policy is attached), only IP packets with router MAC addresses are dropped.
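As an added illustration (not code from the Cisco guide), the following Python model encodes the per-port rules just described: NNIs forward everything, while a UNI drops or rate-limits Layer 2 control packets and non-IP router-MAC packets, rate-limits IGMP in routing mode, and drops IP router-MAC packets in non-routing mode. The token-bucket limit (10 packets per second, burst 10) is a constructed value; the guide gives no actual limits here.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Port:
    kind: str                 # "NNI" or "UNI"
    routing: bool             # True when the port is in routing mode
    l2_action: str = "drop"   # per-protocol Layer 2 configuration: "drop" or "rate-limit"
    tokens: float = 10.0      # token bucket state (constructed limit, not from the guide)
    last_t: float = 0.0
    RATE = 10.0               # constructed: tokens refilled per second
    BURST = 10.0              # constructed: bucket capacity

def _take_token(port, t):
    """Token bucket: refill for elapsed time, cap at BURST, spend one token if available."""
    port.tokens = min(port.BURST, port.tokens + (t - port.last_t) * port.RATE)
    port.last_t = t
    if port.tokens >= 1:
        port.tokens -= 1
        return True
    return False

def classify(port, pkt, t):
    """Return 'forward', 'drop' or 'rate-limited' for one packet arriving at time t.
    pkt fields: l2_control, ip, router_mac, igmp (all booleans)."""
    if port.kind == "NNI":
        return "forward"      # NNIs exchange control packets with the provider network
    if pkt["l2_control"] or (not pkt["ip"] and pkt["router_mac"]):
        # Layer 2 control and non-IP router-MAC packets: handled in either port mode
        if port.l2_action == "drop":
            return "drop"
        return "forward" if _take_token(port, t) else "rate-limited"
    if pkt["ip"]:
        if port.routing and pkt["igmp"]:          # routing mode: only IGMP is rate-limited
            return "forward" if _take_token(port, t) else "rate-limited"
        if not port.routing and pkt["router_mac"]:  # non-routing mode: IP to router MAC dropped
            return "drop"
    return "forward"          # ordinary customer traffic

def run(port, packets):
    """Feed (time, packet) pairs through one port and count the actions taken."""
    return Counter(classify(port, pkt, t) for t, pkt in packets)

# Constructed sample packets (no real captures involved).
def igmp_pkt(t):
    return (t, {"l2_control": False, "ip": True, "router_mac": True, "igmp": True})

def l2_control_pkt(t):
    return (t, {"l2_control": True, "ip": False, "router_mac": False, "igmp": False})

def ip_router_mac_pkt(t):
    return (t, {"l2_control": False, "ip": True, "router_mac": True, "igmp": False})
```

A burst of 100 IGMP packets at once on a routing-mode UNI lets only the first 10 through, while the same 100 spread over 10 seconds all pass, which is the CPU-protection behaviour the section describes.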
Understanding Control-Plane Security, page 29-1
Configuring Control-Plane Security, page 29-4
Monitoring Control-Plane Security, page 29-5

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide, 78-17058-01, Chapter 29, page 29-1
