control plane policing

Unanswered Question
Oct 17th, 2008
Hi,

I want to do control plane policing on LLDP packets. I created the following config on the DUT, but it is not working. Can anybody suggest how to do this?

macro global description system-cpp
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
lldp run
!
!
class-map match-all system-cpp-cdp
 match access-group name system-cpp-cdp
class-map match-all system-cpp-pim
 match access-group name system-cpp-pim
class-map match-all system-cpp-bpdu-range
 match access-group name system-cpp-bpdu-range
class-map match-all system-cpp-dhcp-cs
 match access-group name system-cpp-dhcp-cs
class-map match-all system-cpp-dhcp-sc
 match access-group name system-cpp-dhcp-sc
class-map match-all system-cpp-all-systems-on-subnet
 match access-group name system-cpp-all-systems-on-subnet
class-map match-all system-cpp-all-routers-on-subnet
 match access-group name system-cpp-all-routers-on-subnet
class-map match-all system-cpp-ripv2
 match access-group name system-cpp-ripv2
class-map match-all system-cpp-dot1x
 match access-group name system-cpp-dot1x
class-map match-all system-cpp-dhcp-ss
 match access-group name system-cpp-dhcp-ss
class-map match-all system-cpp-sstp
 match access-group name system-cpp-sstp
class-map match-all system-cpp-ospf
 match access-group name system-cpp-ospf
class-map match-all system-cpp-lldp
 match access-group name system-cpp-
 match access-group name system-cpp-lldp
 match any
class-map match-all system-cpp-igmp
 match access-group name system-cpp-igmp
class-map match-all system-cpp-ip-mcast-linklocal
 match access-group name system-cpp-ip-mcast-linklocal
!
!
policy-map system-cpp-policy
 class system-cpp-dot1x
 class system-cpp-bpdu-range
 class system-cpp-cdp
 class system-cpp-sstp
 class system-cpp-ospf
 class system-cpp-igmp
 class system-cpp-pim
 class system-cpp-all-systems-on-subnet
 class system-cpp-all-routers-on-subnet
 class system-cpp-ripv2
 class system-cpp-ip-mcast-linklocal
 class system-cpp-dhcp-cs
 class system-cpp-dhcp-sc
 class system-cpp-dhcp-ss
 class system-cpp-lldp
  police cir 32000 bc 1000
   conform-action drop
   exceed-action drop
 class class-default
!

I applied the policy map on the control plane as well, but it is not dropping LLDP packets. Please let me know the solution. I'm new to control plane policing.


Thanks in advance,

Balajee

mheusing Fri, 10/17/2008 - 03:36
(Cisco Employee)

Hi,


Where are the access-lists?

You define a class to describe the traffic:

class-map match-all system-cpp-lldp
 match access-group name system-cpp-
 match access-group name system-cpp-lldp
 match any

If this is your config, then only traffic matching the ACL system-cpp- and system-cpp-lldp at the same time ("match-all") is classified. If any of the ACLs is not defined, it will deny all traffic, which means nothing is matched by this class and thus nothing is policed.


You can remove the "match any" statement from the class as well, as it does not change anything.


Hope this helps! Please use the rating system.


Regards,

Martin


Giuseppe Larosa Fri, 10/17/2008 - 04:01
(Super Silver, 17500 points or more; Hall of Fame, Founding Member)

Hello Muggalla,


In the access-list referenced by "match access-group name system-cpp-lldp" you need to define filters that match the LLDP protocol to have a chance to control this type of traffic.


Second note:

I think you are lucky that nothing matches: a CIR of 32000 bps for all these signaling protocols is simply too low. Discarding STP frames, for example, is not a good idea; it can cause instability, and the same goes for RIP or OSPF if they are used.

conform-action drop, exceed-action drop: so actually it should drop everything that matches.

Here either everything is in class-default, or the definition of the filter for LLDP is not correct.


Hope to help

Giuseppe




balajee Sat, 10/18/2008 - 02:10
Hi,

Thanks for the replies. How do I define access-lists to match LLDP traffic? Can you guys help me?


Thanks,

Balajee

Giuseppe Larosa Sat, 10/18/2008 - 08:51
(Super Silver, 17500 points or more; Hall of Fame, Founding Member)

Hello Balajee,

LLDP is a standard protocol that works at OSI layer 2 and performs the neighbor discovery process, as CDP (Cisco proprietary) does.


To be able to match LLDP frames you need to define:

a) First option: a MAC-address access-list that matches destination MAC 01-80-C2-00-00-0E; this multicast address is reserved for LLDP.

OR

b) You can match the ethertype used by LLDP (but this is not supported on all switch platforms).

LLDP has a dedicated ethertype: 88-CC.


I got this info from


http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html


What platform are you using, and with which IOS code?


Hope to help

Giuseppe
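The MAC-ACL option (a) from the answer above, written out as an added example; this is not configuration posted in the thread. It assumes Catalyst-style IOS syntax for "mac access-list extended" and the control-plane service-policy, which should be checked against the actual platform and IOS version (the thread never identifies them), and it changes the policer so that conforming LLDP frames are forwarded and only the excess is dropped.

```cisco
! Added example (not from the thread): classify LLDP by its reserved
! destination MAC 01-80-C2-00-00-0E, as described in the answer above.
! Syntax assumed to be Catalyst IOS; verify on your platform.
mac access-list extended system-cpp-lldp
 permit any host 0180.c200.000e
!
! One class, one defined ACL. The dangling "match access-group name
! system-cpp-" and the redundant "match any" from the original post are
! left out: with match-all, an undefined ACL matches nothing, so the
! class never fires and nothing is policed.
class-map match-all system-cpp-lldp
 match access-group name system-cpp-lldp
!
! Rate-limit rather than blackhole: conforming frames are transmitted to
! the CPU and only traffic above the CIR is dropped. The original used
! conform-action drop, which discards every matched frame as soon as the
! ACL actually starts matching.
policy-map system-cpp-policy
 class system-cpp-lldp
  police cir 32000 bc 1000 conform-action transmit exceed-action drop
 class class-default
!
control-plane
 service-policy input system-cpp-policy
!
! Verification (assumed commands): the class counters should increase as
! LLDP frames arrive from neighbors, and the drop counter should stay at
! zero while the rate is below the CIR.
! show policy-map control-plane input class system-cpp-lldp
! show access-lists system-cpp-lldp
```

If the class counter stays at zero with LLDP neighbors present, the platform is probably not classifying non-IP frames with this ACL type, which is the point at which option (b), the 0x88CC ethertype, becomes the thing to check.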

