cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
853
Views
4
Helpful
4
Replies

control plane policing

balajee
Level 1
Level 1

Hi,

I want to do control plane policing on lldp pkts. I created the following config on dut. But it is not working. Can anybody suggest me on how to do this?

macro global description system-cpp

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

lldp run

!

!

class-map match-all system-cpp-cdp

match access-group name system-cpp-cdp

class-map match-all system-cpp-pim

match access-group name system-cpp-pim

class-map match-all system-cpp-bpdu-range

match access-group name system-cpp-bpdu-range

class-map match-all system-cpp-dhcp-cs

match access-group name system-cpp-dhcp-cs

class-map match-all system-cpp-dhcp-sc

match access-group name system-cpp-dhcp-sc

class-map match-all system-cpp-all-systems-on-subnet

match access-group name system-cpp-all-systems-on-subnet

class-map match-all system-cpp-all-routers-on-subnet

match access-group name system-cpp-all-routers-on-subnet

class-map match-all system-cpp-ripv2

match access-group name system-cpp-ripv2

class-map match-all system-cpp-dot1x

match access-group name system-cpp-dot1x

class-map match-all system-cpp-dhcp-ss

match access-group name system-cpp-dhcp-ss

class-map match-all system-cpp-sstp

match access-group name system-cpp-sstp

class-map match-all system-cpp-ospf

match access-group name system-cpp-ospf

class-map match-all system-cpp-lldp

match access-group name system-cpp-

match access-group name system-cpp-lldp

match any

class-map match-all system-cpp-igmp

match access-group name system-cpp-igmp

class-map match-all system-cpp-ip-mcast-linklocal

match access-group name system-cpp-ip-mcast-linklocal

!

!

policy-map system-cpp-policy

class system-cpp-dot1x

class system-cpp-bpdu-range

class system-cpp-cdp

class system-cpp-sstp

class system-cpp-ospf

class system-cpp-igmp

class system-cpp-pim

class system-cpp-all-systems-on-subnet

class system-cpp-all-routers-on-subnet

class system-cpp-ripv2

class system-cpp-ip-mcast-linklocal

class system-cpp-dhcp-cs

class system-cpp-dhcp-sc

class system-cpp-dhcp-ss

class system-cpp-lldp

police cir 32000 bc 1000

conform-action drop

exceed-action drop

class class-default

!

I applied the policy map in the control plane also. But is is not droping lldp pkts. Please let me know the soluting. I m new to control plane polcing.

Thanks in advance,

Balajee

4 Replies 4

mheusing
Cisco Employee
Cisco Employee

Hi,

Where are the access-lists?

You define a class to describe the traffic:

class-map match-all system-cpp-lldp

match access-group name system-cpp-

match access-group name system-cpp-lldp

match any

If this is your config, then only traffic matching the ACL system-cpp- and system-cpp-lldp at the same time ("match-all"). If any of the ACLs is not defined, it will deny all traffic, which means nothing is matched by this class and thus not policed.

You can remove the "match any" statement from the class s well, as it does not change anything.

Hope this helps! Please use the rating system.

Regards,

Martin

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Muggalla,

in the access-list match access-group name system-cpp-lldp you need to define filters that match the LLDP protocol to have a chance to control this type of traffic

Second note:

I think you are lucky that nothing matches a CIR of 32000 bps for all these signaling protocols is simply too low: discarding STP frames for example is not a good idea it can cause instability the same for RIP or OSPF if they are used.

conform-action drop execeed-action drop so actually it should drop everything but everything that matches.

Here everything is in class-default or the definition of the filter for LLDP is not correct.

Hope to help

Giuseppe

Hi,

Thanks for the replies. How to define access-lists to match lldp traffic? Can you guys help me ?

Thanks,

Balajee

Hello Balajee,

LLDP is a standard protocol that works at OSI layer 2 and performs the neighbor discovery process as CDP (cisco proprietary) does

to be able to match LLDP frames you need to define:

a) first option a MAC-address access-list that matches destination MAC 01-80-C2-00-00-0E this multicast address is reserved to LLDP

OR

b) you can match the ethertype (but this is not supported on all switches platforms) used by LLDP

LLDP has a dedicated ethertype: 88-CC.

I got this info from

http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

What platform are using and with which IOS code ?

Hope to help

Giuseppe

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco