10-17-2008 02:55 AM - edited 03-03-2019 11:58 PM
Hi,
I want to do control plane policing on lldp pkts. I created the following config on dut. But it is not working. Can anybody suggest to me how to do this?
macro global description system-cpp
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
lldp run
!
!
class-map match-all system-cpp-cdp
match access-group name system-cpp-cdp
class-map match-all system-cpp-pim
match access-group name system-cpp-pim
class-map match-all system-cpp-bpdu-range
match access-group name system-cpp-bpdu-range
class-map match-all system-cpp-dhcp-cs
match access-group name system-cpp-dhcp-cs
class-map match-all system-cpp-dhcp-sc
match access-group name system-cpp-dhcp-sc
class-map match-all system-cpp-all-systems-on-subnet
match access-group name system-cpp-all-systems-on-subnet
class-map match-all system-cpp-all-routers-on-subnet
match access-group name system-cpp-all-routers-on-subnet
class-map match-all system-cpp-ripv2
match access-group name system-cpp-ripv2
class-map match-all system-cpp-dot1x
match access-group name system-cpp-dot1x
class-map match-all system-cpp-dhcp-ss
match access-group name system-cpp-dhcp-ss
class-map match-all system-cpp-sstp
match access-group name system-cpp-sstp
class-map match-all system-cpp-ospf
match access-group name system-cpp-ospf
class-map match-all system-cpp-lldp
match access-group name system-cpp-
match access-group name system-cpp-lldp
match any
class-map match-all system-cpp-igmp
match access-group name system-cpp-igmp
class-map match-all system-cpp-ip-mcast-linklocal
match access-group name system-cpp-ip-mcast-linklocal
!
!
policy-map system-cpp-policy
class system-cpp-dot1x
class system-cpp-bpdu-range
class system-cpp-cdp
class system-cpp-sstp
class system-cpp-ospf
class system-cpp-igmp
class system-cpp-pim
class system-cpp-all-systems-on-subnet
class system-cpp-all-routers-on-subnet
class system-cpp-ripv2
class system-cpp-ip-mcast-linklocal
class system-cpp-dhcp-cs
class system-cpp-dhcp-sc
class system-cpp-dhcp-ss
class system-cpp-lldp
police cir 32000 bc 1000
conform-action drop
exceed-action drop
class class-default
!
I applied the policy map in the control plane also. But it is not dropping lldp pkts. Please let me know the solution. I'm new to control plane policing.
Thanks in advance,
Balajee
10-17-2008 03:36 AM
Hi,
Where are the access-lists?
You define a class to describe the traffic:
class-map match-all system-cpp-lldp
match access-group name system-cpp-
match access-group name system-cpp-lldp
match any
If this is your config, then only traffic matching both the ACL system-cpp- and system-cpp-lldp at the same time ("match-all") is matched. If any of the ACLs is not defined, it will deny all traffic, which means nothing is matched by this class and thus not policed.
You can remove the "match any" statement from the class as well, as it does not change anything.
Hope this helps! Please use the rating system.
Regards,
Martin
10-17-2008 04:01 AM
Hello Muggalla,
In the access-list "match access-group name system-cpp-lldp" you need to define filters that match the LLDP protocol to have a chance to control this type of traffic.
Second note:
I think you are lucky that nothing matches: a CIR of 32000 bps for all these signaling protocols is simply too low. Discarding STP frames, for example, is not a good idea; it can cause instability. The same for RIP or OSPF if they are used.
conform-action drop, exceed-action drop, so actually it should drop everything, but everything that matches.
Here everything is in class-default, or the definition of the filter for LLDP is not correct.
Hope to help
Giuseppe
10-18-2008 02:10 AM
Hi,
Thanks for the replies. How to define access-lists to match lldp traffic? Can you guys help me ?
Thanks,
Balajee
10-18-2008 08:51 AM
Hello Balajee,
LLDP is a standard protocol that works at OSI layer 2 and performs the neighbor discovery process as CDP (Cisco proprietary) does.
To be able to match LLDP frames you need to define:
a) first option: a MAC-address access-list that matches destination MAC 01-80-C2-00-00-0E; this multicast address is reserved for LLDP
OR
b) you can match the ethertype used by LLDP (but this is not supported on all switch platforms).
LLDP has a dedicated ethertype: 88-CC.
I got this info from
http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html
What platform are you using and with which IOS code?
Hope to help
Giuseppe
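The two replies above describe the classification rules in words: Martin's point that a "match-all" class referencing an undefined ACL can never match, and Giuseppe's two ways of identifying LLDP frames (destination MAC 01-80-C2-00-00-0E or EtherType 0x88CC). The following Python script is an added example, not code from this thread or from Cisco, that models both points against constructed sample frames so the behaviour of the posted config can be checked offline. The function names (acl_lldp_by_mac, acl_lldp_by_ethertype, class_matches, copp_action, build_frame) and the sample frames are this example's own assumptions; it also goes slightly beyond the thread by skipping an 802.1Q tag before reading the EtherType, so a tagged LLDP frame is still recognised by option (b).

```python
"""Model of how a control-plane class would pick out LLDP frames.

Added example (not Cisco code, not from the thread). Option (a) matches the
LLDP multicast destination MAC, option (b) the LLDP EtherType; class_matches
reproduces "match-all" semantics including the undefined-ACL case.
"""
import struct
from typing import Callable, Dict, List, Optional

# Values from Giuseppe's reply: LLDP multicast MAC and EtherType.
LLDP_MCAST_MAC = bytes.fromhex("0180c200000e")
LLDP_ETHERTYPE = 0x88CC
DOT1Q_TPID = 0x8100

Acl = Callable[[bytes], bool]  # an ACL is modelled as a permit/deny predicate


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype_or_length) for an Ethernet frame,
    skipping any 802.1Q tags so a tagged LLDP frame still shows 0x88CC."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    while etype == DOT1Q_TPID:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        offset += 4
    return dst, src, etype


def acl_lldp_by_mac(frame: bytes) -> bool:
    """Option (a): permit frames whose destination is the LLDP multicast MAC."""
    return parse_ethernet(frame)[0] == LLDP_MCAST_MAC


def acl_lldp_by_ethertype(frame: bytes) -> bool:
    """Option (b): permit frames carrying the LLDP EtherType (0x88CC)."""
    return parse_ethernet(frame)[2] == LLDP_ETHERTYPE


def class_matches(frame: bytes, acl_names: List[str], acls: Dict[str, Acl]) -> bool:
    """'match-all' semantics: every referenced ACL must be defined and permit
    the frame. A referenced ACL that does not exist permits nothing, so the
    class can never match (Martin's diagnosis of the posted config)."""
    for name in acl_names:
        acl = acls.get(name)
        if acl is None or not acl(frame):
            return False
    return True


def copp_action(frame: bytes, acl_names: List[str], acls: Dict[str, Acl]) -> str:
    """With 'conform-action drop' and 'exceed-action drop', anything the class
    matches is dropped regardless of rate; everything else falls through to
    class-default and reaches the control plane unpoliced."""
    return "drop" if class_matches(frame, acl_names, acls) else "class-default"


def build_frame(dst: str, src: str, etype: int, payload: bytes = b"",
                vlan: Optional[int] = None) -> bytes:
    """Construct a minimal Ethernet frame (sample data, not captured traffic)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", DOT1Q_TPID, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample frames (source MAC and payloads are arbitrary).
LLDP_FRAME = build_frame("0180c200000e", "001122334455", LLDP_ETHERTYPE, b"\x02\x07")
LLDP_TAGGED_FRAME = build_frame("0180c200000e", "001122334455", LLDP_ETHERTYPE, b"\x02\x07", vlan=10)
CDP_FRAME = build_frame("01000ccccccc", "001122334455", 0x0040, b"\xaa\xaa\x03")  # 802.3 length + LLC/SNAP
IPV4_FRAME = build_frame("000000000001", "001122334455", 0x0800, b"\x45\x00")

ACLS: Dict[str, Acl] = {"system-cpp-lldp": acl_lldp_by_mac}
BROKEN_CLASS = ["system-cpp-", "system-cpp-lldp"]  # as posted: first ACL undefined
FIXED_CLASS = ["system-cpp-lldp"]                   # only the defined LLDP ACL

if __name__ == "__main__":
    samples = [("lldp", LLDP_FRAME), ("lldp tagged", LLDP_TAGGED_FRAME),
               ("cdp", CDP_FRAME), ("ipv4", IPV4_FRAME)]
    for label, f in samples:
        print(f"{label:12} posted={copp_action(f, BROKEN_CLASS, ACLS):14} "
              f"fixed={copp_action(f, FIXED_CLASS, ACLS)}")
```

Running the script shows that with the posted class (one referenced ACL undefined) every frame, LLDP included, lands in class-default, while the single-ACL class drops only the LLDP frames and leaves CDP and IPv4 untouched. Whether a real switch can express option (b) as an EtherType match depends on the platform, as Giuseppe notes; the MAC-based option (a) is the portable one.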