Cisco Support Community
New Member

control plane policing


I want to do control plane policing on LLDP pkts. I created the following config on the DUT, but it is not working. Can anybody suggest how to do this?

macro global description system-cpp
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
lldp run

class-map match-all system-cpp-cdp
 match access-group name system-cpp-cdp
class-map match-all system-cpp-pim
 match access-group name system-cpp-pim
class-map match-all system-cpp-bpdu-range
 match access-group name system-cpp-bpdu-range
class-map match-all system-cpp-dhcp-cs
 match access-group name system-cpp-dhcp-cs
class-map match-all system-cpp-dhcp-sc
 match access-group name system-cpp-dhcp-sc
class-map match-all system-cpp-all-systems-on-subnet
 match access-group name system-cpp-all-systems-on-subnet
class-map match-all system-cpp-all-routers-on-subnet
 match access-group name system-cpp-all-routers-on-subnet
class-map match-all system-cpp-ripv2
 match access-group name system-cpp-ripv2
class-map match-all system-cpp-dot1x
 match access-group name system-cpp-dot1x
class-map match-all system-cpp-dhcp-ss
 match access-group name system-cpp-dhcp-ss
class-map match-all system-cpp-sstp
 match access-group name system-cpp-sstp
class-map match-all system-cpp-ospf
 match access-group name system-cpp-ospf
class-map match-all system-cpp-lldp
 match access-group name system-cpp-
 match access-group name system-cpp-lldp
 match any
class-map match-all system-cpp-igmp
 match access-group name system-cpp-igmp
class-map match-all system-cpp-ip-mcast-linklocal
 match access-group name system-cpp-ip-mcast-linklocal

policy-map system-cpp-policy
 class system-cpp-dot1x
 class system-cpp-bpdu-range
 class system-cpp-cdp
 class system-cpp-sstp
 class system-cpp-ospf
 class system-cpp-igmp
 class system-cpp-pim
 class system-cpp-all-systems-on-subnet
 class system-cpp-all-routers-on-subnet
 class system-cpp-ripv2
 class system-cpp-ip-mcast-linklocal
 class system-cpp-dhcp-cs
 class system-cpp-dhcp-sc
 class system-cpp-dhcp-ss
 class system-cpp-lldp
  police cir 32000 bc 1000
   conform-action drop
   exceed-action drop
 class class-default


I applied the policy map in the control plane also. But it is not dropping LLDP pkts. Please let me know the solution. I am new to control plane policing.

Thanks in advance,


Cisco Employee

Re: control plane policing


Where are the access-lists?

You define a class to describe the traffic:

class-map match-all system-cpp-lldp
 match access-group name system-cpp-
 match access-group name system-cpp-lldp
 match any

If this is your config, then only traffic matching the ACLs system-cpp- and system-cpp-lldp at the same time is matched ("match-all"). If any of the ACLs is not defined, it will deny all traffic, which means nothing is matched by this class and thus not policed.

You can remove the "match any" statement from the class as well, as it does not change anything.

Hope this helps! Please use the rating system.



Hall of Fame Super Silver

Re: control plane policing

Hello Muggalla,

In the access-list referenced by "match access-group name system-cpp-lldp" you need to define filters that match the LLDP protocol to have a chance to control this type of traffic.

Second note:

I think you are lucky that nothing matches: a CIR of 32000 bps for all these signaling protocols is simply too low. Discarding STP frames, for example, is not a good idea; it can cause instability. The same goes for RIP or OSPF if they are used.

conform-action drop exceed-action drop, so actually it should drop everything but everything that matches.

Here everything is in class-default or the definition of the filter for LLDP is not correct.

Hope to help


New Member

Re: control plane policing


Thanks for the replies. How to define access-lists to match LLDP traffic? Can you guys help me?



Hall of Fame Super Silver

Re: control plane policing

Hello Balajee,

LLDP is a standard protocol that works at OSI layer 2 and performs the neighbor discovery process as CDP (Cisco proprietary) does.

To be able to match LLDP frames you need to define:

a) First option: a MAC-address access-list that matches destination MAC 01-80-C2-00-00-0E. This multicast address is reserved for LLDP.

b) You can match the ethertype used by LLDP (but this is not supported on all switch platforms).

LLDP has a dedicated ethertype: 88-CC.

I got this info from

What platform are you using, and with which IOS code?

Hope to help
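
Added example, not part of the thread and not Cisco code: a Python model of the two points made in the replies, showing that a match-all class referencing an undefined ACL never matches, and that an LLDP frame can be identified by destination MAC 01-80-C2-00-00-0E or ethertype 88-CC. The ACL table, the name lldp-by-ethertype, the 802.1Q tag handling and the sample frames are assumptions constructed for illustration.

```python
import struct

LLDP_DST_MAC = bytes.fromhex("0180c200000e")  # 01-80-C2-00-00-0E, from the thread
LLDP_ETHERTYPE = 0x88CC                       # 88-CC, from the thread
VLAN_TPID = 0x8100  # assumption: skip one 802.1Q tag if a frame carries it


def parse_ethernet(frame):
    """Return (dst_mac, src_mac, ethertype) from raw Ethernet bytes."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == VLAN_TPID:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[16:18])
    return dst, src, etype


# Hypothetical ACL table: name -> predicate over the parsed header fields.
ACLS = {
    "system-cpp-lldp": lambda dst, src, etype: dst == LLDP_DST_MAC,         # option (a)
    "lldp-by-ethertype": lambda dst, src, etype: etype == LLDP_ETHERTYPE,  # option (b)
}


def class_matches(acl_names, frame, acls=ACLS):
    """match-all semantics: every referenced ACL must permit the frame.
    An ACL name with no definition matches nothing (per the first reply)."""
    fields = parse_ethernet(frame)
    return all(name in acls and acls[name](*fields) for name in acl_names)


def build_frame(dst_hex, type_or_len, tagged=False):
    """Build a constructed test frame with a locally administered source MAC."""
    src = bytes.fromhex("020000000001")
    tag = struct.pack("!HH", VLAN_TPID, 1) if tagged else b""
    return bytes.fromhex(dst_hex) + src + tag + struct.pack("!H", type_or_len) + b"\x00" * 46


LLDP_FRAME = build_frame("0180c200000e", 0x88CC)
BPDU_FRAME = build_frame("0180c2000000", 0x0026)  # 802.3 length field, not an ethertype

if __name__ == "__main__":
    print("class as posted :", class_matches(["system-cpp-", "system-cpp-lldp"], LLDP_FRAME))
    print("single LLDP ACL :", class_matches(["system-cpp-lldp"], LLDP_FRAME))
    print("BPDU vs LLDP ACL:", class_matches(["system-cpp-lldp"], BPDU_FRAME))
```

The class as posted returns no match for a genuine LLDP frame because system-cpp- has no definition, while a class referencing only a defined LLDP ACL matches LLDP and leaves the BPDU frame alone.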

