Configuring Control Plane Security on the Cisco ME3400
The Cisco ME3400 acts as an access switch for the Metro Ethernet environment where
users are connected to the access switch ports, and the uplink ports connect the switch to
the Metro Ethernet backbone infrastructure. In this type of environment, users cannot be
trusted, and direct traffic between user switch ports should not be allowed in most cases.
To secure the switch in this type of environment, it's important to understand the concepts
of User-Network Interface (UNI) and Network Node Interface (NNI):
• UNI port. Connected to a single customer. By default, network protocol traffic (CDP,
STP, VTP, and so on) and traffic destined to the switch MAC address are usually not
needed and are dropped. Depending on the configuration, other control traffic
(802.1X, IGMP, and others) is automatically rate-limited or dropped.
• NNI port. Has no restrictions; all network traffic is allowed.
Example 13-2 Displaying MLS QoS Status (IOS 12.2(18)SXF)
C6500#sh mls qos
QoS is enabled globally
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
Total packets: 743500
IP shortcut packets: 0
Packets dropped by policing: 740409
IP packets with TOS changed by policing: 24
IP packets with COS changed by policing: 0
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
204 Chapter 13: Control Plane Policing
Figure 13-4 shows how control plane security is implemented for a UNI port.
Figure 13-4 ME3400 Control Plane Security for a UNI Port
The default configuration of the switch assigns the uplink ports the role of NNI ports. All
other ports are considered UNI ports.
By default, a UNI port rate-limits keepalive and IGMP packets from the user toward the
switch and blocks all other control plane packets.
To see the policers assigned to a UNI port, use the command shown in Example 13-3.
Example 13-3 Showing the Policers Assigned to Port fastEthernet 0/1 (IOS 12.2(25)SEG1)
c3400#sh platform policer cpu interface fastEthernet 0/1
Policers assigned for CPU protection
===================================================================
Feature                 Policer  Physical  Asic
                        Index    Policer   Num
===================================================================
Fa0/1
STP                     1        26        0
LACP                    2        26        0
8021X                   3        26        0
RSVD_STP                4        26        0
PVST_PLUS               5        26        0
CDP                     6        26        0
DTP                     7        26        0
UDLD                    8        26        0
PAGP                    9        26        0
VTP                     10       26        0
CISCO_L2                11       26        0
KEEPALIVE               12       0         0
CFM                     13       255       0
SWITCH_MAC              14       26        0
SWITCH_ROUTER_MAC       15       26        0
SWITCH_IGMP             16       0         0
SWITCH_L2PT             17       26        0
[Figure 13-4 labels: UNI Port; CPU and Control Plane; Egress Queues; Drop. Control traffic that is required at the input of UNI ports is rate-limited to normal or typical rates for control traffic. Specific control traffic can be "tunneled" through the switch. Control traffic that is not required at the input of UNI ports is dropped.]
Implementing Hardware-Based CoPP 205
Policer number 26 is a global policer that drops all traffic. Policer number 0 is assigned to
this specific port and rate-limits all keepalives, IGMP traffic, and other traffic destined
directly to the switch. The value 255 (used for a policer) specifies that no policer has been
assigned for the specific protocol.
To see the rate-limit value assigned to the policer, use this command:
c3400#show policer cpu uni rate
CPU UNI port police rate = 8000 bps
All policers use the same rate-limit value and are configured as follows:
c3400#conf t
c3400(config)#policer cpu uni 8000
When a specific feature is activated, rate limiters are assigned to a protocol. For example,
if 802.1X is activated on a port, the switch automatically assigns a rate limiter to all 802.1X
traffic received on the port, as Example 13-4 shows.
By looking at the output from the show platform policer command, you see that policer 0
now rate-limits all 802.1X traffic on the port.
Example 13-4 Activating 802.1x on Port fastEthernet 0/1
c3400#conf t
c3400(config)#int fastEthernet 0/1
c3400(config-if)#dot1x port-control auto
c3400#sh platform policer cpu interface fastEthernet 0/1
Policers assigned for CPU protection
===================================================================
Feature                 Policer  Physical  Asic
                        Index    Policer   Num
===================================================================
Fa0/1
STP                     1        26        0
LACP                    2        26        0
8021X                   3        0         0
RSVD_STP                4        26        0
PVST_PLUS               5        26        0
CDP                     6        26        0
DTP                     7        26        0
UDLD                    8        26        0
PAGP                    9        26        0
VTP                     10       26        0
CISCO_L2                11       26        0
KEEPALIVE               12       0         0
CFM                     13       255       0
SWITCH_MAC              14       26        0
SWITCH_ROUTER_MAC       15       26        0
SWITCH_IGMP             16       0         0
SWITCH_L2PT             17       26        0
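The comparison between Examples 13-3 and 13-4 can be automated for auditing a UNI port. The following Python sketch is an added example, not part of the original text or any Cisco tool: it parses the policer table, classifies each feature using the policer numbers explained above (26 and 255), and reports what changed between two captures. The function names are hypothetical, the sample rows are abridged from the two examples, and treating any other policer number as the port's rate limiter is an assumption.

```python
import re

DROP_POLICER = 26   # per the text: global policer that drops all traffic
NO_POLICER = 255    # per the text: no policer assigned to the protocol

# Row layout: feature name, policer index, physical policer, ASIC number
ROW = re.compile(r"^\s*([A-Z0-9_]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_policers(output):
    """Map feature name -> physical policer number; headers are skipped."""
    table = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = int(m.group(3))
    return table

def classify(policer):
    if policer == DROP_POLICER:
        return "drop"
    if policer == NO_POLICER:
        return "unpoliced"
    # Assumption: any other number is the port's rate-limiting policer
    return "rate-limited"

def punted(table):
    """Features whose traffic is not dropped by the global drop policer."""
    return sorted(f for f, p in table.items() if classify(p) != "drop")

def diff(before, after):
    """Features whose treatment changed between two captures."""
    return {f: (classify(before[f]), classify(after[f]))
            for f in before
            if f in after and classify(before[f]) != classify(after[f])}

# Constructed samples: abridged rows from Examples 13-3 and 13-4
BEFORE = """\
Fa0/1
STP 1 26 0
8021X 3 26 0
CDP 6 26 0
KEEPALIVE 12 0 0
CFM 13 255 0
SWITCH_IGMP 16 0 0
"""
AFTER = BEFORE.replace("8021X 3 26 0", "8021X 3 0 0")

if __name__ == "__main__":
    print(punted(parse_policers(BEFORE)))
    print(diff(parse_policers(BEFORE), parse_policers(AFTER)))
```

Run against a saved baseline, the diff shows which features started or stopped being accepted on a port after a configuration change.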
To monitor traffic dropped by the policers, use the show policer cpu uni drop command,
as Example 13-5 shows.
Example 13-5 Displaying the Number of Frames Dropped by a Policer
c3400#sh policer cpu uni drop
=========================================
Port     In       Dropped
Name     Frames   Frames
Fa0/1    484      183857
Example 13-5 shows that the rate limiter on port fastEthernet 0/1 has been dropping a large
number of packets. To look closely at what was dropped, use the command shown in
Example 13-6.
Example 13-6 Displaying Traffic Dropped by the Policers on Port fastEthernet 0/1
c3400#sh policer cpu uni drop interface fastEthernet 0/1
============================
Policer assigned for Fa0/1
============================
Protocols using this policer:
“CDP” “CISCO_L2” “KEEPALIVE” “SWITCH_ROUTER_MAC” “SWITCH_IGMP”
“SWITCH_L2PT”
Policer rate: 8000 bps
In frames: 484
Dropped frames: 183857
Configuring control plane security on the ME3400 is, therefore, mostly covered by the
default configuration.