Cisco S45IPBK9-12231SG= User Manual
© 2006 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 2 of 9
Control Plane Policing
Control plane policing provides a unified solution to rate limit CPU-bound control plane traffic in hardware. It enables users to install systemwide control plane access-control lists (ACLs) that protect the CPU by rate limiting or filtering out malicious denial-of-service (DoS) attacks. Control plane policing helps ensure network stability, availability, and packet forwarding: it prevents network outages such as loss of protocol updates, even during an attack or heavy load on the switch. Hardware-based control plane policing is available for all shipping Cisco Catalyst 4500 supervisor engines. It supports various Layer 2 and Layer 3 control protocols, such as Cisco Discovery Protocol (CDP), Extensible Authentication Protocol over LAN (EAPOL), Spanning Tree Protocol, Dynamic Trunking Protocol (DTP), VLAN Trunking Protocol (VTP), Internet Control Message Protocol (ICMP), Cisco Group Management Protocol (CGMP), Internet Group Management Protocol (IGMP), Dynamic Host Configuration Protocol (DHCP), Routing Information Protocol Version 2 (RIPv2), OSPF, Protocol Independent Multicast (PIM), Telnet, Simple Network Management Protocol (SNMP), HTTP, and packets destined to the 224.0.0.* link-local multicast addresses. Predefined system policies or user-configurable policies can be applied to those control protocols. A staged approach is recommended for implementing control plane policing, starting by understanding the control-plane traffic profile of the network before any rate limits are enforced.
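The staged approach above, shown as an added configuration example that is not from the original page: stage 1 classifies CPU-bound traffic without policing so the real rates can be observed, and stage 2 adds the rate limits. It uses generic Cisco IOS MQC syntax; the ACL, class and policy names and the rates are assumptions, and the exact police keyword format and predefined system class names differ between Catalyst 4500 supervisor engines, so confirm them against the platform configuration guide.

```cisco
! Added example (not from the original page). Names and rates are
! assumptions; police syntax varies by supervisor engine.
!
! --- Stage 1: classify only, no police action, to learn the profile ---
ip access-list extended CPP-ICMP
 permit icmp any any
ip access-list extended CPP-LINKLOCAL-MCAST
 permit ip any 224.0.0.0 0.0.0.255
ip access-list extended CPP-MGMT
 permit tcp any any eq telnet
 permit udp any any eq snmp
 permit tcp any any eq www
!
class-map match-all CPP-ICMP
 match access-group name CPP-ICMP
class-map match-all CPP-LINKLOCAL-MCAST
 match access-group name CPP-LINKLOCAL-MCAST
class-map match-all CPP-MGMT
 match access-group name CPP-MGMT
!
policy-map CPP-POLICY
 class CPP-ICMP
 class CPP-LINKLOCAL-MCAST
 class CPP-MGMT
!
control-plane
 service-policy input CPP-POLICY
!
! Record the per-class packet counters over a representative period
! (include maintenance and backup windows) before choosing any limit:
!   show policy-map control-plane input
!
! --- Stage 2: add police actions sized from the observed rates ---
! Size the link-local multicast class generously: it carries routing
! protocol hellos (OSPF, RIPv2, PIM), and dropping those is the outage
! control plane policing exists to prevent.
policy-map CPP-POLICY
 class CPP-ICMP
  police 32000 1500 conform-action transmit exceed-action drop
 class CPP-MGMT
  police 64000 3000 conform-action transmit exceed-action drop
 class CPP-LINKLOCAL-MCAST
  police 256000 12000 conform-action transmit exceed-action drop
```

After stage 2, the same show command reports conformed and exceeded counters per class, which is the signal that a limit is too tight or that a DoS burst is being dropped as intended.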
Web Content Communication Protocol Version 2 Layer 2 Redirection
Web Content Communication Protocol (WCCP) Version 2 Layer 2 redirection enables a Cisco Catalyst 4500 to transparently redirect content requests to directly connected content engines using a Layer 2/MAC address rewrite. WCCPv2 Layer 2 redirection is accelerated in the switching hardware and is therefore more efficient than Layer 3 redirection using Generic Routing Encapsulation (GRE). The content engines in a cache cluster transparently store frequently accessed content and then fulfill successive requests for the same content, eliminating repetitive transmissions of identical content from the original content servers. WCCPv2 Layer 2 redirection supports the transparent redirection of HTTP and non-HTTP traffic with well-known ports or dynamic services, such as Web caching, HTTPS caching, File Transfer Protocol (FTP) caching, proxy caching, media caching, and streaming services. It is typically deployed for transparent caching at the network edge, such as regional or branch sites. WCCPv2 Layer 2 redirection cannot be enabled on the same input interface as Policy-Based Routing (PBR) or Virtual Route Forwarding (VRF)-lite. ACL-based classification for Layer 2 redirection is not supported.
MAC Authentication Bypass
MAC authentication bypass is an enhancement to Cisco Network Admission Control (NAC 2.0) Layer 2 802.1x. It provides network access to agentless devices without 802.1x supplicant capabilities, such as printers. Upon detecting a new MAC address on a switch port, the switch will proxy an 802.1x authentication request based on the device's MAC address. A database of MAC addresses is maintained by the RADIUS server for such devices. The device's network access is either granted or denied by the RADIUS server and is enforced by the switch. Per-port reauthentication of MAC addresses is also supported. MAC authentication bypass is typically deployed on switch ports connected to managed agentless devices without the 802.1x supplicant functionality.
802.1x Inaccessible Authentication Bypass
802.1x inaccessible authentication bypass is an enhancement to Cisco NAC 2.0 Layer 2 802.1x. In the event that the authentication, authorization, and accounting (AAA) servers are unreachable or nonresponsive, 802.1x user authentication typically fails with the port closed, and the user is denied access. 802.1x inaccessible authentication bypass provides a configurable alternative on the switch to grant a critical port network access in a locally specified VLAN. After the AAA servers become reachable again, those ports will either remain critically authorized or be reinitialized. 802.1x inaccessible authentication bypass can be enabled on a per-port basis for access ports, private VLAN host ports, or routed ports. 802.1x inaccessible authentication bypass is typically enabled on ports connected to critical devices, minimizing business impact for the duration of the AAA server outage.