Typo, the ACEs are:

permit any any lsap 0xAAAA (PVST+ BPDU)
permit any any lsap 0x4242 (IEEE BPDU)

or

permit any any 0x010B (PVST+ BPDU)
permit any any lsap 0x4242 0x0 (IEEE BPDU)

On Wed, Jun 8, 2011 at 3:32 PM, Kingsley Charles <[email protected]> wrote:

> Great, that's a good debug command for this topic.
>
> Ok, when would we see *linktype SSTP* and *linktype IEEE_SPANNING*? That is my next question.
>
> On a trunk port of a Cisco switch that connects to another Cisco switch, I see only IEEE STP BPDUs.
>
> When I use a mac ACL as an access-group on switch L2 ports or with vlan access-groups, is it safe to always add the following:
>
> permit any any 0xAAAA 0x0
> permit any any lsap 0x4242 0x0
>
> With regards
> Kings
>
> On Tue, Jun 7, 2011 at 11:48 PM, Antonio Soares <[email protected]> wrote:
>
>> If you are in the lab and you don't remember these things, just enable "debug spanning-tree bpdu receive" and you will see (example with dot1q trunk, 3 vlans):
>>
>> *Mar 11 04:02:43.731: STP: *VLAN0001* rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , *linktype IEEE_SPANNING* , enctype 2, encsize 17
>> *Mar 11 04:02:43.731: STP: enc 01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 *42 42* 03
>> *Mar 11 04:02:43.731: STP: Data 000000000080010009E8CB62800000000080010009E8CB6280800D0000140002000F00
>> *Mar 11 04:02:43.735: STP: VLAN0001 Fa0/13:0000 00 00 00 80010009E8CB6280 00000000 80010009E8CB6280 800D 0000 1400 0200 0F00
>> *Mar 11 04:02:43.735: STP(1) port Fa0/13 supersedes 0
>>
>> *Mar 11 04:02:45.435: STP: *VLAN0010* rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , *linktype SSTP* , enctype 3, encsize 22
>> *Mar 11 04:02:45.435: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 *AA AA* 03 00 00 0C 01 0B
>> *Mar 11 04:02:45.435: STP: Data 0000000000800A0009E8CB628000000000800A0009E8CB6280800D0000140002000F00
>> *Mar 11 04:02:45.439: STP: VLAN0010 Fa0/13:0000 00 00 00 800A0009E8CB6280 00000000 800A0009E8CB6280 800D 0000 1400 0200 0F00
>> *Mar 11 04:02:45.439: STP(10) port Fa0/13 supersedes 0
>>
>> *Mar 11 04:02:45.439: STP: *VLAN0020* rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , *linktype SSTP* , enctype 3, encsize 22
>> *Mar 11 04:02:45.439: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 *AA AA* 03 00 00 0C 01 0B
>> *Mar 11 04:02:45.439: STP: Data 000000000080140009E8CB62800000000080140009E8CB6280800D0000140002000F00
>> *Mar 11 04:02:45.443: STP: VLAN0020 Fa0/13:0000 00 00 00 80140009E8CB6280 00000000 80140009E8CB6280 800D 0000 1400 0200 0F00
>> *Mar 11 04:02:45.443: STP(20) port Fa0/13 supersedes 0
>>
>> STP-SNAP 0x4242 (lsap 0x4242 0x000)
>> PVST+-SNAP 0xAAAA (lsap 0xAAAA 0x000)
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> [email protected]
>> http://www.ccie18473.net
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Tuesday, 7 June 2011 17:22
>> To: Bruno
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs
>>
>> Do STP and PVST use EtherType? They use SNAP, don't they?
>>
>> With regards
>> Kings
>>
>> On Tue, Jun 7, 2011 at 7:40 PM, Bruno <[email protected]> wrote:
>>
>> Hey King,
>>
>> STP and PVST should be matched on lsap type 0xaaaa if I am not mistaken. Ethertype should be 0x10b I think.
>>
>> On Tue, Jun 7, 2011 at 8:57 AM, Kingsley Charles <[email protected]> wrote:
>>
>> Hi all
>>
>> I am using VACLs to block ARP in vlan X using the following command. This is going to block all non-IP traffic including the STP BPDUs. What is needed to permit the STP BPDUs to prevent looping?
>>
>> mac access-list extended king
>>  permit any any 0x0806
>>
>> vlan access-map king
>>  match mac address
>>  action drop
>>
>> vlan filter king vlan-list 123
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
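To make the thread's conclusion concrete, here is an added Python model (not code from the list, its members, or Cisco) that decodes the `enc` bytes printed by `debug spanning-tree bpdu receive` and then evaluates them against a simplified MAC ACL / VACL. The two BPDU frames are the `enc` lines from Antonio's output; the ARP frame header is constructed. The `Ace` and `Frame` classes, the `vacl_verdict` helper and the rule that a type number is compared with a SNAP frame's protocol id are this example's own simplification of Catalyst MAC ACL matching, and the model only looks at the non-IP frames the thread discusses.

```python
"""Added example: classify BPDUs from `debug spanning-tree bpdu receive`
output and show which MAC ACL entries a VACL needs to let them through.
Not code from the mailing-list thread or from Cisco; the ACL/VACL
semantics below are a deliberate simplification."""
from dataclasses import dataclass
from typing import Optional

# `enc` byte strings copied from the debug output quoted in the thread.
IEEE_BPDU_ENC = "01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03"
PVST_BPDU_ENC = "01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B"
# Constructed Ethernet II header for an ARP broadcast (type 0x0806); not from the thread.
ARP_ENC = "FF FF FF FF FF FF 00 09 E8 CB 62 8D 08 06"


@dataclass
class Frame:
    dst: str
    src: str
    ethertype: Optional[int]   # set only for Ethernet II frames
    lsap: Optional[int]        # DSAP<<8 | SSAP for 802.3/LLC frames
    snap_oui: Optional[bytes]  # set only when LSAP is 0xAAAA (SNAP)
    snap_pid: Optional[int]

    @property
    def kind(self) -> str:
        if self.lsap == 0x4242:
            return "IEEE STP BPDU"
        if self.lsap == 0xAAAA and self.snap_oui == b"\x00\x00\x0c" and self.snap_pid == 0x010B:
            return "PVST+ (SSTP) BPDU"
        if self.ethertype == 0x0806:
            return "ARP"
        return "other"


def parse_frame(hex_bytes: str) -> Frame:
    """Decode dst/src MAC, then either an EtherType or an 802.3 length + LLC/SNAP header."""
    b = bytes.fromhex(hex_bytes.replace(" ", ""))
    dst, src = b[0:6].hex(":"), b[6:12].hex(":")
    length_or_type = int.from_bytes(b[12:14], "big")
    if length_or_type >= 0x0600:            # Ethernet II: a type, no LLC header
        return Frame(dst, src, length_or_type, None, None, None)
    lsap = (b[14] << 8) | b[15]              # 802.3 length, then DSAP/SSAP/control
    oui = pid = None
    if lsap == 0xAAAA:                       # SNAP: 3-byte OUI + 2-byte protocol id
        oui, pid = b[17:20], int.from_bytes(b[20:22], "big")
    return Frame(dst, src, None, lsap, oui, pid)


@dataclass
class Ace:
    """One `permit any any ...` entry of a `mac access-list extended` (simplified)."""
    value: int
    mask: int = 0          # set bits are "don't care", as in the IOS mask
    lsap: bool = False     # True for `lsap <value> <mask>`, False for a bare type number

    def matches(self, f: Frame) -> bool:
        if self.lsap:
            field = f.lsap
        else:
            # Assumption of this model: a bare type number is compared with the
            # EtherType of an Ethernet II frame or the SNAP protocol id of a SNAP frame,
            # which is why `permit any any 0x010B` in the thread can match PVST+.
            field = f.ethertype if f.ethertype is not None else f.snap_pid
        return field is not None and (field | self.mask) == (self.value | self.mask)


def acl_matches(aces, f: Frame) -> bool:
    return any(a.matches(f) for a in aces)


def vacl_verdict(sequences, f: Frame) -> str:
    """sequences: ordered (aces, action) pairs; anything unmatched is implicitly dropped."""
    for aces, action in sequences:
        if acl_matches(aces, f):
            return action
    return "drop (implicit)"


def vacl_verdicts(sequences) -> dict:
    frames = {"ieee": parse_frame(IEEE_BPDU_ENC),
              "pvst": parse_frame(PVST_BPDU_ENC),
              "arp": parse_frame(ARP_ENC)}
    return {name: vacl_verdict(sequences, f) for name, f in frames.items()}


# The access-map from the first message: one ARP-matching sequence with action drop,
# so both kinds of BPDU fall through to the implicit deny and the VLAN can loop.
ACL_KING = [Ace(0x0806)]
ORIGINAL_MAP = [(ACL_KING, "drop")]

# Corrected map: forward BPDUs (lsap 0x4242 and lsap 0xAAAA) first, then drop ARP.
ACL_BPDU = [Ace(0x4242, lsap=True), Ace(0xAAAA, lsap=True)]
FIXED_MAP = [(ACL_BPDU, "forward"), (ACL_KING, "drop")]

# Kingsley's proposed entries: 0xAAAA without the lsap keyword is a type number,
# which never equals the PVST+ SNAP protocol id 0x010B.
ACL_NO_LSAP = [Ace(0xAAAA), Ace(0x4242, lsap=True)]

if __name__ == "__main__":
    for name, enc in (("ieee", IEEE_BPDU_ENC), ("pvst", PVST_BPDU_ENC), ("arp", ARP_ENC)):
        print(name, parse_frame(enc).kind)
    print("original map:", vacl_verdicts(ORIGINAL_MAP))
    print("fixed map:   ", vacl_verdicts(FIXED_MAP))
```

Running it shows the original map dropping both BPDU types through the implicit deny, the fixed map forwarding them while still dropping ARP, and the `0xAAAA`-without-`lsap` entry failing to match PVST+ (while `0x010B` or `lsap 0xAAAA` does), which is exactly the correction at the top of the thread.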
