By default, the switches will negotiate an ISL trunk and in this type of trunk you only have STP BPDUs. Change it to Dot1Q and you will see the difference.

The ACLs should be:

permit any any lsap 0xAAAA 0x0
permit any any lsap 0x4242 0x0

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, 8 June 2011 11:02
To: Antonio Soares
Cc: Bruno; [email protected]
Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs

Great, that's a good debug command for this topic.

Ok, when would we see linktype SSTP and linktype IEEE_SPANNING is my next question. On a trunk port of a Cisco switch that connects to another Cisco switch, I see only IEEE STP BPDUs.

When I use a mac ACL as an access-group on switch L2 ports or with vlan access-groups, is it safe to always add the following:

permit any any 0xAAAA 0x0
permit any any lsap 0x4242 0x0

With regards
Kings

On Tue, Jun 7, 2011 at 11:48 PM, Antonio Soares <[email protected]> wrote:

If you are in the lab and you don't remember these things, just enable "debug spanning-tree bpdu receive" and you will see (example with dot1q trunk, 3 vlans):

*Mar 11 04:02:43.731: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype IEEE_SPANNING , enctype 2, encsize 17
*Mar 11 04:02:43.731: STP: enc 01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03
*Mar 11 04:02:43.731: STP: Data 000000000080010009E8CB62800000000080010009E8CB6280800D0000140002000F00
*Mar 11 04:02:43.735: STP: VLAN0001 Fa0/13:0000 00 00 00 80010009E8CB6280 00000000 80010009E8CB6280 800D 0000 1400 0200 0F00
*Mar 11 04:02:43.735: STP(1) port Fa0/13 supersedes 0
*Mar 11 04:02:45.435: STP: VLAN0010 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
*Mar 11 04:02:45.435: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
*Mar 11 04:02:45.435: STP: Data 0000000000800A0009E8CB628000000000800A0009E8CB6280800D0000140002000F00
*Mar 11 04:02:45.439: STP: VLAN0010 Fa0/13:0000 00 00 00 800A0009E8CB6280 00000000 800A0009E8CB6280 800D 0000 1400 0200 0F00
*Mar 11 04:02:45.439: STP(10) port Fa0/13 supersedes 0
*Mar 11 04:02:45.439: STP: VLAN0020 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
*Mar 11 04:02:45.439: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
*Mar 11 04:02:45.439: STP: Data 000000000080140009E8CB62800000000080140009E8CB6280800D0000140002000F00
*Mar 11 04:02:45.443: STP: VLAN0020 Fa0/13:0000 00 00 00 80140009E8CB6280 00000000 80140009E8CB6280 800D 0000 1400 0200 0F00
*Mar 11 04:02:45.443: STP(20) port Fa0/13 supersedes 0

STP-SNAP 0x4242 (lsap 0x4242 0x000)
PVST+-SNAP 0xAAAA (lsap 0xAAAA 0x000)

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, 7 June 2011 17:22
To: Bruno
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs

Do STP and PVST use EtherType? They use SNAP, isn't it?

With regards
Kings

On Tue, Jun 7, 2011 at 7:40 PM, Bruno <[email protected]> wrote:

Hey King,

STP and PVST should be matched on lsa type 0xaaaa if I am not mistaken. Ethertype should be 0x10b I think.

On Tue, Jun 7, 2011 at 8:57 AM, Kingsley Charles <[email protected]> wrote:

Hi all,

I am using VACLs to block ARP in vlan X using the following command. This is going to block all non-IP traffic including the STP BPDUs. What is needed to permit the STP BPDUs to prevent looping?

mac access-list extended king
 permit any any 0x0806
vlan access-map king
 match mac address
 action drop
vlan filter king vlan-list 123

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
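The whole thread turns on how a BPDU is encapsulated and therefore which "mac access-list extended" keyword matches it: IEEE STP is 802.3/LLC with DSAP/SSAP 0x42 0x42, PVST+ (linktype SSTP in the debug) is LLC/SNAP with DSAP/SSAP 0xAA 0xAA, Cisco OUI 00-00-0C and PID 0x010B, and neither has an EtherType, so an ARP-only ACL never sees them. The following Python is an added example, not code from the thread or from Cisco: it decodes the two "STP: enc" headers quoted in the debug output above plus a constructed ARP header, names the encapsulation the way the debug does, and runs a simplified model of the ACL entries from the thread over them. The ACL matching (wildcard-style mask, first match wins) is an assumption about IOS semantics, not a reproduction of it.

```python
"""Decode the Ethernet/LLC encapsulation of received BPDUs and check which
MAC ACL entry (ethertype or lsap match) each frame hits.

Added example; not code from the thread or from Cisco. The ACL matching
here is a simplified model of a Cisco 'mac access-list extended' entry and
is an assumption, not a reproduction of IOS behaviour.
"""

# Constructed input: the two "STP: enc ..." headers from the debug output in
# the thread (IEEE STP on VLAN 1, PVST+ on VLAN 10), plus a constructed
# Ethernet II ARP header (broadcast dst, same src MAC) for contrast.
IEEE_STP_ENC = bytes.fromhex("01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03")
PVST_ENC = bytes.fromhex("01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B")
ARP_ENC = bytes.fromhex("FF FF FF FF FF FF 00 09 E8 CB 62 8D 08 06")

# The ACL entries from the thread, one per line in Cisco syntax.
ACL = [
    "permit any any lsap 0xAAAA 0x0",   # PVST+ (LLC/SNAP)
    "permit any any lsap 0x4242 0x0",   # IEEE STP (LLC)
    "permit any any 0x0806 0x0",        # ARP by EtherType
]


def parse_enc(enc: bytes) -> dict:
    """Split a frame header into dst/src and either an EtherType (Ethernet II)
    or an LLC lsap (DSAP<<8 | SSAP) with the SNAP OUI/PID when present."""
    if len(enc) < 14:
        raise ValueError("header too short")
    info = {"dst": enc[0:6].hex(":"), "src": enc[6:12].hex(":")}
    type_or_len = int.from_bytes(enc[12:14], "big")
    if type_or_len >= 0x0600:
        # Ethernet II: the field is an EtherType and no LLC header follows.
        info["ethertype"] = type_or_len
        return info
    # IEEE 802.3: the field is a length; an LLC header (DSAP, SSAP, control) follows.
    if len(enc) < 17:
        raise ValueError("802.3 frame without LLC header")
    dsap, ssap = enc[14], enc[15]
    info["length"] = type_or_len
    info["lsap"] = (dsap << 8) | ssap
    if dsap == 0xAA and ssap == 0xAA and len(enc) >= 22:
        # SNAP: a 3-byte OUI and a 2-byte protocol id follow the control byte.
        info["snap_oui"] = enc[17:20].hex()
        info["snap_pid"] = int.from_bytes(enc[20:22], "big")
    return info


def classify_bpdu(info: dict) -> str:
    """Name the BPDU encapsulation the way 'debug spanning-tree bpdu receive' does."""
    if info.get("lsap") == 0x4242:
        return "IEEE_SPANNING"   # plain IEEE STP: LLC DSAP/SSAP 0x42
    if (info.get("lsap") == 0xAAAA and info.get("snap_oui") == "00000c"
            and info.get("snap_pid") == 0x010B):
        return "SSTP"            # PVST+: SNAP with Cisco OUI and PID 0x010B
    return "not a BPDU"


def parse_acl_entry(line: str):
    """Turn 'permit any any [lsap] VALUE MASK' into (action, field, value, mask)."""
    parts = line.split()
    action, rest = parts[0], parts[3:]
    if rest[0] == "lsap":
        return (action, "lsap", int(rest[1], 16), int(rest[2], 16))
    mask = int(rest[1], 16) if len(rest) > 1 else 0
    return (action, "ethertype", int(rest[0], 16), mask)


def first_matching_entry(acl: list, enc: bytes):
    """Return the first ACL line whose lsap/ethertype matches the frame, or None.
    Assumption: mask bits set to 1 are ignored (wildcard), 0x0 means exact match."""
    info = parse_enc(enc)
    for line in acl:
        _, field, value, mask = parse_acl_entry(line)
        got = info.get(field)
        if got is not None and (got & ~mask & 0xFFFF) == (value & ~mask & 0xFFFF):
            return line
    return None


if __name__ == "__main__":
    for name, enc in (("IEEE STP", IEEE_STP_ENC), ("PVST+", PVST_ENC), ("ARP", ARP_ENC)):
        info = parse_enc(enc)
        print(f"{name:9s} {classify_bpdu(info):14s} -> {first_matching_entry(ACL, enc)}")
```

Running it shows the point Antonio makes in the thread: the IEEE STP header only hits the "lsap 0x4242" entry, the PVST+ header only hits the "lsap 0xAAAA" entry, and the ARP header only hits the EtherType entry, so a mac ACL that matches nothing but 0x0806 leaves every BPDU for the implicit deny.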
