I do see PVST+ SSTP now :-) I will put my understanding.

IEEE STP BPDUs (use 802.3 with 802.2) are sent on vlan 1 on trunk ports (802.1q) irrespective of whether it is the native or non-native vlan. They can be matched using "permit any any lsap 0x4242 0x0".

PVST+ BPDUs (use 802.3 with SNAP) are sent on the other vlans, excluding vlan 1, on trunk ports (802.1q). They can be matched using "permit any any lsap 0xAAAA 0x0" or "permit any any 0x010B 0x0".

On ISL, IEEE STP BPDUs (use 802.3 with 802.2) are tagged with the ISL header and can be matched with "permit any any lsap 0x4242 0x0".

Please let me know your thoughts.

With regards
Kings

On Wed, Jun 8, 2011 at 4:09 PM, Kingsley Charles <[email protected]> wrote:
> I am using 802.1q not ISL.
>
> Can you let me know your thoughts on the following statements:
>
> - IEEE STP BPDUs should be seen on vlan 1 configured as the native vlan and on access ports only.
> - PVST+ BPDUs should be seen on vlans of the trunk other than vlan 1.
>
> With regards
> Kings
>
> On Wed, Jun 8, 2011 at 3:50 PM, Antonio Soares <[email protected]> wrote:
>
>> By default, the switches will negotiate an ISL trunk and in this type of trunk you only have STP BPDUs. Change it to Dot1Q and you will see the difference.
>>
>> The ACLs should be:
>>
>> permit any any lsap 0xAAAA 0x0
>> permit any any lsap 0x4242 0x0
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> [email protected]
>> http://www.ccie18473.net
>>
>> From: Kingsley Charles [mailto:[email protected]]
>> Sent: Wednesday, 8 June 2011 11:02
>> To: Antonio Soares
>> Cc: Bruno; [email protected]
>> Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs
>>
>> Great, that's a good debug command for this topic.
>>
>> Ok, when would we see linktype SSTP and linktype IEEE_SPANNING is my next question.
>>
>> On a trunk port of a Cisco switch that connects to another Cisco switch, I see only IEEE STP BPDUs.
>>
>> When I use a mac ACL as an access-group on switch L2 ports or with vlan access-groups, is it safe to always add the following:
>>
>> permit any any 0xAAAA 0x0
>> permit any any lsap 0x4242 0x0
>>
>> With regards
>> Kings
>>
>> On Tue, Jun 7, 2011 at 11:48 PM, Antonio Soares <[email protected]> wrote:
>>
>> If you are in the lab and you don't remember these things, just enable "debug spanning-tree bpdu receive" and you will see (example with dot1q trunk, 3 vlans):
>>
>> *Mar 11 04:02:43.731: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype IEEE_SPANNING , enctype 2, encsize 17
>> *Mar 11 04:02:43.731: STP: enc 01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03
>> *Mar 11 04:02:43.731: STP: Data 000000000080010009E8CB62800000000080010009E8CB6280800D0000140002000F00
>> *Mar 11 04:02:43.735: STP: VLAN0001 Fa0/13:0000 00 00 00 80010009E8CB6280 00000000 80010009E8CB6280 800D 0000 1400 0200 0F00
>> *Mar 11 04:02:43.735: STP(1) port Fa0/13 supersedes 0
>>
>> *Mar 11 04:02:45.435: STP: VLAN0010 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
>> *Mar 11 04:02:45.435: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
>> *Mar 11 04:02:45.435: STP: Data 0000000000800A0009E8CB628000000000800A0009E8CB6280800D0000140002000F00
>> *Mar 11 04:02:45.439: STP: VLAN0010 Fa0/13:0000 00 00 00 800A0009E8CB6280 00000000 800A0009E8CB6280 800D 0000 1400 0200 0F00
>> *Mar 11 04:02:45.439: STP(10) port Fa0/13 supersedes 0
>>
>> *Mar 11 04:02:45.439: STP: VLAN0020 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
>> *Mar 11 04:02:45.439: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
>> *Mar 11 04:02:45.439: STP: Data 000000000080140009E8CB62800000000080140009E8CB6280800D0000140002000F00
>> *Mar 11 04:02:45.443: STP: VLAN0020 Fa0/13:0000 00 00 00 80140009E8CB6280 00000000 80140009E8CB6280 800D 0000 1400 0200 0F00
>> *Mar 11 04:02:45.443: STP(20) port Fa0/13 supersedes 0
>>
>> STP-SNAP 0x4242 (lsap 0x4242 0x000)
>> PVST+-SNAP 0xAAAA (lsap 0xAAAA 0x000)
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> [email protected]
>> http://www.ccie18473.net
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Tuesday, 7 June 2011 17:22
>> To: Bruno
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs
>>
>> Do STP and PVST use EtherType? They use SNAP, isn't it?
>>
>> With regards
>> Kings
>>
>> On Tue, Jun 7, 2011 at 7:40 PM, Bruno <[email protected]> wrote:
>>
>> Hey King,
>>
>> STP and PVST should be matched on lsa type 0xaaaa if I am not mistaken. Ethertype should be 0x10b I think.
>>
>> On Tue, Jun 7, 2011 at 8:57 AM, Kingsley Charles <[email protected]> wrote:
>>
>> Hi all
>>
>> I am using VACLs to block ARP in vlan X using the following command. This is going to block all non-ip traffic including the STP BPDUs. What is needed to permit the STP BPDUs to prevent looping?
>>
>> mac access-list extended king
>>  permit any any 0x0806
>>
>> vlan access-map king
>>  match mac address
>>  action drop
>>
>> vlan filter king vlan-list 123
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
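As an added illustration (not part of the thread), the following Python decodes the "STP: enc ..." header bytes from Antonio's debug output and shows why the two "lsap" entries match: the IEEE BPDU carries LLC DSAP/SSAP 0x42/0x42, while the PVST+ SSTP BPDU carries 0xAA/0xAA followed by the Cisco SNAP OUI and PID 0x010B. The ACL mask semantics (bits set in the mask are ignored) are the example's assumption about how "lsap VALUE MASK" compares.

```python
# Added example (not from the thread): decode the "STP: enc ..." header bytes
# from the "debug spanning-tree bpdu receive" output and show which
# "permit any any lsap VALUE MASK" entry each BPDU encapsulation matches.
from dataclasses import dataclass
from typing import Optional

# Header bytes copied from the two frame types in the debug output above.
IEEE_STP_ENC = "01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03"
PVST_SSTP_ENC = "01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B"

@dataclass
class Encap:
    dst_mac: str
    src_mac: str
    length: int             # 802.3 length field (< 0x0600, so no EtherType)
    lsap: int               # DSAP<<8 | SSAP: the value "lsap" compares against
    snap_oui: Optional[int]
    snap_pid: Optional[int]

def parse_encap(hexstr: str) -> Encap:
    """Parse an 802.3 + LLC (+ optional SNAP) header from a hex byte string."""
    b = bytes.fromhex(hexstr.replace(" ", ""))
    def mac(chunk: bytes) -> str:
        return ":".join(f"{x:02x}" for x in chunk)
    length = int.from_bytes(b[12:14], "big")
    if length >= 0x0600:
        raise ValueError("Ethernet II frame (EtherType), not 802.3/LLC")
    dsap, ssap = b[14], b[15]
    oui = pid = None
    if dsap == 0xAA and ssap == 0xAA:       # LLC says a SNAP header follows
        oui = int.from_bytes(b[17:20], "big")
        pid = int.from_bytes(b[20:22], "big")
    return Encap(mac(b[0:6]), mac(b[6:12]), length, dsap << 8 | ssap, oui, pid)

def lsap_match(e: Encap, value: int, mask: int) -> bool:
    """Assumed MAC ACL 'lsap VALUE MASK' semantics: bits set in MASK are ignored."""
    care = ~mask & 0xFFFF
    return (e.lsap & care) == (value & care)

def classify(hexstr: str) -> str:
    """Name the encapsulation the way the debug 'linktype' field does."""
    e = parse_encap(hexstr)
    if lsap_match(e, 0x4242, 0x0):                      # LLC DSAP/SSAP 0x42
        return "IEEE_SPANNING"
    if lsap_match(e, 0xAAAA, 0x0) and e.snap_oui == 0x00000C and e.snap_pid == 0x010B:
        return "SSTP"                                   # Cisco SNAP PID 0x010B
    return "other"
```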
