SNAP identifies the upper protocol using a 2-byte "Ethertype?" field, which is also referred to as the protocol identifier. Hence the following ACE will match PVST+ BPDUs. I have confirmed it in my lab.

permit any any 0x010B 0x0

The above will allow only PVST+ BPDUs. The below will also allow VTP and CDP, which use SNAP.

permit any any lsap 0xAAAA 0x0

With regards
Kings

On Wed, Jun 8, 2011 at 8:17 PM, Antonio Soares <[email protected]> wrote:
> I agree with all you said except matching the PVST+ BPDUs with:
>
> "permit any any 0x010B 0x0"
>
> The value there is an Ethertype.
>
> Switch(config-ext-macl)#permit any any ?
>   <0-65535>    An arbitrary EtherType in decimal, hex, or octal
>   aarp         EtherType: AppleTalk ARP
>   amber        EtherType: DEC-Amber
>   appletalk    EtherType: AppleTalk/EtherTalk
>   cos          CoS value
>   dec-spanning EtherType: DEC-Spanning-Tree
>   decnet-iv    EtherType: DECnet Phase IV
>   diagnostic   EtherType: DEC-Diagnostic
>   dsm          EtherType: DEC-DSM
>   etype-6000   EtherType: 0x6000
>   etype-8042   EtherType: 0x8042
>   lat          EtherType: DEC-LAT
>   lavc-sca     EtherType: DEC-LAVC-SCA
>   lsap         LSAP value
>   mop-console  EtherType: DEC-MOP Remote Console
>   mop-dump     EtherType: DEC-MOP Dump
>   msdos        EtherType: DEC-MSDOS
>   mumps        EtherType: DEC-MUMPS
>   netbios      EtherType: DEC-NETBIOS
>   vines-echo   EtherType: VINES Echo
>   vines-ip     EtherType: VINES IP
>   xns-idp      EtherType: XNS IDP
>   <cr>
>
> Switch(config-ext-macl)#
>
> The 0x010B value is the LLC Protocol Identifier.
>
> So you need these two:
>
> PVST+
> permit any any lsap 0xAAAA 0x0
>
> STP
> permit any any lsap 0x4242 0x0
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> [email protected]
> http://www.ccie18473.net
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Wednesday, 8 June 2011 12:19
> To: Antonio Soares
> Cc: Bruno; [email protected]
> Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs
>
> I do see PVST+ SSTP now :-)
>
> I will put my understanding.
> > IEEE STP BPDUs (uses 802.3 with 802.2) are sent on vlan 1 on trunk ports (802.1q) irrespective of whether it is the native or non-native vlan. It can be matched using "permit any any lsap 0x4242 0x0".
> >
> > PVST+ BPDUs (uses 802.3 with SNAP) are sent on other vlans excluding vlan 1 on trunk ports (802.1q). It can be matched using "permit any any lsap 0xAAAA 0x0" or "permit any any 0x010B 0x0".
> >
> > On ISL, IEEE STP BPDUs (uses 802.3 with 802.2) are tagged with the ISL header and it can be matched with "permit any any lsap 0x4242 0x0".
> >
> > Please let me know your thoughts.
> >
> > With regards
> > Kings
> >
> > On Wed, Jun 8, 2011 at 4:09 PM, Kingsley Charles <[email protected]> wrote:
> > I am using 802.1q not ISL.
> >
> > Can you let me know your thoughts on the following statements
> >
> > - IEEE STP BPDU should be seen on vlan 1 configured as the native vlan and access port only.
> > - PVST+ BPDU should be seen on vlans of trunk other than vlan 1.
> >
> > With regards
> > Kings
> >
> > On Wed, Jun 8, 2011 at 3:50 PM, Antonio Soares <[email protected]> wrote:
> > By default, the switches will negotiate an ISL trunk and in this type of trunk you only have STP BPDUs. Change it to Dot1Q and you will see the difference.
> >
> > The ACLs should be:
> >
> > permit any any lsap 0xAAAA 0x0
> > permit any any lsap 0x4242 0x0
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (R&S/SP)
> > [email protected]
> > http://www.ccie18473.net
> >
> > From: Kingsley Charles [mailto:[email protected]]
> > Sent: Wednesday, 8 June 2011 11:02
> > To: Antonio Soares
> > Cc: Bruno; [email protected]
> > Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs
> >
> > Great, that's a good debug command for this topic.
> >
> > Ok, when would we see a linktype of SSTP and a linktype of IEEE_SPANNING is my next question.
> >
> > On a trunk port of a Cisco switch that connects to another Cisco switch, I see only IEEE STP BPDUs.
> >
> > When I use a mac ACL as an access-group on switch l2 ports or with vlan access-groups, is it safe to always add the following:
> >
> > permit any any 0xAAAA 0x0
> > permit any any lsap 0x4242 0x0
> >
> > With regards
> > Kings
> >
> > On Tue, Jun 7, 2011 at 11:48 PM, Antonio Soares <[email protected]> wrote:
> > If you are in the lab and you don't remember these things, just enable "debug spanning-tree bpdu receive" and you will see (example with dot1q trunk, 3 vlans):
> >
> > *Mar 11 04:02:43.731: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype IEEE_SPANNING , enctype 2, encsize 17
> > *Mar 11 04:02:43.731: STP: enc 01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03
> > *Mar 11 04:02:43.731: STP: Data 000000000080010009E8CB62800000000080010009E8CB6280800D0000140002000F00
> > *Mar 11 04:02:43.735: STP: VLAN0001 Fa0/13:0000 00 00 00 80010009E8CB6280 00000000 80010009E8CB6280 800D 0000 1400 0200 0F00
> > *Mar 11 04:02:43.735: STP(1) port Fa0/13 supersedes 0
> >
> > *Mar 11 04:02:45.435: STP: VLAN0010 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
> > *Mar 11 04:02:45.435: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
> > *Mar 11 04:02:45.435: STP: Data 0000000000800A0009E8CB628000000000800A0009E8CB6280800D0000140002000F00
> > *Mar 11 04:02:45.439: STP: VLAN0010 Fa0/13:0000 00 00 00 800A0009E8CB6280 00000000 800A0009E8CB6280 800D 0000 1400 0200 0F00
> > *Mar 11 04:02:45.439: STP(10) port Fa0/13 supersedes 0
> >
> > *Mar 11 04:02:45.439: STP: VLAN0020 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
> > *Mar 11 04:02:45.439: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
> > *Mar 11 04:02:45.439: STP: Data 000000000080140009E8CB62800000000080140009E8CB6280800D0000140002000F00
> > *Mar 11 04:02:45.443: STP: VLAN0020 Fa0/13:0000 00 00 00 80140009E8CB6280 00000000 80140009E8CB6280 800D 0000 1400 0200 0F00
> > *Mar 11 04:02:45.443: STP(20) port Fa0/13 supersedes 0
> >
> > STP-SNAP 0x4242 (lsap 0x4242 0x000)
> > PVST+-SNAP 0xAAAA (lsap 0xAAAA 0x000)
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (R&S/SP)
> > [email protected]
> > http://www.ccie18473.net
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> > Sent: Tuesday, 7 June 2011 17:22
> > To: Bruno
> > Cc: [email protected]
> > Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs
> >
> > Do STP and PVST use EtherType? They use SNAP, isn't it?
> >
> > With regards
> > Kings
> >
> > On Tue, Jun 7, 2011 at 7:40 PM, Bruno <[email protected]> wrote:
> > Hey King,
> >
> > STP and PVST should be matched on lsa type 0xaaaa if I am not mistaken. Ethertype should be 0x10b I think.
> >
> > On Tue, Jun 7, 2011 at 8:57 AM, Kingsley Charles <[email protected]> wrote:
> > Hi all
> >
> > I am using VACLs to block ARP in vlan X using the following commands. This is going to block all non-ip traffic including the STP BPDUs. What is needed to permit the STP BPDUs to prevent looping?
> >
> > mac access-list extended king
> >  permit any any 0x0806
> >
> > vlan access-map king
> >  match mac address king
> >  action drop
> >
> > vlan filter king vlan-list 123
> >
> > With regards
> > Kings
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
> >
> > --
> > Bruno Fagioli (by Jaunty Jackalope)
> > Cisco Security Professional
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
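The disagreement in the thread is about where each candidate value sits in the frame: "lsap 0x4242" and "lsap 0xAAAA" are the DSAP/SSAP bytes of the 802.2 LLC header, an EtherType such as 0x0806 is the 2-byte field after the source MAC in an Ethernet II frame, and 0x010B is the SNAP protocol ID that follows the Cisco OUI 00:00:0C. In the BPDUs from the debug output that same 2-byte field holds 0x0026 and 0x0032, which are 802.3 lengths, not EtherTypes. The dissector below, added here as an example and not part of the mailing-list thread or of any Cisco software, parses the "STP: enc" bytes quoted above and reports which ACE value matches which field. The CDP and ARP headers are constructed for the example, and the don't-care-mask semantics for the trailing 0x0 are an assumption about the ACE syntax (the thread only uses the exact-match form). Whether a given IOS platform compares a bare numeric ACE value against the SNAP PID, as Kings reports from his lab, or only against an Ethernet II EtherType, as Antonio reads the CLI help, is left to the lab; the code reports the two interpretations separately.

```python
"""Dissect 802.3/LLC/SNAP and Ethernet II headers and evaluate the MAC-ACL
match values discussed in the thread (lsap vs. EtherType vs. SNAP PID).
Added example, not code from the thread or from Cisco."""

from dataclasses import dataclass
from typing import Dict, Optional


def _hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Bytes copied from the "STP: enc ..." lines of the debug output quoted in the thread.
IEEE_BPDU_HDR = _hex("01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03")
PVST_BPDU_HDR = _hex("01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B")
# Constructed for this example (not from the thread): a CDP header, which is also
# SNAP-encapsulated (Cisco OUI 00:00:0C, PID 0x2000), and an Ethernet II ARP header.
CDP_HDR = _hex("01 00 0C CC CC CC 00 09 E8 CB 62 8D 01 00 AA AA 03 00 00 0C 20 00")
ARP_HDR = _hex("FF FF FF FF FF FF 00 09 E8 CB 62 8D 08 06")


@dataclass
class L2Header:
    dst: str
    src: str
    ethertype: Optional[int] = None   # Ethernet II type (>= 0x0600), else None
    length: Optional[int] = None      # 802.3 length (< 0x0600), else None
    dsap: Optional[int] = None
    ssap: Optional[int] = None
    snap_oui: Optional[bytes] = None
    snap_pid: Optional[int] = None

    @property
    def lsap(self) -> Optional[int]:
        """DSAP:SSAP packed into the 16-bit value an IOS 'lsap' ACE is compared with."""
        if self.dsap is None or self.ssap is None:
            return None
        return (self.dsap << 8) | self.ssap


def parse_l2(frame: bytes) -> L2Header:
    """Dissect DST/SRC MAC, the length/type field and, for 802.3 frames, LLC and SNAP."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a MAC header")

    def mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    hdr = L2Header(dst=mac(frame[0:6]), src=mac(frame[6:12]))
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len >= 0x0600:            # IEEE 802.3 rule: values >= 1536 are EtherTypes
        hdr.ethertype = type_or_len
        return hdr
    hdr.length = type_or_len
    if len(frame) < 17:
        raise ValueError("802.3 frame without an LLC header")
    hdr.dsap, hdr.ssap = frame[14], frame[15]   # frame[16] is the LLC control byte (0x03 = UI)
    if hdr.dsap == 0xAA and hdr.ssap == 0xAA:   # SNAP: 3-byte OUI + 2-byte protocol id
        if len(frame) < 22:
            raise ValueError("SNAP header truncated")
        hdr.snap_oui = bytes(frame[17:20])
        hdr.snap_pid = int.from_bytes(frame[20:22], "big")
    return hdr


def _wildcard_eq(field: Optional[int], value: int, mask: int) -> bool:
    # Assumed ACE semantics: bits set in the mask are don't-care, so mask 0x0 is an
    # exact match. A field the frame does not carry never matches.
    if field is None:
        return False
    return (field & ~mask & 0xFFFF) == (value & ~mask & 0xFFFF)


def evaluate_aces(frame: bytes) -> Dict[str, bool]:
    """Which of the candidate ACE values from the thread match this frame, and on which field."""
    h = parse_l2(frame)
    return {
        "lsap 0x4242 0x0 (DSAP:SSAP)": _wildcard_eq(h.lsap, 0x4242, 0),
        "lsap 0xAAAA 0x0 (DSAP:SSAP)": _wildcard_eq(h.lsap, 0xAAAA, 0),
        "0x010B 0x0 vs Ethernet II EtherType": _wildcard_eq(h.ethertype, 0x010B, 0),
        "0x010B vs SNAP protocol id": _wildcard_eq(h.snap_pid, 0x010B, 0),
        "0x0806 0x0 vs Ethernet II EtherType": _wildcard_eq(h.ethertype, 0x0806, 0),
    }


def describe(frame: bytes) -> str:
    h = parse_l2(frame)
    if h.ethertype is not None:
        return f"Ethernet II, EtherType 0x{h.ethertype:04X}"
    if h.snap_pid is not None:
        return f"802.3 len {h.length}, SNAP OUI {h.snap_oui.hex()} PID 0x{h.snap_pid:04X}"
    return f"802.3 len {h.length}, LLC DSAP/SSAP 0x{h.lsap:04X}"


if __name__ == "__main__":
    for name, frame in [("IEEE STP BPDU", IEEE_BPDU_HDR), ("PVST+ BPDU", PVST_BPDU_HDR),
                        ("CDP (constructed)", CDP_HDR), ("ARP (constructed)", ARP_HDR)]:
        print(f"{name}: {describe(frame)}")
        for ace, hit in evaluate_aces(frame).items():
            print(f"  {'match' if hit else '     '}  {ace}")
```

Running it shows the practical consequence for the VACL in the first message: "lsap 0x4242" isolates the IEEE BPDUs, while "lsap 0xAAAA" matches every SNAP-encapsulated frame, so a permit for it admits CDP, VTP and the like alongside PVST+ BPDUs, and an ARP permit on EtherType 0x0806 touches neither BPDU type because they carry an 802.3 length in that field.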
