Yes, I heard that too and I think it's resolved in the latest images.

With regards
Kings

On Thu, Jun 9, 2011 at 3:21 PM, Bruno <[email protected]> wrote:
> Just 1 cent.
>
> "permit any any 0x10B 0x0" on 3550 does NOT work as expected. Maybe a bug
> or so.
> So, I will go always with 0xAAAA 0x0
>
>
> On Thu, Jun 9, 2011 at 1:38 AM, Kingsley Charles <[email protected]> wrote:
>
>> SNAP identifies the upper protocol using a 2 byte "Ethertype?" field which
>> is also referred to as protocol identifier. Hence the following ACE will match
>> PVST+ BPDUs. I have confirmed it in my lab.
>>
>> permit any any 0x010B 0x0
>>
>> The above will allow only PVST+ BPDUs. The below will also allow VTP, CDP
>> which use SNAP.
>>
>> permit any any lsap 0xAAAA 0x0
>>
>>
>> With regards
>> Kings
>>
>>
>> On Wed, Jun 8, 2011 at 8:17 PM, Antonio Soares <[email protected]> wrote:
>>
>>> I agree with all you said except matching the PVST+ BPDUs with:
>>>
>>> "permit any any 0x010B 0x0"
>>>
>>> The value there is an Ethertype.
>>>
>>> Switch(config-ext-macl)#permit any any ?
>>>   <0-65535>     An arbitrary EtherType in decimal, hex, or octal
>>>   aarp          EtherType: AppleTalk ARP
>>>   amber         EtherType: DEC-Amber
>>>   appletalk     EtherType: AppleTalk/EtherTalk
>>>   cos           CoS value
>>>   dec-spanning  EtherType: DEC-Spanning-Tree
>>>   decnet-iv     EtherType: DECnet Phase IV
>>>   diagnostic    EtherType: DEC-Diagnostic
>>>   dsm           EtherType: DEC-DSM
>>>   etype-6000    EtherType: 0x6000
>>>   etype-8042    EtherType: 0x8042
>>>   lat           EtherType: DEC-LAT
>>>   lavc-sca      EtherType: DEC-LAVC-SCA
>>>   lsap          LSAP value
>>>   mop-console   EtherType: DEC-MOP Remote Console
>>>   mop-dump      EtherType: DEC-MOP Dump
>>>   msdos         EtherType: DEC-MSDOS
>>>   mumps         EtherType: DEC-MUMPS
>>>   netbios       EtherType: DEC-NETBIOS
>>>   vines-echo    EtherType: VINES Echo
>>>   vines-ip      EtherType: VINES IP
>>>   xns-idp       EtherType: XNS IDP
>>>   <cr>
>>>
>>> Switch(config-ext-macl)#
>>>
>>> The 0x010B value is the LLC Protocol Identifier.
>>>
>>> So you need these two:
>>>
>>> PVST+
>>> permit any any lsap 0xAAAA 0x0
>>>
>>> STP
>>> permit any any lsap 0x4242 0x0
>>>
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> [email protected]
>>> http://www.ccie18473.net
>>>
>>>
>>> *From:* Kingsley Charles [mailto:[email protected]]
>>> *Sent:* Wednesday, 8 June 2011 12:19
>>> *To:* Antonio Soares
>>> *Cc:* Bruno; [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] Permitting STP BPDUs
>>>
>>> I do see PVST+ SSTP now :-)
>>>
>>> I will put my understanding.
>>>
>>> IEEE STP BPDUs (uses 802.3 with 802.2) are sent on vlan 1 on trunk ports
>>> (802.1q) irrespective of whether it is the native or non-native vlan. It can
>>> be matched using "permit any any lsap 0x4242 0x0".
>>>
>>> PVST+ BPDUs (uses 802.3 with SNAP) are sent on other vlans excluding vlan
>>> 1 on trunk ports (802.1q). It can be matched using "permit any any lsap 0xAAAA
>>> 0x0" or "permit any any 0x010B 0x0".
>>>
>>> On ISL, IEEE STP BPDUs (uses 802.3 with 802.2) are tagged with the ISL header
>>> and can be matched with "permit any any lsap 0x4242 0x0".
>>>
>>> Please let me know your thoughts.
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Wed, Jun 8, 2011 at 4:09 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>> I am using 802.1q not ISL.
>>>
>>> Can you let me know your thoughts on the following statements:
>>>
>>> - IEEE STP BPDU should be seen on vlan 1 configured as the native
>>>   vlan and access port only.
>>> - PVST+ BPDU should be seen on vlans of trunk other than vlan 1.
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Wed, Jun 8, 2011 at 3:50 PM, Antonio Soares <[email protected]> wrote:
>>>
>>> By default, the switches will negotiate an ISL trunk and in this type of
>>> trunk you only have STP BPDUs. Change it to Dot1Q and you will see the
>>> difference.
>>>
>>> The ACLs should be:
>>>
>>> permit any any lsap 0xAAAA 0x0
>>> permit any any lsap 0x4242 0x0
>>>
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> [email protected]
>>> http://www.ccie18473.net
>>>
>>>
>>> *From:* Kingsley Charles [mailto:[email protected]]
>>> *Sent:* Wednesday, 8 June 2011 11:02
>>> *To:* Antonio Soares
>>> *Cc:* Bruno; [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] Permitting STP BPDUs
>>>
>>> Great, that's a good debug command for this topic.
>>>
>>> Ok, when would we see *linktype SSTP* and *linktype IEEE_SPANNING* is my
>>> next question.
>>>
>>> On a trunk port of a Cisco switch that connects to another Cisco switch,
>>> I see only IEEE STP BPDUs.
>>>
>>> When I use a mac ACL as an access-group on switch L2 ports or with vlan
>>> access-groups, is it safe to always add the following:
>>>
>>> permit any any 0xAAAA 0x0
>>> permit any any lsap 0x4242 0x0
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Tue, Jun 7, 2011 at 11:48 PM, Antonio Soares <[email protected]> wrote:
>>>
>>> If you are in the lab and you don't remember these things, just enable
>>> "debug spanning-tree bpdu receive" and you will see (example with dot1q
>>> trunk, 3 vlans):
>>>
>>> *Mar 11 04:02:43.731: STP: *VLAN0001* rx BPDU: config protocol = ieee,
>>> packet from FastEthernet0/13 , *linktype IEEE_SPANNING* , enctype 2,
>>> encsize 17
>>> *Mar 11 04:02:43.731: STP: enc 01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26
>>> *42 42* 03
>>> *Mar 11 04:02:43.731: STP: Data
>>> 000000000080010009E8CB62800000000080010009E8CB6280800D0000140002000F00
>>> *Mar 11 04:02:43.735: STP: VLAN0001 Fa0/13:0000 00 00 00 80010009E8CB6280
>>> 00000000 80010009E8CB6280 800D 0000 1400 0200 0F00
>>> *Mar 11 04:02:43.735: STP(1) port Fa0/13 supersedes 0
>>>
>>> *Mar 11 04:02:45.435: STP: *VLAN0010* rx BPDU: config protocol = ieee,
>>> packet from FastEthernet0/13 , *linktype SSTP* , enctype 3, encsize 22
>>> *Mar 11 04:02:45.435: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32
>>> *AA AA* 03 00 00 0C 01 0B
>>> *Mar 11 04:02:45.435: STP: Data
>>> 0000000000800A0009E8CB628000000000800A0009E8CB6280800D0000140002000F00
>>> *Mar 11 04:02:45.439: STP: VLAN0010 Fa0/13:0000 00 00 00 800A0009E8CB6280
>>> 00000000 800A0009E8CB6280 800D 0000 1400 0200 0F00
>>> *Mar 11 04:02:45.439: STP(10) port Fa0/13 supersedes 0
>>>
>>> *Mar 11 04:02:45.439: STP: *VLAN0020* rx BPDU: config protocol = ieee,
>>> packet from FastEthernet0/13 , *linktype SSTP* , enctype 3, encsize 22
>>> *Mar 11 04:02:45.439: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32
>>> *AA AA* 03 00 00 0C 01 0B
>>> *Mar 11 04:02:45.439: STP: Data
>>> 000000000080140009E8CB62800000000080140009E8CB6280800D0000140002000F00
>>> *Mar 11 04:02:45.443: STP: VLAN0020 Fa0/13:0000 00 00 00 80140009E8CB6280
>>> 00000000 80140009E8CB6280 800D 0000 1400 0200 0F00
>>> *Mar 11 04:02:45.443: STP(20) port Fa0/13 supersedes 0
>>>
>>> STP-SNAP 0x4242 (lsap 0x4242 0x000)
>>> PVST+-SNAP 0xAAAA (lsap 0xAAAA 0x000)
>>>
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> [email protected]
>>> http://www.ccie18473.net
>>>
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
>>> *Sent:* Tuesday, 7 June 2011 17:22
>>> *To:* Bruno
>>> *Cc:* [email protected]
>>> *Subject:* Re: [OSL | CCIE_Security] Permitting STP BPDUs
>>>
>>> Do STP and PVST use EtherType? They use SNAP, don't they?
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, Jun 7, 2011 at 7:40 PM, Bruno <[email protected]> wrote:
>>>
>>> Hey King,
>>>
>>> STP and PVST should be matched on lsap type 0xaaaa if I am not mistaken.
>>> Ethertype should be 0x10b I think.
>>>
>>> On Tue, Jun 7, 2011 at 8:57 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>> Hi all
>>>
>>> I am using VACLs to block ARP in vlan X using the following command. This
>>> is going to block all non-ip traffic including the STP BPDUs. What is needed
>>> to permit the STP BPDUs to prevent looping?
>>>
>>> mac access-list extended king
>>>  permit any any 0x0806
>>>
>>> vlan access-map king
>>>  match mac address king
>>>  action drop
>>>
>>> vlan filter king vlan-list 123
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
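As an added example (not code from any poster in this thread), the following Python parser takes the "enc" bytes printed by "debug spanning-tree bpdu receive", decodes the 802.3 length, LLC DSAP/SSAP and optional SNAP header, and evaluates a "permit any any lsap <value> <wildcard>" ACE against the frame. The two sample frames are copied from the debug output quoted above; the function names and the value/wildcard semantics of the ACE are this example's own assumptions.

```python
# Added example; the ACE evaluator assumes "lsap <value> <wildcard>" semantics
# (wildcard bits are ignored, 0x0 means exact match) as used in the thread.

def parse_bpdu_enc(hex_bytes: str) -> dict:
    """Parse dst/src MAC, 802.3 length, LLC header and optional SNAP header."""
    b = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(b) < 17:
        raise ValueError("need 14 bytes of MAC header plus 3 bytes of LLC")
    length_or_type = int.from_bytes(b[12:14], "big")
    # Values >= 0x0600 are EtherTypes (Ethernet II); BPDUs use 802.3 length + LLC.
    if length_or_type >= 0x0600:
        raise ValueError("Ethernet II frame, no LLC header to match with lsap")
    dsap, ssap, ctrl = b[14], b[15], b[16]
    info = {
        "dst": b[0:6].hex(":"),
        "src": b[6:12].hex(":"),
        "length": length_or_type,
        "lsap": (dsap << 8) | ssap,  # the 16-bit value an 'lsap' ACE compares
        "snap_oui": None,
        "snap_pid": None,
    }
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03:  # SNAP follows LLC
        if len(b) < 22:
            raise ValueError("SNAP header truncated")
        info["snap_oui"] = b[17:20].hex()
        info["snap_pid"] = int.from_bytes(b[20:22], "big")
    return info

def classify(info: dict) -> str:
    """Name the BPDU flavour from the LLC/SNAP fields."""
    if info["lsap"] == 0x4242:
        return "IEEE STP (802.2 LLC 0x42/0x42)"
    if info["lsap"] == 0xAAAA and info["snap_oui"] == "00000c" \
            and info["snap_pid"] == 0x010B:
        return "PVST+ (SNAP, Cisco OUI, PID 0x010B)"
    return "other LLC/SNAP frame"

def lsap_ace_matches(ace: str, info: dict) -> bool:
    """Evaluate 'permit any any lsap <value> <wildcard>' against a parsed frame."""
    parts = ace.split()
    if parts[:4] != ["permit", "any", "any", "lsap"] or len(parts) != 6:
        return False  # not an lsap ACE (e.g. an EtherType ACE); never matches here
    value, wildcard = int(parts[4], 16), int(parts[5], 16)
    care = ~wildcard & 0xFFFF
    return (info["lsap"] & care) == (value & care)

# Frames copied from the VLAN0001 and VLAN0010 "enc" lines in the thread.
IEEE_STP = "01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03"
PVST_PLUS = "01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B"
```

Running classify(parse_bpdu_enc(...)) on both frames shows why both lsap ACEs are needed: the VLAN 1 BPDU only matches 0x4242 and the per-VLAN PVST+ BPDU only matches 0xAAAA.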
