It doesn't work. I've just tested with 12.2.46SE6, the latest IOS release for the 3550s. I was really convinced that this was not possible to do. Always learning. Oh yeah, it seems it's time to upgrade my switches :-)

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net

From: Kingsley Charles [mailto:[email protected]]
Sent: Thursday, 9 June 2011 11:44
To: Bruno
Cc: Antonio Soares; [email protected]
Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs

Yes, I heard that too and I think it's resolved in the latest images.

With regards
Kings

On Thu, Jun 9, 2011 at 3:21 PM, Bruno <[email protected]> wrote:

Just 1 cent. "permit any any 0x10B 0x0" on 3550 does NOT work as expected. Maybe a bug or so. So, I will always go with 0xAAAA 0x0.

On Thu, Jun 9, 2011 at 1:38 AM, Kingsley Charles <[email protected]> wrote:

SNAP identifies the upper protocol using a 2-byte "Ethertype?" field which is also referred to as the protocol identifier. Hence the following ACE will match PVST+ BPDUs. I have confirmed it in my lab.

permit any any 0x010B 0x0

The above will allow only PVST+ BPDUs. The one below will also allow VTP and CDP, which use SNAP.

permit any any lsap 0xAAAA 0x0

With regards
Kings

On Wed, Jun 8, 2011 at 8:17 PM, Antonio Soares <[email protected]> wrote:

I agree with all you said except matching the PVST+ BPDUs with:

"permit any any 0x010B 0x0"

The value there is an Ethertype.

Switch(config-ext-macl)#permit any any ?
  <0-65535>     An arbitrary EtherType in decimal, hex, or octal
  aarp          EtherType: AppleTalk ARP
  amber         EtherType: DEC-Amber
  appletalk     EtherType: AppleTalk/EtherTalk
  cos           CoS value
  dec-spanning  EtherType: DEC-Spanning-Tree
  decnet-iv     EtherType: DECnet Phase IV
  diagnostic    EtherType: DEC-Diagnostic
  dsm           EtherType: DEC-DSM
  etype-6000    EtherType: 0x6000
  etype-8042    EtherType: 0x8042
  lat           EtherType: DEC-LAT
  lavc-sca      EtherType: DEC-LAVC-SCA
  lsap          LSAP value
  mop-console   EtherType: DEC-MOP Remote Console
  mop-dump      EtherType: DEC-MOP Dump
  msdos         EtherType: DEC-MSDOS
  mumps         EtherType: DEC-MUMPS
  netbios       EtherType: DEC-NETBIOS
  vines-echo    EtherType: VINES Echo
  vines-ip      EtherType: VINES IP
  xns-idp       EtherType: XNS IDP
  <cr>
Switch(config-ext-macl)#

The 0x010B value is the LLC Protocol Identifier. So you need these two:

PVST+   permit any any lsap 0xAAAA 0x0
STP     permit any any lsap 0x4242 0x0

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, 8 June 2011 12:19
To: Antonio Soares
Cc: Bruno; [email protected]
Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs

I do see PVST+ SSTP now :-)

I will put my understanding.

IEEE STP BPDUs (802.3 with 802.2) are sent on vlan 1 on trunk ports (802.1q) irrespective of whether it is the native or non-native vlan. They can be matched using "permit any any lsap 0x4242 0x0".

PVST+ BPDUs (802.3 with SNAP) are sent on the other vlans, excluding vlan 1, on trunk ports (802.1q). They can be matched using "permit any any lsap 0xAAAA 0x0" or "permit any any 0x010B 0x0".

On ISL, IEEE STP BPDUs (802.3 with 802.2) are tagged with the ISL header and can be matched with "permit any any lsap 0x4242 0x0".

Please let me know your thoughts.

With regards
Kings

On Wed, Jun 8, 2011 at 4:09 PM, Kingsley Charles <[email protected]> wrote:

I am using 802.1q, not ISL.

Can you let me know your thoughts on the following statements?
* IEEE STP BPDUs should be seen on vlan 1 configured as the native vlan and on access ports only.
* PVST+ BPDUs should be seen on the vlans of a trunk other than vlan 1.

With regards
Kings

On Wed, Jun 8, 2011 at 3:50 PM, Antonio Soares <[email protected]> wrote:

By default, the switches will negotiate an ISL trunk, and in this type of trunk you only have STP BPDUs. Change it to Dot1Q and you will see the difference. The ACLs should be:

permit any any lsap 0xAAAA 0x0
permit any any lsap 0x4242 0x0

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net

From: Kingsley Charles [mailto:[email protected]]
Sent: Wednesday, 8 June 2011 11:02
To: Antonio Soares
Cc: Bruno; [email protected]
Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs

Great, that's a good debug command for this topic.

OK, when would we see linktype SSTP and linktype IEEE_SPANNING is my next question. On a trunk port of a Cisco switch that connects to another Cisco switch, I see only IEEE STP BPDUs.

When I use a mac ACL as an access-group on switch L2 ports or with vlan access-groups, is it safe to always add the following?

permit any any 0xAAAA 0x0
permit any any lsap 0x4242 0x0

With regards
Kings

On Tue, Jun 7, 2011 at 11:48 PM, Antonio Soares <[email protected]> wrote:

If you are in the lab and you don't remember these things, just enable "debug spanning-tree bpdu receive" and you will see (example with a dot1q trunk, 3 vlans):

*Mar 11 04:02:43.731: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype IEEE_SPANNING , enctype 2, encsize 17
*Mar 11 04:02:43.731: STP: enc 01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03
*Mar 11 04:02:43.731: STP: Data 000000000080010009E8CB62800000000080010009E8CB6280800D0000140002000F00
*Mar 11 04:02:43.735: STP: VLAN0001 Fa0/13:0000 00 00 00 80010009E8CB6280 00000000 80010009E8CB6280 800D 0000 1400 0200 0F00
*Mar 11 04:02:43.735: STP(1) port Fa0/13 supersedes 0
*Mar 11 04:02:45.435: STP: VLAN0010 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
*Mar 11 04:02:45.435: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
*Mar 11 04:02:45.435: STP: Data 0000000000800A0009E8CB628000000000800A0009E8CB6280800D0000140002000F00
*Mar 11 04:02:45.439: STP: VLAN0010 Fa0/13:0000 00 00 00 800A0009E8CB6280 00000000 800A0009E8CB6280 800D 0000 1400 0200 0F00
*Mar 11 04:02:45.439: STP(10) port Fa0/13 supersedes 0
*Mar 11 04:02:45.439: STP: VLAN0020 rx BPDU: config protocol = ieee, packet from FastEthernet0/13 , linktype SSTP , enctype 3, encsize 22
*Mar 11 04:02:45.439: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B
*Mar 11 04:02:45.439: STP: Data 000000000080140009E8CB62800000000080140009E8CB6280800D0000140002000F00
*Mar 11 04:02:45.443: STP: VLAN0020 Fa0/13:0000 00 00 00 80140009E8CB6280 00000000 80140009E8CB6280 800D 0000 1400 0200 0F00
*Mar 11 04:02:45.443: STP(20) port Fa0/13 supersedes 0

STP-SNAP 0x4242 (lsap 0x4242 0x000)
PVST+-SNAP 0xAAAA (lsap 0xAAAA 0x000)

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
[email protected]
http://www.ccie18473.net

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, 7 June 2011 17:22
To: Bruno
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Permitting STP BPDUs

Do STP and PVST use EtherType? They use SNAP, isn't it?

With regards
Kings

On Tue, Jun 7, 2011 at 7:40 PM, Bruno <[email protected]> wrote:

Hey King,

STP and PVST should be matched on lsap type 0xaaaa if I am not mistaken. Ethertype should be 0x10b I think.

On Tue, Jun 7, 2011 at 8:57 AM, Kingsley Charles <[email protected]> wrote:

Hi all,

I am using VACLs to block ARP in vlan X using the following commands. This is going to block all non-IP traffic including the STP BPDUs. What is needed to permit the STP BPDUs to prevent looping?

mac access-list extended king
 permit any any 0x0806
vlan access-map king
 match mac address king
 action drop
vlan filter king vlan-list 123

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
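The two encapsulations shown in the debug output above (IEEE STP with LLC 0x42/0x42, PVST+ with SNAP OUI 00:00:0C and PID 0x010B), decoded and checked against the ACEs proposed in the thread, as an added example that is not part of the thread. It models the ACE semantics that Antonio's final test on 12.2.46SE6 supports (a bare numeric value compares against the 802.3 length/type field, lsap against the DSAP/SSAP bytes, the second value as a wildcard mask); the function names and the model are mine.

```python
# Added example: decode "STP: enc" debug lines and evaluate MAC ACEs against
# them. Assumed ACE model: a bare numeric value compares against the 802.3
# length/type field; "lsap" compares against DSAP+SSAP; the second value is a
# wildcard mask. Not the switch's real implementation.
import re

# "STP: enc" lines copied from the debug output in the thread.
DEBUG_LINES = [
    "*Mar 11 04:02:43.731: STP: enc 01 80 C2 00 00 00 00 09 E8 CB 62 8D 00 26 42 42 03",
    "*Mar 11 04:02:45.435: STP: enc 01 00 0C CC CC CD 00 09 E8 CB 62 8D 00 32 AA AA 03 00 00 0C 01 0B",
]
ACES = [
    "permit any any 0x0806",           # the original ARP-only ACE
    "permit any any 0x010B 0x0",       # disputed: treated as an EtherType
    "permit any any lsap 0x4242 0x0",  # IEEE STP (DSAP/SSAP 0x42/0x42)
    "permit any any lsap 0xAAAA 0x0",  # SNAP (PVST+, but also CDP/VTP)
]

def parse_enc(line):
    """Return the L2 header fields of one 'STP: enc' debug line."""
    hexbytes = re.search(r"STP: enc ((?:[0-9A-F]{2} ?)+)", line).group(1).split()
    b = bytes(int(h, 16) for h in hexbytes)
    frame = {"dst": b[0:6].hex(":"), "len_type": int.from_bytes(b[12:14], "big")}
    if frame["len_type"] <= 1500:                 # 802.3 length, so LLC follows
        frame["lsap"] = int.from_bytes(b[14:16], "big")
        if frame["lsap"] == 0xAAAA:              # SNAP header: OUI + protocol ID
            frame["oui"] = b[17:20].hex(":")
            frame["pid"] = int.from_bytes(b[20:22], "big")
    return frame

def classify(frame):
    """Name the BPDU type; 0x010B lives in the SNAP PID, not the type field."""
    if frame.get("lsap") == 0x4242:
        return "IEEE STP"
    if frame.get("lsap") == 0xAAAA and frame.get("oui") == "00:00:0c" and frame.get("pid") == 0x010B:
        return "PVST+"
    return "other"

def ace_matches(ace, frame):
    """Evaluate one 'permit any any ...' ACE under the assumed model."""
    tokens = ace.split()[3:]
    field = "lsap" if tokens[0] == "lsap" else "len_type"
    if field == "lsap":
        tokens = tokens[1:]
    value = int(tokens[0], 0)
    mask = int(tokens[1], 0) if len(tokens) > 1 else 0
    return field in frame and (frame[field] | mask) == (value | mask)

def matching_aces(line):
    """List the ACEs that would permit the frame on the given debug line."""
    frame = parse_enc(line)
    return [ace for ace in ACES if ace_matches(ace, frame)]
```

Under this model the EtherType-style ACE 0x010B matches neither frame, because both carry an 802.3 length (0x0026 and 0x0032) where an EtherType would sit, while the two lsap ACEs each match exactly one BPDU type.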
