Ok, here is the reason. The switch sending the BPDU belongs to another administrative area. They are kind of our client in some aspects.

There is some difficulty involved, but we are on the way to migrating from a layer 2 connection to a layer 3 connection. In the meantime, they started to generate lots of TCN BPDUs. As they have their own policies, I could request some action on their network (activate PortFast), but just request. We have LANE, and lots of TCNs increase the load on the LES. We thought about using BPDU Guard and configuring PortFast at both sites; but as I mentioned before, I could just request that they configure it. It would help if I could block the TCN BPDUs coming from their network.

Thanks,
Alaerte

"Priscilla Oppenheimer" @groupstudy.com on 13/09/2002 15:05:17
Please reply to "Priscilla Oppenheimer"
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: VACL and BPDU - Is there some issue ? [7:53261]

> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I configured a VACL in a 6509 switch to block BPDUs from a
> > specific source.
>
> Why?? There must be a better way. Couldn't you use Portfast or Uplinkfast or a better network design instead? Perhaps this part of the network should use Layer 3 instead of Layer 2?? Or you might be able to use "set spantree disable" for the VLAN in question on the switch sending the BPDUs, though this might not work depending on your design, and is somewhat risky for a variety of reasons.
>
> As an analogy, on a router, you wouldn't generally use access lists to block routing protocol traffic. You would probably use a distribute list. On the switching side, I don't think VACLs were intended for switch-to-switch traffic in the management plane. I think they are intended for traffic being forwarded by the switches in the user plane.
>
> > I used the command:
> >
> > set security acl mac BPDU deny host 00-e0-1e-b6-01-af any
> > set security acl mac BPDU permit any any
> > commit security acl BPDU
> > set security acl map BPDU 110
> >
> > For some reason the BPDUs are not blocked. I checked out using
> > Sniffer.
>
> You are blocking the BPDUs at the ingress on the recipient switch. How can you check this with a sniffer? You aren't stopping the sending. You're stopping the receiving, if I understand this correctly.
>
> > The switch I am trying to block the BPDUs is the root for Vlan
> > 110.
>
> If you don't want it to be the root, there are many better options to accomplish this besides VACLs. Maybe some switching gurus will jump in and help here.
>
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53709&t=53261
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
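The thread turns on a measurement question: are TCN BPDUs from the other administrative domain still arriving on the 6509's ingress port, and at what rate, compared with ordinary Configuration BPDUs? The following is an added example, not code from the thread, from Cisco or from GroupStudy: a small 802.1D BPDU parser that takes raw Ethernet frames (as a sniffer would export them), distinguishes TCN BPDUs, Configuration BPDUs carrying the Topology Change flag, and plain Configuration BPDUs, and counts them per source MAC. The source MAC 00-e0-1e-b6-01-af is the one named in the posted VACL; the second bridge MAC and every frame's contents are constructed for the example.

```python
# Added example: classify 802.1D BPDUs per source MAC from raw Ethernet frames.
# Not from the thread; sample frames below are constructed, not captured.
from collections import Counter
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:c2:00:00:00 STP group address
LLC_STP = bytes([0x42, 0x42, 0x03])              # DSAP/SSAP 0x42, UI control field
TYPE_CONFIG = 0x00
TYPE_TCN = 0x80
FLAG_TC = 0x01    # Topology Change
FLAG_TCA = 0x80   # Topology Change Acknowledgement


def parse_bpdu(frame: bytes):
    """Return a dict describing the BPDU in an 802.3/LLC frame, or None if the
    frame is not an STP BPDU (wrong destination, EtherType frame, wrong LLC)."""
    if len(frame) < 14 + 3 + 4:
        return None
    dst, src = frame[0:6], frame[6:12]
    (length,) = struct.unpack("!H", frame[12:14])
    # BPDUs use the STP group address and an 802.3 length field (<= 1500),
    # not an EtherType; anything else here is ordinary data-plane traffic.
    if dst != STP_MULTICAST or length > 1500 or frame[14:17] != LLC_STP:
        return None
    bpdu = frame[17:14 + length]
    if len(bpdu) < 4:
        return None
    proto, version, btype = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:
        return None
    info = {"src": src.hex(":"), "version": version, "type": btype}
    if btype == TYPE_TCN:
        info["kind"] = "tcn"          # a TCN BPDU is just these 4 bytes
        return info
    if btype != TYPE_CONFIG or len(bpdu) < 35:
        return None
    flags = bpdu[4]
    root_prio, root_mac = struct.unpack("!H", bpdu[5:7])[0], bpdu[7:13]
    (root_cost,) = struct.unpack("!I", bpdu[13:17])
    bridge_prio, bridge_mac = struct.unpack("!H", bpdu[17:19])[0], bpdu[19:25]
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", bpdu[25:35])
    info.update({
        "kind": "config_tc" if flags & FLAG_TC else "config",
        "tc": bool(flags & FLAG_TC),
        "tca": bool(flags & FLAG_TCA),
        "root_id": f"{root_prio}.{root_mac.hex(':')}",
        "root_path_cost": root_cost,
        "bridge_id": f"{bridge_prio}.{bridge_mac.hex(':')}",
        "port_id": port_id,
        # STP timers are carried in units of 1/256 second
        "message_age_s": msg_age / 256,
        "max_age_s": max_age / 256,
        "hello_s": hello / 256,
        "forward_delay_s": fwd_delay / 256,
    })
    return info


def summarize(frames):
    """Map each source MAC to a Counter of BPDU kinds seen from it."""
    counts = {}
    for frame in frames:
        b = parse_bpdu(frame)
        if b is not None:
            counts.setdefault(b["src"], Counter())[b["kind"]] += 1
    return counts


# --- constructed sample frames (not from a real capture) --------------------
def _frame(src: bytes, bpdu: bytes) -> bytes:
    body = LLC_STP + bpdu
    return (STP_MULTICAST + src + struct.pack("!H", len(body)) + body).ljust(60, b"\x00")


def _config_bpdu(flags: int, root_mac: bytes, bridge_mac: bytes, prio: int = 0x8000) -> bytes:
    return (struct.pack("!HBBB", 0, 0, TYPE_CONFIG, flags)
            + struct.pack("!H", prio) + root_mac + struct.pack("!I", 0)
            + struct.pack("!H", prio) + bridge_mac
            + struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256))


TCN_BPDU = struct.pack("!HBB", 0, 0, TYPE_TCN)
REMOTE = bytes.fromhex("00e01eb601af")   # MAC named in the thread's VACL
LOCAL = bytes.fromhex("001122334455")    # constructed second bridge

SAMPLE_FRAMES = [
    _frame(REMOTE, TCN_BPDU),
    _frame(REMOTE, _config_bpdu(FLAG_TC, REMOTE, REMOTE)),  # remote is root, TC set
    _frame(LOCAL, _config_bpdu(0, REMOTE, LOCAL)),           # local bridge relays same root
    _frame(REMOTE, TCN_BPDU),
]
# An IPv4 frame (EtherType 0x0800) shows data-plane traffic is ignored.
NON_BPDU_FRAME = bytes.fromhex("ffffffffffff") + LOCAL + b"\x08\x00" + b"\x00" * 46

if __name__ == "__main__":
    for src, kinds in summarize(SAMPLE_FRAMES + [NON_BPDU_FRAME]).items():
        print(src, dict(kinds))
```

Run against a real export, the per-source counts answer Priscilla's point directly: if TCNs from 00:e0:1e:b6:01:af keep appearing on the ingress side after the VACL is mapped, the frames were never stopped at the sender, and the remedy is on the other bridge (PortFast on its edge ports, or the Layer 3 boundary the thread is already migrating toward), not a filter on the recipient.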

