From: Pavel Markov (pmarkov@paraflow.bg)
Date: Sun Sep 10 2006 - 12:11:52 ART
Problem with STP in IEWB lab 11 - the task is to configure a VACL
allowing only IP traffic with a named access list, and the necessary layer
2 traffic should also be allowed. The problem is with ARP and STP
traffic, which are matched by a MAC extended ACL. For ARP I am matching
ethernet type 0x806:

    mac access-list extended arp-mac-acl
     permit any any 0x806 0x0

For STP I was unable to find the right ACL statement. In the solution
guide I found they used ethernet type LSAP 0x4242:

     permit any any lsap 0x4242 0x0

Using this statement in another MAC ACL I constructed the final VACL:

    mac access-list extended arp-mac-acl
     permit any any 0x806 0x0
    mac access-list extended stp-mac-acl
     permit any any lsap 0x4242 0x0
    ip access-list extended IPONLY
     permit ip any any
    vlan access-map iponly-vacl 5
     action forward
     match mac address arp-mac-acl
    vlan access-map iponly-vacl 6
     action forward
     match mac address stp-mac-acl
    vlan access-map iponly-vacl 10
     action forward
     match ip address IPONLY

The problem is that STP still does not work and the BPDUs are being
filtered by the VACL. To prevent the first advice - I didn't forget to
remove and reapply the VACL after the changes.
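
Added example, not part of the original post: a simplified Python model of how the three match clauses above look at a frame's header, run over constructed sample frames. The names classify and SAMPLES are made up for this illustration, the matching logic is an assumption about how the clauses are evaluated rather than switch code, and the last sample uses the SNAP encapsulation (LSAP 0xAAAA, OUI 00:00:0C, type 0x010B) that Cisco PVST+ BPDUs carry.

```python
import struct

def classify(frame: bytes) -> str:
    """Name of the post's ACL that would match this frame, or 'none' (simplified model)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= 0x0600:
        # Ethernet II framing: the field is an EtherType.
        if type_or_len == 0x0806:
            return "arp-mac-acl"      # permit any any 0x806 0x0
        if type_or_len == 0x0800:
            return "IPONLY"           # permit ip any any
        return "none"
    # IEEE 802.3 framing: the field is a length and an 802.2 LLC header follows.
    if len(frame) < 17:
        raise ValueError("truncated LLC header")
    (lsap,) = struct.unpack("!H", frame[14:16])  # DSAP and SSAP read as one 16-bit value
    if lsap == 0x4242:
        return "stp-mac-acl"          # permit any any lsap 0x4242 0x0
    return "none"

def _hdr(dst_hex: str, type_or_len: int) -> bytes:
    # Constructed source MAC 00:11:22:33:44:55 for every sample.
    return bytes.fromhex(dst_hex) + bytes.fromhex("001122334455") + struct.pack("!H", type_or_len)

# Constructed sample frames (payloads are zero-filled placeholders).
SAMPLES = {
    "arp":        _hdr("ffffffffffff", 0x0806) + bytes(28),
    "ipv4":       _hdr("001122334466", 0x0800) + bytes(20),
    # IEEE 802.1D BPDU: LLC DSAP 0x42, SSAP 0x42, control 0x03.
    "bpdu_8021d": _hdr("0180c2000000", 38) + bytes.fromhex("424203") + bytes(35),
    # SNAP-encapsulated BPDU: LLC 0xAA 0xAA 0x03, then OUI 00:00:0C and type 0x010B.
    "bpdu_snap":  _hdr("01000ccccccd", 50) + bytes.fromhex("aaaa0300000c010b") + bytes(42),
}

def classify_samples() -> dict:
    return {name: classify(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:11s} -> {verdict}")
```
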