Re: Matching L2 protocols : MAC access-list

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Wed Jul 16 2008 - 12:27:44 ART

• Next message: raul raul: "RE: rack number in IPv6"
• Previous message: mohammed shoeb ahmed: "Re: Yes...done my CCIE(R&S)"
• Maybe in reply to: GAURAV MADAN: "Matching L2 protocols : MAC access-list"
• Next in thread: Petr Lapukhov: "Re: Matching L2 protocols : MAC access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Gaurav,

Have an excerps from my notes when I was studying for the exam:

> mac access-list extended arp-mac-acl
> permit any any 0x806 0x0
> mac access-list extended stp-mac-acl
> permit any any lsap 0x4242 0x0
> ip access-list extended IPONLY
> permit ip any any
>
> vlan access-map iponly-vacl 5
> action forward
> match mac address arp-mac-acl
> vlan access-map iponly-vacl 6
> action forward
> match mac address stp-mac-acl
> vlan access-map iponly-vacl 10
> action forward
> match ip address IPONLY

STP don't use Ethernet II frames. It uses 802.3 SNAP Frames.

IEEE STP uses Ethernet SNAP Frames with DSAP=SSAP=0x42 which means
LSAP=0x4242.
Cisco's PVST+ uses Ethernet SNAP Frames with DSAP=SSAP=0xAA which means
LSAP=0xAAAA.
ARP uses 0x0806

HTH a little

Sadiq

• Next message: raul raul: "RE: rack number in IPv6"
• Previous message: mohammed shoeb ahmed: "Re: Yes...done my CCIE(R&S)"
• Maybe in reply to: GAURAV MADAN: "Matching L2 protocols : MAC access-list"
• Next in thread: Petr Lapukhov: "Re: Matching L2 protocols : MAC access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART