Re: Matching L2 protocols : MAC access-list

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Jul 16 2008 - 12:50:20 ART


Well,

if we are talking just about classic spanning tree here (no VTP, CDP etc)
consider the following:

Cisco switches run different types of STP protocol, depending on whether the
connected port is access, ISL trunk, or 802.1q trunk.

1) On access ports, standard IEEE STP BPDUs are used. They are being sent to
IEEE multicast MAC address using 802.2 LLC SAP encapsulation with fields for
SSAP/DSAP=0x42 resulting in the following MAC ACL:

! IEEE STP BPDUs: 802.2 LLC, DSAP/SSAP = 0x42, mask 0x0 = exact match
mac access-list extended IEEE_STP
 permit any any lsap 0x4242 0x0

2) On ISL trunks, Cisco runs PVST. Now, the *same* IEEE STP BPDUs are being
sent on each VLAN, using additional ISL header. The fun part is that ISL
header has special flags to distinguish frames carrying STP BPDUs, so this
is why PVST can use the regular IEEE BPDU here! You can match IEEE STP BPDUs
on per-VLAN basis using the same SSAP/DSAP values of 0x42.

3) On 802.1q trunks, Cisco runs PVST+. Now this one is more complicated. At
the same time, IEEE STP BPDUs are being sent on native VLAN (though those
BPDUs correspond to VLAN1 always!), using SAP encapsulation and LSAP value
of 0x4242. On all other VLANs, SSTP BPDUs are being sent to a special Cisco
multicast MAC, using 802.2 LLC *SNAP* encapsulation and SNAP ethertype
0x010B. Therefore, you can match SSTP BPDUs using the following MAC ACL:

! SSTP BPDUs: SNAP ethertype 0x010B, mask 0x0 = exact match (same form as above)
mac access-list extended SSTP
 permit any any 0x010B 0x0

This may look a little bit burdensome to remember. However, using the
following debug command you can quickly grab the ethertype/SAP values:

Rack1SW2#debug spanning-tree switch tx decode

E.g. for IEEE BPDUs:

11:25:35: STP SW: TX: 0180.c200.0000<-0019.55bb.8b8f type/len 0026
11:25:35: encap SAP linktype ieee-st vlan 1 len 60 on v1 Fa0/13
11:25:35: 42 42 03 SPAN
11:25:35: CFG P:0000 V:00 T:00 F:00 R:8001 0019.55bb.8b80 00000000
11:25:35: B:8001 0019.55bb.8b80 80.0F A:0000 M:1400 H:0200 F:0F00

and for SSTP BPDUs:

11:25:36: STP SW: TX: 0100.0ccc.cccd<-0019.55bb.8b8f type/len 0032
11:25:36: encap SNAP linktype sstp vlan 5 len 64 on v5 Fa0/13
11:25:36: AA AA 03 00000C 010B SSTP
11:25:36: CFG P:0000 V:00 T:00 F:00 R:8005 0019.55bb.8b80 00000000
11:25:36: B:8005 0019.55bb.8b80 80.0F A:0000 M:1400 H:0200 F:0F00

Note that this command must be executed at the root switch. Also, it gives
you really noisy output if you have many spanning-tree instances running
and tons of interfaces up. So make sure you disable all ports, with the
exception of maybe just one 802.1q trunk, and leave only a couple of VLANs
active on the trunk.

Also, this topic is on my writeup queue for our blog :) Stay tuned for more
detailed information!

HTH

-- 
Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.internetworkexpert.com

2008/7/16 GAURAV MADAN <gauravmadan1177@gmail.com>:

> Hi Group
>
> If a question says that we need to permit only required L2 protocols
> on say vlan XYZ and my bare minimum L2 protocols include STP/PVST;
> then in that case how do I define the mac access-list?
>
> This wrong creation of vlan map is causing an STP loop in my topology.
> Can someone please let me know how to match these in a mac access-list?
>
> Thanks in advance
> Gaurav Madan.
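Added example, not part of Petr's post or any Cisco code: it builds the two BPDU encapsulations shown in the debug output above (IEEE STP as LLC SAP 0x42/0x42, SSTP as SNAP with Cisco OUI and type 0x010B) and classifies a frame on the same header fields the two MAC ACLs key on. The MAC addresses and timer values are taken from the debug lines; the trailing SSTP VLAN TLV layout is an assumption from the commonly documented PVST+ format, not from the post.

```python
"""Build IEEE STP and Cisco SSTP BPDU frames and classify them the way the
two MAC ACLs would (LLC SAPs for IEEE STP, SNAP ethertype for SSTP)."""
import struct

IEEE_STP_DST = bytes.fromhex("0180c2000000")  # IEEE bridge-group multicast
SSTP_DST = bytes.fromhex("01000ccccccd")      # Cisco PVST+ (SSTP) multicast
SRC_MAC = bytes.fromhex("001955bb8b8f")       # sending port from the debug lines
CISCO_OUI = bytes.fromhex("00000c")


def config_bpdu(prio: int, bridge_mac: bytes, port_id: int = 0x800F) -> bytes:
    """35-byte 802.1D configuration BPDU. Values mirror the debug output:
    root = this bridge, cost 0, max age 20s, hello 2s, forward delay 15s."""
    bid = struct.pack("!H", prio) + bridge_mac          # bridge id: prio + MAC
    return (b"\x00\x00" + b"\x00" + b"\x00" + b"\x00"   # proto, version, type, flags
            + bid + b"\x00\x00\x00\x00" + bid           # root id, path cost, bridge id
            + struct.pack("!HHHHH", port_id, 0x0000, 0x1400, 0x0200, 0x0F00))


def ieee_stp_frame(bpdu: bytes) -> bytes:
    """802.3 frame with LLC DSAP/SSAP 0x42 (what 'lsap 0x4242 0x0' matches)."""
    payload = b"\x42\x42\x03" + bpdu
    return IEEE_STP_DST + SRC_MAC + struct.pack("!H", len(payload)) + payload


def sstp_frame(bpdu: bytes, vlan: int) -> bytes:
    """802.3 frame with LLC SNAP, Cisco OUI and type 0x010B, followed by the
    SSTP VLAN TLV (type 0, length 2, VLAN id). TLV layout is an assumption."""
    payload = (b"\xaa\xaa\x03" + CISCO_OUI + b"\x01\x0b" + bpdu
               + struct.pack("!HHH", 0x0000, 2, vlan))
    return SSTP_DST + SRC_MAC + struct.pack("!H", len(payload)) + payload


def classify(frame: bytes) -> str:
    """Return 'ieee-stp', 'sstp' or 'other' from the LLC/SNAP header."""
    if len(frame) < 17:
        return "other"
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len >= 0x600:  # Ethernet II (no LLC header): neither ACL applies
        return "other"
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if (dsap, ssap, ctrl) == (0x42, 0x42, 0x03):
        return "ieee-stp"
    if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03) and len(frame) >= 22:
        if frame[17:20] == CISCO_OUI and frame[20:22] == b"\x01\x0b":
            return "sstp"
    return "other"
```

The IEEE frame's 802.3 length field comes out as 0x0026, the same "type/len 0026" value the debug output shows.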



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART