Re: Matching L2 protocols : MAC access-list

From: GAURAV MADAN (gauravmadan1177@gmail.com)
Date: Fri Jul 18 2008 - 15:37:40 ART


Hi Petr and all

Thanks for the help provided.
What I get from the mails is:

To match for ARP : 0x0806 is to be mapped
For access ports : LSAP 0x4242
ISL Trunk : LSAP 0x42
dot1Q trunk : still not clear, but LSAP 0xAAAA worked for me.

Please let me know if I am correct or not.

Gaurav Madan.

On Wed, Jul 16, 2008 at 9:20 PM, Petr Lapukhov
<petr@internetworkexpert.com> wrote:
> Well,
> if we are talking just about classic spanning tree here (no VTP, CDP etc)
> consider the following:
> Cisco switches run different types of STP protocol, depending on whether the
> connected port is access, ISL trunk, or 802.1q trunk.
>
> 1) On access ports, standard IEEE STP BPDUs are used. They are being sent to
> IEEE multicast MAC address using 802.2 LLC SAP encapsulation with fields for
> SSAP/DSAP=0x42 resulting in the following MAC ACL:
> mac access-list ext IEEE_STP
> permit any any lsap 0x4242 0x0
> 2) On ISL trunks, Cisco runs PVST. Now, the *same* IEEE STP BPDUs are being
> sent on each VLAN, using additional ISL header. The fun part is that ISL
> header has special flags to distinguish frames carrying STP BPDUs, so this
> is why PVST can use the regular IEEE BPDU here! You can match IEEE STP BPDUs
> on per-VLAN basis using the same SSAP/DSAP values of 0x42.
> 3) On 802.1q trunks, Cisco runs PVST+. Now this one is more complicated. At
> the same time, IEEE STP BPDUs are being sent on native VLAN (though those
> BPDUs correspond to VLAN1 always!), using SAP encapsulation and LSAP value
> of 0x4242. On all other VLANs, SSTP BPDUs are being sent to a special Cisco
> multicast MAC, using 802.2 LLC *SNAP* encapsulation and SNAP ethertype
> 0x010B. Therefore, you can match SSTP BPDUs using the following MAC ACL
> mac access-list SSTP
> permit any any 0x010B
> This may look a little bit burdensome to remember. However, using the
> following debug command you can quickly grab the ethertype/SAP values:
> Rack1SW2#debug spanning-tree switch tx decode
>
> E.g. for IEEE BPDUs:
> 11:25:35: STP SW: TX: 0180.c200.0000<-0019.55bb.8b8f type/len 0026
> 11:25:35: encap SAP linktype ieee-st vlan 1 len 60 on v1 Fa0/13
> 11:25:35: 42 42 03 SPAN
> 11:25:35: CFG P:0000 V:00 T:00 F:00 R:8001 0019.55bb.8b80 00000000
> 11:25:35: B:8001 0019.55bb.8b80 80.0F A:0000 M:1400 H:0200 F:0F00
> and for SSTP BPDUs:
> 11:25:36: STP SW: TX: 0100.0ccc.cccd<-0019.55bb.8b8f type/len 0032
> 11:25:36: encap SNAP linktype sstp vlan 5 len 64 on v5 Fa0/13
> 11:25:36: AA AA 03 00000C 010B SSTP
> 11:25:36: CFG P:0000 V:00 T:00 F:00 R:8005 0019.55bb.8b80 00000000
> 11:25:36: B:8005 0019.55bb.8b80 80.0F A:0000 M:1400 H:0200 F:0F00
> Note that this command must be executed at the root switch. Also, it gives
> you really noisy output if you have many spanning-tree instances running
> and tons of interfaces up. So make sure you disable all ports, with the
> exception of maybe just one 802.1 trunk, and leave only a couple of VLANs
> active on the trunk.
> Also, this topic is on my writeup queue for our blog :) Stay tuned for more
> detailed information!
> HTH
> --
> Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
> Online Community: http://www.IEOC.com
> CCIE Blog: http://blog.internetworkexpert.com
>
> 2008/7/16 GAURAV MADAN <gauravmadan1177@gmail.com>:
>>
>> Hi Group
>>
>> If a question says that we need to permit only required L2 protocols
>> on say vlan XYZ and may bare minimum L2 protocol include STP/PVST;
>> then in that case how do I define the mac access-list?
>>
>> This wrong creation of vlan map is causing STP loop in my topology.
>> Can someone please let me know how to match these in a mac access-list?
>>
>>
>> Thanks in advance
>> Gaurav Madan.
>>
>>

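The two encapsulations Petr's debug output shows, as an added example that is not part of the thread: a small Python classifier that decodes a raw frame's type/length field, 802.1Q tag, 802.2 LLC DSAP/SSAP and SNAP protocol id, and reports which MAC ACL entry it would hit (lsap 0x4242 for IEEE BPDUs, SNAP 0x010B for SSTP BPDUs, or an ethertype such as ARP 0x0806). The sample frames are constructed from the field values in the debug output; the helper names and match strings are my own.

```python
"""Classify raw L2 frames the way the thread's MAC ACL entries would.

IEEE STP BPDUs ride on 802.2 LLC with DSAP/SSAP 0x42 ("lsap 0x4242");
PVST+ SSTP BPDUs ride on LLC/SNAP with the Cisco OUI and PID 0x010B.
"""
import struct

def _mac(b):
    h = b.hex()                       # Cisco xxxx.xxxx.xxxx notation, as in the debug output
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"

def classify_frame(frame):
    """Return dst/src/vlan and an ACL-style match string for one frame."""
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if tl == 0x8100:                  # 802.1Q tag: TCI, then the real type/len
        tci, tl = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    info = {"dst": _mac(dst), "src": _mac(src), "vlan": vlan}
    if tl > 0x05DC:                   # Ethernet II: field is an ethertype (e.g. ARP 0x0806)
        info["match"] = f"ethertype 0x{tl:04X}"
        return info
    dsap, ssap, ctrl = frame[off:off + 3]   # 802.3 length, so 802.2 LLC follows
    lsap = (dsap << 8) | ssap
    if lsap == 0x4242:
        info["match"] = "lsap 0x4242 (IEEE STP BPDU)"
    elif lsap == 0xAAAA and ctrl == 0x03:   # SNAP: 3-byte OUI + 2-byte protocol id
        oui = frame[off + 3:off + 6]
        pid = struct.unpack("!H", frame[off + 6:off + 8])[0]
        sstp = pid == 0x010B and oui == b"\x00\x00\x0c"
        info["match"] = f"snap 0x{pid:04X}" + (" (SSTP BPDU)" if sstp else "")
    else:
        info["match"] = f"lsap 0x{lsap:04X}"
    return info

# Constructed sample frames, built from the field values in the debug output above.
CFG_BPDU = bytes.fromhex(
    "0000 00 00 00"  "8001 001955bb8b80"  "00000000"          # proto/ver/type/flags, root id, cost
    "8001 001955bb8b80"  "800f 0000 1400 0200 0f00")          # bridge id, port id, ages, timers
SRC = bytes.fromhex("001955bb8b8f")
IEEE_FRAME = (bytes.fromhex("0180c2000000") + SRC + struct.pack("!H", 0x26)
              + bytes.fromhex("424203") + CFG_BPDU)
SSTP_FRAME = (bytes.fromhex("01000ccccccd") + SRC + struct.pack("!HHH", 0x8100, 5, 0x32)
              + bytes.fromhex("aaaa03 00000c 010b") + CFG_BPDU).ljust(18 + 0x32, b"\x00")
ARP_FRAME = bytes.fromhex("ffffffffffff") + SRC + struct.pack("!H", 0x0806) + bytes(28)

if __name__ == "__main__":
    for f in (IEEE_FRAME, SSTP_FRAME, ARP_FRAME):
        print(classify_frame(f))
```

The same decode logic applied to a switch-port capture shows which entry of a VLAN map's MAC ACL each frame would hit, which is how to check a map before it drops the BPDUs and opens a loop.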


This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART