From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Fri Jul 18 2008 - 16:29:27 ART
Please, remember that by filtering LSAP 0xAAAA you will also filter all SNAP
traffic (e.g. CDP, VTP). The same thing with permitting LSAP 0xAAAA - it
permits all SNAP encapsulated traffic.
As for PVST+, you need to match *both* ethertype (SNAP PID) 0x010B as well
as LSAP 0x4242, for PVST+ sends both IEEE BPDUs and SSTP BPDUs if you want
to filter/permit PVST+ BPDUs exclusively.
For more information on PVST+ internal details you may look at
http://blog.internetworkexpert.com/2008/07/17/pvst-explained/
HTH
--
Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.internetworkexpert.com
2008/7/18 GAURAV MADAN <gauravmadan1177@gmail.com>:
> Hi Petr and all
>
> Thnx for the help provided.
> What I get from mails is:
>
> To match for ARP: 0x0806 is to be mapped
> For access ports: LSAP 0x4242
> ISL Trunk: LSAP 0x42
> dot1Q trunk: still not clear but LSAP 0xAAAA worked for me.
>
> Please lemme know if I am correct or not
>
> Gaurav Madan.
>
>
> On Wed, Jul 16, 2008 at 9:20 PM, Petr Lapukhov
> <petr@internetworkexpert.com> wrote:
> > Well,
> > if we are talking just about classic spanning tree here (no VTP, CDP etc)
> > consider the following:
> > Cisco switches run different types of STP protocol, depending on whether the
> > connected port is access, ISL trunk, or 802.1q trunk.
> >
> > 1) On access ports, standard IEEE STP BPDUs are used. They are being sent to
> > IEEE multicast MAC address using 802.2 LLC SAP encapsulation with fields for
> > SSAP/DSAP=0x42 resulting in the following MAC ACL:
> > mac access-list ext IEEE_STP
> > permit any any lsap 0x4242 0x0
> > 2) On ISL trunks, Cisco runs PVST. Now, the *same* IEEE STP BPDUs are being
> > sent on each VLAN, using additional ISL header. The fun part is that ISL
> > header has special flags to distinguish frames carrying STP BPDUs, so this
> > is why PVST can use the regular IEEE BPDU here! You can match IEEE STP BPDUs
> > on per-VLAN basis using the same SSAP/DSAP values of 0x42.
> > 3) On 802.1q trunks, Cisco runs PVST+. Now this one is more complicated. At
> > the same time, IEEE STP BPDUs are being sent on native VLAN (though those
> > BPDUs correspond to VLAN1 always!), using SAP encapsulation and LSAP value
> > of 0x4242. On all other VLANs, SSTP BPDUs are being sent to special Cisco
> > multicast MAC, using 802.2 LLC *SNAP* encapsulation and SNAP ethertype
> > 0x010B. Therefore, you can match SSTP BPDUs using the following MAC ACL
> > mac access-list SSTP
> > permit any any 0x010B
> > This may look a little bit burdensome to remember. However, using the
> > following debug command you can quickly grab the ethertype/SAP values:
> > Rack1SW2#debug spanning-tree switch tx decode
> >
> > E.g. for IEEE BPDUs:
> > 11:25:35: STP SW: TX: 0180.c200.0000<-0019.55bb.8b8f type/len 0026
> > 11:25:35: encap SAP linktype ieee-st vlan 1 len 60 on v1 Fa0/13
> > 11:25:35: 42 42 03 SPAN
> > 11:25:35: CFG P:0000 V:00 T:00 F:00 R:8001 0019.55bb.8b80 00000000
> > 11:25:35: B:8001 0019.55bb.8b80 80.0F A:0000 M:1400 H:0200 F:0F00
> > and for SSTP BPDUs:
> > 11:25:36: STP SW: TX: 0100.0ccc.cccd<-0019.55bb.8b8f type/len 0032
> > 11:25:36: encap SNAP linktype sstp vlan 5 len 64 on v5 Fa0/13
> > 11:25:36: AA AA 03 00000C 010B SSTP
> > 11:25:36: CFG P:0000 V:00 T:00 F:00 R:8005 0019.55bb.8b80 00000000
> > 11:25:36: B:8005 0019.55bb.8b80 80.0F A:0000 M:1400 H:0200 F:0F00
> > Note that this command must be executed at the root switch. Also, it gives
> > you really noisy output, if you have many spanning-tree instances running
> > and tons of interfaces up. So make sure you disabled all ports with
> > exception for maybe just one 802.1 trunk, and left only a couple of VLANs
> > active on the trunk.
> > Also, this topic is on my writeup queue for our blog :) Stay tuned for more
> > detailed information!
> > HTH
> > --
> > Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
> > petr@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Outside US: 775-826-4344
> > Online Community: http://www.IEOC.com
> > CCIE Blog: http://blog.internetworkexpert.com
> >
> > 2008/7/16 GAURAV MADAN <gauravmadan1177@gmail.com>:
> >>
> >> Hi Group
> >>
> >> If a question says that we need to permit only required L2 protocols
> >> on say vlan XYZ and may bare minimum L2 protocol include STP/PVST ;
> >> then in that case how do I define the mac access-list ?
> >>
> >> This wrong creation of vlan map is causing STP loop in my topology .
> >> Can some one please lemme know how to match these in a mac access-list ?
> >>
> >>
> >> Thnx in advance
> >> Gaurav Madan.
> >>
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
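Added example, not from this thread or from Cisco: a small Python model of how the lsap and bare-ethertype keywords of a "permit any any ..." entry are tested against the LLC/SNAP headers seen in the debug output above. Three constructed frames (an IEEE BPDU, an SSTP BPDU, and a CDP frame, whose SNAP protocol id 0x2000 is assumed here and not on the page) are run through the ACEs from the thread, showing that lsap 0xAAAA sweeps in every SNAP protocol while 0x010B isolates SSTP BPDUs.

```python
import struct

SNAP_LSAP = 0xAAAA        # DSAP/SSAP AA AA: every SNAP-encapsulated protocol
IEEE_STP_LSAP = 0x4242    # DSAP/SSAP 42 42: IEEE STP BPDUs
CISCO_OUI = b"\x00\x00\x0c"
SSTP_PID, CDP_PID = 0x010B, 0x2000   # SNAP protocol ids: SSTP (from the thread), CDP (assumed)

def llc_frame(dst_hex: str, lsap: int, snap_pid=None, payload=b"") -> bytes:
    """Build a constructed 802.3 frame: MACs, length, LLC header, optional SNAP header."""
    body = bytes([lsap >> 8, lsap & 0xFF, 0x03])          # DSAP, SSAP, UI control field
    if snap_pid is not None:
        body += CISCO_OUI + struct.pack("!H", snap_pid)   # SNAP OUI + 2-byte protocol id
    body += payload
    src = bytes.fromhex("001955bb8b8f")                     # source MAC taken from the debug output
    return bytes.fromhex(dst_hex) + src + struct.pack("!H", len(body)) + body

def parse_frame(frame: bytes) -> dict:
    """Extract the fields a MAC ACL's lsap / ethertype keywords are tested against."""
    dst, _src, typelen = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(), "ethertype": None, "lsap": None, "pid": None}
    if typelen > 0x05DC:                 # Ethernet II type field: no LLC header follows
        info["ethertype"] = typelen
        return info
    info["lsap"] = (frame[14] << 8) | frame[15]
    if info["lsap"] == SNAP_LSAP:        # SNAP: 3-byte OUI, then the 2-byte protocol id
        info["pid"] = struct.unpack("!H", frame[20:22])[0]
    return info

def ace_matches(ace: str, frame: bytes) -> bool:
    """Evaluate the protocol part of a 'permit any any ...' entry against one frame."""
    p, words = parse_frame(frame), ace.split()
    if words[0] != "lsap":               # bare number: Ethernet II type or SNAP protocol id
        return int(words[0], 16) in (p["ethertype"], p["pid"])
    value, mask = int(words[1], 16), (int(words[2], 16) if len(words) > 2 else 0)
    return p["lsap"] is not None and (p["lsap"] & ~mask) == (value & ~mask)

FRAMES = {   # constructed from the encapsulations shown in the debug output
    "ieee_bpdu": llc_frame("0180c2000000", IEEE_STP_LSAP, payload=b"\x00" * 35),
    "sstp_bpdu": llc_frame("01000ccccccd", SNAP_LSAP, SSTP_PID, b"\x00" * 42),
    "cdp":       llc_frame("01000ccccccc", SNAP_LSAP, CDP_PID, b"\x02\xb4\x00\x00"),
}

def matched_by(ace: str) -> set:
    """Names of the constructed frames that the given ACE would permit (or deny)."""
    return {name for name, frame in FRAMES.items() if ace_matches(ace, frame)}

if __name__ == "__main__":
    for ace in ("lsap 0x4242 0x0", "lsap 0xAAAA", "0x010B"):
        print(f"permit any any {ace:<16} -> {sorted(matched_by(ace))}")
```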
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART