ASA and ISIS

ahmede1
Level 1

We are running CLNS ISIS between two routers, and we are inserting an ASA in between to act as an L2 FW.

 

I know starting version 9.5, ASA supports ISIS.

 

We had to add an "ethertype permit any" rule at the end of the ACL to make ISIS work. But we are trying to limit the Ethertype by specifying the Ethertype #. Does anyone know what Ethertype # is used by ISIS? Is there any other way to allow ISIS packets through the L2 FW?


Hi @ahmede1

 

According to this doc, there's an ACL specific for ISIS:

 

access-list access_list_name ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | is-is | any | hex_number}

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/acl-ethertype.pdf

 

-If I helped you somehow, please, rate it as useful.-

Thank you. We did try that, but it doesn't work. Once we add ISIS only, ISIS stops working, and we also see no hits on the access list.

 

 

access-list ISIS_ACL ethertype permit isis (hitcount=0)

access-list ISIS_ACL ethertype permit any (hitcount=275201669)

That's weird. Should work and we can't suppose that some necessary traffic is being blocked, wouldn't make sense as the documentation is clear to use isis as ethertype and nothing more.
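
Added example, not part of the thread or the Cisco document: on Ethernet, IS-IS PDUs are carried in IEEE 802.3 frames with an LLC header (DSAP/SSAP 0xFE, then NLPID 0x83) rather than in Ethernet II frames, so the two bytes where an EtherType would sit hold a length. The Python sketch below classifies a captured frame on that basis; the sample frames are constructed and truncated, and the function and constant names are this example's own.

```python
import struct

OSI_SAP = 0xFE      # LLC DSAP/SSAP assigned to the ISO network layer
LLC_UI = 0x03       # LLC control field: unnumbered information
ISIS_NLPID = 0x83   # first payload byte of every IS-IS PDU
DOT1Q = 0x8100      # 802.1Q VLAN tag identifier


def classify(frame: bytes) -> dict:
    """Report how an Ethernet frame is framed and whether it carries IS-IS."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    off = 12                                  # offset of the type/length field
    (value,) = struct.unpack_from("!H", frame, off)
    if value == DOT1Q:                        # step over a single VLAN tag
        off += 4
        if len(frame) < off + 2:
            raise ValueError("truncated VLAN-tagged frame")
        (value,) = struct.unpack_from("!H", frame, off)
    if value >= 0x0600:                       # Ethernet II: value is an EtherType
        return {"framing": "ethernet-ii", "ethertype": value, "isis": False}
    # IEEE 802.3: value is the payload length and an LLC header follows it.
    llc = tuple(frame[off + 2:off + 6])
    isis = llc == (OSI_SAP, OSI_SAP, LLC_UI, ISIS_NLPID)
    return {"framing": "802.3-llc", "ethertype": None,
            "length": value, "isis": isis}


# Constructed, truncated sample frames (not captured from a real network).
# dst = AllL2ISs multicast, length 0x0008, LLC fe fe 03, start of an L2 LAN hello
ISIS_HELLO = bytes.fromhex(
    "0180c2000015 001122334455 0008 fefe03 831b010010")
# Same PDU behind an 802.1Q tag for VLAN 100
ISIS_TAGGED = bytes.fromhex(
    "0180c2000015 001122334455 8100 0064 0008 fefe03 831b010010")
# ARP request header: an ordinary Ethernet II frame with EtherType 0x0806
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff 001122334455 0806 0001080006040001")

if __name__ == "__main__":
    for name, frame in [("isis", ISIS_HELLO), ("isis-vlan", ISIS_TAGGED),
                        ("arp", ARP_REQUEST)]:
        print(name, classify(frame))
```

Running `classify` over frames exported from a capture taken on each side of the firewall shows whether the hellos arrive as 802.3/LLC and which side stops seeing them.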
