11-28-2012 04:45 AM - edited 03-07-2019 10:17 AM
Hi,
I have to implement a VACL to filter PVST+ BPDUs sent on an 802.1q trunk port.
For instance here http://ardenpackeer.com/tutorials/security/security-common-ethertypes-in-vlan-access-maps/ you can find a mac access-list example to match PVST+;
PVST+ BPDUs are sent on trunk port using 802.3 ethernet + LLC SNAP (SSAP=DSAP=0xAA and SNAP PID = 0x010B)
Now the suggested mac acl:
mac access-list extended PVST+
permit any any lsap 0xAAAA 0x0
implements the SSAP=DSAP=0xAA match, but... what about the SNAP Protocol ID (PID)? Is it also possible to include this match in an (extended) MAC ACL?
thanks.
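The gap the question points at, shown as an added example that is not part of the original post: a small parser comparing an LSAP-only match with a full SNAP check on constructed frames. The Cisco OUI 0x00000C, the CDP PID 0x2000 and the destination MACs are supplied for the comparison, and the `lsap 0xAAAA 0x0` entry is modelled on the assumption that mask 0x0 means an exact match.

```python
import struct

SRC = bytes.fromhex("001122334455")  # constructed source MAC

def frame_8023(dst_hex, llc, payload=b"\x00" * 8):
    """Build a constructed 802.3 frame: dst, src, length, LLC(/SNAP), payload."""
    body = llc + payload
    return bytes.fromhex(dst_hex) + SRC + struct.pack("!H", len(body)) + body

def snap(oui_hex, pid):
    """LLC header with DSAP=SSAP=0xAA, control 0x03, then SNAP OUI + PID."""
    return b"\xaa\xaa\x03" + bytes.fromhex(oui_hex) + struct.pack("!H", pid)

# Constructed sample frames, not captured traffic.
SAMPLES = {
    "pvst+": frame_8023("01000ccccccd", snap("00000c", 0x010B)),
    "cdp": frame_8023("01000ccccccc", snap("00000c", 0x2000)),
    "ieee-stp": frame_8023("0180c2000000", b"\x42\x42\x03"),
    "ipv4": bytes.fromhex("ffffffffffff") + SRC + b"\x08\x00" + b"\x00" * 20,
}

def parse_llc(frame):
    """Return (lsap, oui, pid); oui/pid are None without SNAP, all None without LLC."""
    if len(frame) < 17 or struct.unpack("!H", frame[12:14])[0] > 1500:
        return None, None, None  # too short, or Ethernet II (EtherType, no LLC)
    lsap = struct.unpack("!H", frame[14:16])[0]  # DSAP high byte, SSAP low byte
    if lsap != 0xAAAA or len(frame) < 22:
        return lsap, None, None
    return lsap, frame[17:20].hex(), struct.unpack("!H", frame[20:22])[0]

def lsap_only_match(frame):
    """Models the post's 'lsap 0xAAAA 0x0' entry (assumed: mask 0x0 = exact match)."""
    return parse_llc(frame)[0] == 0xAAAA

def is_pvst_bpdu(frame):
    """Full identification: SNAP LSAP plus Cisco OUI and the PID 0x010B from the post."""
    return parse_llc(frame) == (0xAAAA, "00000c", 0x010B)

def classify():
    """Map each sample name to (lsap-only match, full PVST+ match)."""
    return {name: (lsap_only_match(f), is_pvst_bpdu(f)) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, (lsap_hit, pvst) in classify().items():
        print(f"{name:9} lsap-only={lsap_hit!s:5} pvst+={pvst}")
```

The CDP sample matches the LSAP-only rule but not the full check, so an entry keyed on LSAP alone covers every SNAP-encapsulated frame rather than only PVST+ BPDUs.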
12-01-2012 09:44 AM
Can someone help me?
Thanks
12-01-2012 12:52 PM
Why not just use BPDUfilter? Why would you need to essentially disable STP on a trunk port though?
Sent from Cisco Technical Support iPad App