11-28-2012 04:45 AM - edited 03-07-2019 10:17 AM
Hi,
I have to implement a VACL to filter PVST+ BPDUs sent on an 802.1q trunk port.
For instance here http://ardenpackeer.com/tutorials/security/security-common-ethertypes-in-vlan-access-maps/ you can find a mac access-list example to match PVST+;
PVST+ BPDUs are sent on a trunk port using 802.3 Ethernet + LLC SNAP (SSAP=DSAP=0xAA and SNAP PID = 0x010B).
Now the suggested mac acl:
mac access-list extended PVST+
 permit any any lsap 0xAAAA 0x0
implements the SSAP=DSAP=0xAA match, but... what about the SNAP Protocol ID (PID)? Is it also possible to include this match in an (extended) MAC ACL?
thanks.
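The header fields the question refers to, as an added example that is not part of the original post: a small parser showing that a DSAP/SSAP-only match also hits other SNAP frames, while adding the PID isolates PVST+. The function names, the control byte 0x03, the Cisco OUI 00:00:0C, the destination MACs and the CDP PID 0x2000 are assumptions not stated in the post, and the sample frames are constructed.

```python
import struct

SNAP_LSAP = 0xAAAA   # DSAP=0xAA, SSAP=0xAA (from the post)
PVST_PID = 0x010B    # SNAP PID for PVST+ (from the post)

def parse_llc_snap(frame: bytes):
    """Return (lsap, oui, pid) of an 802.3 LLC frame, or None if not LLC.
    oui and pid are None when the LLC header is not SNAP."""
    off = 12                                   # skip dst + src MAC
    if len(frame) < off + 2:
        return None
    (field,) = struct.unpack_from("!H", frame, off)
    if field == 0x8100:                        # one 802.1Q tag on a trunk
        off += 4
        if len(frame) < off + 2:
            return None
        (field,) = struct.unpack_from("!H", frame, off)
    if field >= 0x0600 or len(frame) < off + 5:  # EtherType, or truncated LLC
        return None
    dsap, ssap, control = frame[off + 2:off + 5]
    lsap = dsap << 8 | ssap
    if lsap != SNAP_LSAP or control != 0x03 or len(frame) < off + 10:
        return lsap, None, None
    oui = frame[off + 5:off + 8]
    (pid,) = struct.unpack_from("!H", frame, off + 8)
    return lsap, oui, pid

def lsap_only_match(frame: bytes) -> bool:
    """What 'lsap 0xAAAA 0x0' expresses: DSAP/SSAP only."""
    parsed = parse_llc_snap(frame)
    return parsed is not None and parsed[0] == SNAP_LSAP

def pvst_match(frame: bytes) -> bool:
    """LSAP plus the SNAP PID the post asks about."""
    parsed = parse_llc_snap(frame)
    return parsed is not None and parsed[2] == PVST_PID

def build_frame(dst_hex: str, pid: int, vlan=None) -> bytes:
    """Constructed sample frame: Cisco OUI 00:00:0C, zeroed payload."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    llc = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C]) + struct.pack("!H", pid)
    body = llc + bytes(36)
    macs = bytes.fromhex(dst_hex) + bytes.fromhex("001122334455")
    return macs + tag + struct.pack("!H", len(body)) + body

PVST_FRAME = build_frame("01000ccccccd", PVST_PID, vlan=10)  # constructed
CDP_FRAME = build_frame("01000ccccccc", 0x2000)              # constructed

if __name__ == "__main__":
    for name, f in (("PVST+", PVST_FRAME), ("CDP", CDP_FRAME)):
        print(name, "lsap-only:", lsap_only_match(f), "lsap+pid:", pvst_match(f))
```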
12-01-2012 09:44 AM
Can someone help me?
Thanks
12-01-2012 12:52 PM
Why not just use BPDUfilter? Why would you need to essentially disable STP on a trunk port though?