I was putting together my study notes on VLAN access maps and all the common Ethertypes that I have been asked to match in the labs I have done. I was trying to figure out how to match spanning tree BPDUs when they are transported in Ethernet frames, and was having real difficulty locating this on the Cisco DOC CD.
I eventually found this explanation by Petr Lapukhov (CCIE #16379) on the Internetwork Expert CCIE forums:
1) Cisco runs IEEE STP over non-trunking links, i.e. access ports. IEEE STP utilizes the 802.3 LLC Ethernet frame format and multicast address 0180.c200.0000. BPDU frames have LSAP values of 0x42 for SSAP/DSAP.
2) Cisco runs PVST over ISL trunks. Basically, this is just a classic IEEE STP BPDU, sent with a VLAN tag, and LSAP value 0x42. Nothing to worry about here.
3) Cisco runs PVST+ over 802.1q trunks. Now it sends IEEE STP over VLAN 1, and duplicates it to the PVST+ multicast address, with PVST+ (SSTP) encapsulation. At the same time, it sends PVST+ BPDUs over every non-native VLAN, tagged with an 802.1q VLAN tag. PVST+ encapsulation is an 802.3 SNAP frame (OUI/Type "0x00 0x00 0x0c / 0x01 0x0b"). This procedure is essentially a tunneling of PVST over an 802.1q IEEE cloud. If 802.1q VLAN 1 is not native, the procedure is a bit different, but still Cisco sends a mix of IEEE and PVST+ BPDUs, with IEEE sent untagged.
Now the lesson is that you should watch for 802.1q with Cisco. With ISL things run smoothly: you have IEEE STP frames on every VLAN. With 802.1q you get that horrible mix.
So, putting all that together, I came up with this:
mac access-list extended IP
permit any any 0x800 0x0
mac access-list extended IPV6
permit any any 0x86DD 0x0
mac access-list extended IP_ARP
permit any any 0x806 0x0
mac access-list extended PVST+
permit any any lsap 0xAAAA 0x0
!
! PVST+ uses LLC SNAP encapsulation, so the LSAP is 0xAAAA.
! To single out PVST+ we would need to look deeper, at the OUI/Type part of the SNAP header,
! but I don't know how that can be matched in Cisco IOS.
mac access-list extended IEEE_STP
permit any any lsap 0x4242 0x0
mac access-list extended ISL_PVST
permit any any lsap 0x4242 0x0
!
! i.e. the same as IEEE_STP: over ISL the BPDU is just a classic IEEE STP BPDU with LSAP 0x42 (see point 2 above).
You can use VLAN access-maps in conjunction with these MAC access-lists to allow or deny only certain traffic within a VLAN.
For example, to allow only IP and ARP in VLAN 10:
!
! Be careful: sequence 30 drops everything that is not IPv4 or ARP, which includes spanning-tree BPDUs, so this can cause loops!
!
ip access-list extended IP
permit ip any any
!
mac access-list extended IP_ARP
permit any any 0x806 0x0
!
vlan access-map IP_AND_ARP_ONLY 10
action forward
match ip address IP
!
vlan access-map IP_AND_ARP_ONLY 20
action forward
match mac address IP_ARP
!
vlan access-map IP_AND_ARP_ONLY 30
action drop
!
vlan filter IP_AND_ARP_ONLY vlan-list 10
In the example above we use an IP access-list to match IP traffic. I originally thought that a MAC access-list could have been used for this as well, but an astute reader (see the comments below; thanks Sharath!) pointed out that this is not possible: these switches process IP packets differently from non-IP frames, so IPv4 has to be matched with an IP access-list. Note that the thread below does not resolve why an explicit MAC-ACL drop of Ethertype 0x86DD did not stop IPv6 either, so test that behaviour on your own platform before relying on a VLAN map to block IPv6. I hope this helps. Now back to labs! :)
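To make the encapsulation rules in Petr's explanation and the ACL behaviour in the example above concrete, here is an added Python model (written for this post, not Cisco code). It parses hand-built Ethernet frames into the fields a `mac access-list extended` entry compares against (Ethernet II type, 802.2 LLC DSAP/SSAP as the 16-bit `lsap` value, and the SNAP OUI/PID that IOS cannot match), strips an 802.1Q tag, and then walks a VLAN access-map in sequence order with first-match semantics and an implicit drop. The platform rule from the comment thread (3550/3560: IPv4 is only matched by IP ACLs, never by MAC ACLs) is modelled explicitly so that Sharath's `P2F` map drops IPv4 while the corrected `IP_AND_ARP_ONLY` map forwards it. IPv6 is deliberately not modelled, since the thread does not settle how the switch handles it. The sample frames, MAC addresses and BPDU payloads are constructed and padded short of the 64-byte minimum; the `IP` MAC ACL stands in for Sharath's identically defined `IPV4`.

```python
"""Model of how Cisco Catalyst MAC ACLs and VLAN access-maps see frames.
Added example for this article (not Cisco code). Frames and maps below are
constructed from the configs on the page."""
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
STP_MAC = bytes.fromhex("0180c2000000")   # IEEE STP multicast
PVST_MAC = bytes.fromhex("01000ccccccd")  # Cisco PVST+ (SSTP) multicast

def build_frame(dst, src, payload, vlan=None, ethertype=None):
    """Constructed test frame: Ethernet II when ethertype is given,
    otherwise 802.3 with a length field so an LLC header follows."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan)  # PCP/DEI = 0
    hdr += struct.pack("!H", ethertype if ethertype is not None else len(payload))
    return hdr + payload

def parse_frame(frame):
    """Return the fields a MAC ACL can match on, after stripping any 802.1Q tag."""
    info = {"dst": frame[:6], "src": frame[6:12], "vlan": None,
            "ethertype": None, "lsap": None, "snap": None}
    off = 12
    tl = struct.unpack_from("!H", frame, off)[0]
    if tl == ETHERTYPE_DOT1Q:                     # tagged: VLAN ID is the low 12 bits of the TCI
        info["vlan"] = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        tl = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if tl >= 0x0600:                              # Ethernet II: the value is a type
        info["ethertype"] = tl
    else:                                         # 802.3: the value is a length, LLC follows
        dsap, ssap = frame[off], frame[off + 1]
        info["lsap"] = (dsap << 8) | ssap         # the 16-bit value 'lsap 0xNNNN' compares against
        if dsap == 0xAA and ssap == 0xAA:         # SNAP: 1-byte control, then OUI (3) + PID (2)
            info["snap"] = (frame[off + 3:off + 6], struct.unpack_from("!H", frame, off + 6)[0])
    return info

def mac_entry_matches(entry, info):
    """One 'permit any any <type|lsap> <value> <mask>' entry. IOS masks are
    don't-care bits, so a mask of 0x0 means every bit must match."""
    kind, value, mask = entry
    if info["ethertype"] == ETHERTYPE_IPV4:
        return False   # 3550/3560: MAC ACLs never see IPv4 (per Sharath's comment)
    field = info["ethertype"] if kind == "type" else info["lsap"]
    return field is not None and (field & ~mask & 0xFFFF) == (value & ~mask & 0xFFFF)

MAC_ACLS = {   # the MAC ACLs from the article
    "IP":       [("type", 0x0800, 0x0)],
    "IPV6":     [("type", 0x86DD, 0x0)],
    "IP_ARP":   [("type", 0x0806, 0x0)],
    "PVST+":    [("lsap", 0xAAAA, 0x0)],
    "IEEE_STP": [("lsap", 0x4242, 0x0)],
}

def matching_mac_acls(frame):
    info = parse_frame(frame)
    return sorted(n for n, acl in MAC_ACLS.items()
                  if any(mac_entry_matches(e, info) for e in acl))

def vacl_action(access_map, frame):
    """Walk sequences in order; the first matching clause decides. A sequence
    without a match clause matches everything; no match at all is an implicit drop."""
    info = parse_frame(frame)
    for _seq, action, clauses in sorted(access_map, key=lambda s: s[0]):
        if not clauses:
            return action
        for kind, acl in clauses:
            if kind == "ip" and info["ethertype"] == ETHERTYPE_IPV4:
                return action  # models 'permit ip any any' in the IP ACL
            if kind == "mac" and any(mac_entry_matches(e, info) for e in MAC_ACLS[acl]):
                return action
    return "drop"

# The corrected map from the article, and Sharath's MAC-only map P2F.
IP_AND_ARP_ONLY = [(10, "forward", [("ip", "IP")]),
                   (20, "forward", [("mac", "IP_ARP")]),
                   (30, "drop", [])]
P2F = [(10, "forward", [("mac", "IEEE_STP")]),
       (11, "forward", [("mac", "IP")]),
       (12, "forward", [("mac", "IP_ARP")]),
       (20, "drop", [])]

# Constructed sample frames (hand-built, not captured; minimum-size padding omitted).
SRC = bytes.fromhex("001ae3b50140")
CFG_BPDU = b"\x00\x00\x00\x00" + b"\x00" * 31          # protocol 0, version 0, config BPDU
IEEE_BPDU = build_frame(STP_MAC, SRC, b"\x42\x42\x03" + CFG_BPDU)
PVST_BPDU = build_frame(PVST_MAC, SRC,
                        b"\xaa\xaa\x03" + bytes.fromhex("00000c010b") + CFG_BPDU, vlan=10)
ARP = build_frame(b"\xff" * 6, SRC, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20,
                  ethertype=0x0806)
IPV4 = build_frame(SRC, SRC, b"\x45" + b"\x00" * 19, ethertype=ETHERTYPE_IPV4)

if __name__ == "__main__":
    for name, f in [("IEEE BPDU", IEEE_BPDU), ("PVST+ BPDU", PVST_BPDU), ("ARP", ARP), ("IPv4", IPV4)]:
        print(f"{name:11s} mac-acls={matching_mac_acls(f)} "
              f"IP_AND_ARP_ONLY={vacl_action(IP_AND_ARP_ONLY, f)} P2F={vacl_action(P2F, f)}")
```

Running it shows the two points the page makes: both BPDU flavours fall through to the final drop of `IP_AND_ARP_ONLY` (the loop warning above), and an IPv4 frame is forwarded by `IP_AND_ARP_ONLY` but dropped by `P2F`, because the `permit any any 0x800 0x0` MAC entry never sees it.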
Hi Arden,
This was a really helpful guide on Ether Types. But I am really facing some strange issues.
Objective:
I am trying to make vlan 1 an IP only VLAN.
Configuration:
I have configured the following MAC ACLs.
mac access-list extended IEEE_STP
permit any any lsap 0x4242 0x0
mac access-list extended IPARP
permit any any 0x806 0x0
mac access-list extended IPV4
permit any any 0x800 0x0
The following is the VLAN Access Map
vlan access-map P2F 10
action forward
match mac address IEEE_STP
vlan access-map P2F 11
action forward
match mac address IPV4
vlan access-map P2F 12
action forward
match mac address IPARP
vlan access-map P2F 20
action drop
!
vlan filter P2F vlan-list 1
The VLAN1 SVI is also configured with an IPV4 and IPV6 address.
interface Vlan1
ip address 192.168.1.7 255.255.255.0
no ip route-cache
ipv6 address 2001:210:10:1::3/64
ipv6 enable
end
Problem:
Unable to ping IPV4 hosts connected to the Switch.
3560#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
3560#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ARP Cache in the Switch is populated with correct MAC addresses.
3560#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.9             8   0016.d3e5.d3cb  ARPA   Vlan1
Internet  192.168.1.1             1   cc00.1da0.0000  ARPA   Vlan1
Internet  192.168.1.2             1   cc01.1da0.0000  ARPA   Vlan1
Internet  192.168.1.7             -   001a.e3b5.0140  ARPA   Vlan1
What is surprising me is I can ping the IPV6 address without any issues.
3560#ping ipv6 2001:210:10:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:210:10:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/6/17 ms
3560#ping ipv6 2001:210:10:1::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:210:10:1::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/13/33 ms
Why is sequence #20 in the VLAN access-map not dropping the IPv6 frames?
I also configured an explicit drop sequence matching 0x86DD, but nothing changes.
The Software image of the 3560 switch is:
System image file is “flash:c3560-advipservicesk9-mz.122-44.SE2.bin”
Please let me know what am I missing in the configuration?
Thanks in Advance
Sharath
Hello Arden,
The CAT 3550 and 3560 switches process IP packets in a different way than non-IP packets, so it is mandatory to use an IP access-list.
"In the example above we are using an ip access-list to match ip traffic, but we could have also used a mac access-list to do this"
We cannot use a MAC access-list to allow IP packets.
Sharath
Hi Sharath,
Thanks for the correction. I have updated the article.