I think that there's a little gap there.... ARP is definitely necessary, but with your lsap 0xaaaa you are permitting ANY Ethernet_SNAP frames to go across. The fact that Cisco uses SNAP for PVST+ is just one piece of the puzzle there. (normal STP is 0x4242)

You need to look for a destination MAC address of 01-00-0c-cc-cc-cd in addition to the SNAP frame. Where are those things? Good luck with that. :) AFAIK it's not a well-documented feature. You can find the 0x4242 in the IBM Bridging documentation someplace, but the PVST+ information MIGHT be in the switch's spanning tree section, but I don't recall seeing it. I don't recall looking either though!

HTH,
Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Louis S
Sent: Tuesday, June 03, 2008 9:07 PM
To: osl
Subject: [OSL | CCIE_RS] VACL question / remembering hex codes necessary?

So something as simple as only allowing IP traffic to transit a vlan... Now if we have spanning-tree and ARP running on here we would have to remember to permit those in the VACL as well. Is there a DocCD ref or something that may help out with this configuration, or are we just supposed to memorize it? Maybe we could just apply what we know and then debug the VACL? i.e.)

ip access-list extended IPONLY
 permit ip any any
mac access-list extended IP_ARP
 permit any any 0x806 0x0
mac access-list extended PVSTPLUS_STP
 permit any any lsap 0xaaaa 0x0
vlan access-map IPONLY 10
 action forward
 match ip address IPONLY
vlan access-map IPONLY 20
 action forward
 match mac address IP_ARP
vlan access-map IPONLY 30
 action forward
 match mac address PVSTPLUS_STP
vlan access-map IPONLY 40
 action drop
vlan filter IPONLY vlan-list 100
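The classification Scott describes, as an added Python model that is not part of this thread and not Cisco code: it hand-builds a few frames (IPv4, IPv6, ARP, a PVST+ BPDU, a CDP frame, an IEEE 802.1D BPDU), parses the fields a MAC ACL can test, and runs them through two access-maps, the one Louis posted and one whose SNAP rule is also pinned to destination 01-00-0c-cc-cc-cd. The sample frames, the "match ip address" sequence approximated as EtherType 0x0800, and the first-match / implicit-drop evaluation order are assumptions of the model, not verified platform behaviour.

```python
"""Toy model of the VACL matching logic discussed in the thread (not Cisco code).

Ethernet II frames carry an EtherType at offset 12; 802.3/LLC frames carry a
length there, followed by the DSAP/SSAP pair that 'lsap 0xaaaa' compares.
"""
from dataclasses import dataclass
from typing import Optional

# --- constructed sample frames (hand-built, not captured traffic) ------------
SRC = bytes.fromhex("001122334455")              # arbitrary source MAC
UNICAST_DST = bytes.fromhex("66778899aabb")      # arbitrary unicast destination
BCAST = b"\xff" * 6
PVST_DST = bytes.fromhex("01000ccccccd")         # Cisco PVST+ BPDU destination (from the thread)
CDP_DST = bytes.fromhex("01000ccccccc")          # Cisco CDP/VTP destination, also SNAP-encapsulated
IEEE_STP_DST = bytes.fromhex("0180c2000000")     # IEEE 802.1D BPDU destination


def eth2(dst: bytes, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Ethernet II frame: the type field is >= 0x0600."""
    return dst + SRC + ethertype.to_bytes(2, "big") + payload


def llc(dst: bytes, dsap: int, ssap: int, payload: bytes) -> bytes:
    """802.3 frame with an 802.2 LLC header (control 0x03 = unnumbered info)."""
    body = bytes([dsap, ssap, 0x03]) + payload
    return dst + SRC + len(body).to_bytes(2, "big") + body


FRAMES = {
    "ipv4": eth2(UNICAST_DST, 0x0800),
    "ipv6": eth2(UNICAST_DST, 0x86DD),
    "arp": eth2(BCAST, 0x0806),
    # SNAP = DSAP/SSAP 0xAA/0xAA, then OUI 00:00:0c and a Cisco PID (0x010b = PVST+)
    "pvst": llc(PVST_DST, 0xAA, 0xAA, bytes.fromhex("00000c010b") + b"\x00" * 35),
    # Same SNAP encapsulation, different multicast MAC and PID (0x2000 = CDP)
    "cdp": llc(CDP_DST, 0xAA, 0xAA, bytes.fromhex("00000c2000") + b"\x00" * 35),
    # IEEE STP: plain LLC with DSAP/SSAP 0x42/0x42 and no SNAP header
    "ieee_stp": llc(IEEE_STP_DST, 0x42, 0x42, b"\x00" * 35),
}


def parse(frame: bytes) -> dict:
    """Extract the fields a MAC ACL can test: destination MAC, EtherType, LSAP pair."""
    dst = frame[0:6]
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len >= 0x0600:                       # Ethernet II
        return {"dst": dst, "ethertype": type_or_len, "lsap": None}
    # 802.3: DSAP/SSAP follow the length field; 'lsap 0xaaaa 0x0' is an exact match on both
    return {"dst": dst, "ethertype": None, "lsap": (frame[14] << 8) | frame[15]}


@dataclass
class MacAce:
    ethertype: Optional[int] = None    # e.g. 0x806 with mask 0x0 (exact)
    lsap: Optional[int] = None         # e.g. 0xaaaa with mask 0x0 (exact)
    dst: Optional[bytes] = None        # optional exact destination MAC

    def matches(self, f: dict) -> bool:
        if self.dst is not None and f["dst"] != self.dst:
            return False
        if self.ethertype is not None and f["ethertype"] != self.ethertype:
            return False
        if self.lsap is not None and f["lsap"] != self.lsap:
            return False
        return True


# An access-map is a list of (sequence, action, aces). An empty ACE list stands
# for a sequence with no match clause, which matches everything. Assumed
# semantics: sequences are tried in order, the first hit decides, and a frame
# matching nothing is dropped.
def evaluate(access_map, frame: bytes) -> str:
    f = parse(frame)
    for _seq, action, aces in access_map:
        if not aces or any(ace.matches(f) for ace in aces):
            return action
    return "drop"


IP_ANY = MacAce(ethertype=0x0800)                # stand-in for 'match ip address IPONLY' (IPv4 only)
IP_ARP = MacAce(ethertype=0x0806)                # 'permit any any 0x806 0x0'
PVST_LOOSE = MacAce(lsap=0xAAAA)                 # 'permit any any lsap 0xaaaa 0x0' as posted
PVST_TIGHT = MacAce(lsap=0xAAAA, dst=PVST_DST)   # additionally pinned to 01-00-0c-cc-cc-cd

POSTED_MAP = [(10, "forward", [IP_ANY]), (20, "forward", [IP_ARP]),
              (30, "forward", [PVST_LOOSE]), (40, "drop", [])]
TIGHT_MAP = [(10, "forward", [IP_ANY]), (20, "forward", [IP_ARP]),
             (30, "forward", [PVST_TIGHT]), (40, "drop", [])]


def classify(access_map) -> dict:
    """Map each sample frame name to the action the access-map takes on it."""
    return {name: evaluate(access_map, frame) for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for label, amap in (("posted", POSTED_MAP), ("with dst MAC", TIGHT_MAP)):
        print(f"{label}: {classify(amap)}")
```

Running it shows the posted map forwarding the CDP frame along with the PVST+ BPDU, because any SNAP frame satisfies lsap 0xaaaa, while the map that also checks the destination MAC forwards only the PVST+ BPDU. Both maps drop the 0x4242 IEEE BPDU and the IPv6 frame, since nothing in the posted configuration permits either; that is the kind of gap a debug of the VACL would surface.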
