Vol 2 Lab 11 Task 1.3 - SG VACL not working

I tried the following VACL, mostly per the SG, on SW1-3, but MAC addresses continue to flip and flap like a burger:

conf t
!
no vlan access-map IPONLY
no ip access-list extended ipv4
ip access-list extended ipv4
permit ip any any
permit eigrp any any
!
mac access-list extended iparp
permit any any 0X806 0X0
!
mac access-list extended pvstplus
permit any any 0X010B 0X0
!
mac access-list extended pvst
permit any any lsap 0X4242 0X0
!
vlan access-map IPONLY 10
match ip address ipv4
action forward
!
vlan access-map IPONLY 20
match mac address iparp
action forward
!
vlan access-map IPONLY 30
match mac address pvstplus
action forward
!
vlan access-map IPONLY 40
match mac address pvst
action forward
!
vlan access-map IPONLY 50
action drop
!
vlan filter IPONLY vlan-list 56
do wr
end
!

After observing the logs and consistently seeing this:

*Mar  1 04:02:01.846:     encap SNAP linktype sstp vlan 56 len 64 on v56 Fa0/16
*Mar  1 04:02:01.846:     AA AA 03 00000C 010B SSTP

I figured the SG method of permit any any 0X010B was simply not working, so I explicitly allowed the SNAP SAP to test:

conf t
mac access-list extended snap
permit any any lsap 0XAAAA 0X0
!
vlan access-map IPONLY 15
match mac address snap
action forward
do wr
end
!


Only then did it work. Is this an evolution of IOS compared to what they tested on the SG, or is something else going on with the 3550s here? Some input from INE would be useful too.

Note: The misbehaving switch was SW3 (a 3550). SW1 and SW2 (3560s) interpreted spanning tree fine, per their acceptance of spanning-tree roots, but SW3 (3550) considered itself spanning-tree root for VLANs where only SW1 and SW2 were supposed to be roots.
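As an added illustration that is not part of the original post: the small Python decoder below pulls apart the encapsulations the VACL has to tell apart (Ethernet II ARP, the SNAP-encapsulated PVST+ BPDU from the log line, an IEEE STP BPDU with LSAP 0x4242, and CDP, which uses the same AA AA 03 00000C SNAP header as PVST+ with a different protocol ID) and shows which header bytes an Ethertype entry and an `lsap` entry compare. All frames are constructed. The match model is an assumption taken from the documented keyword semantics (an Ethertype value compares against the Ethernet II type or the SNAP protocol ID, `lsap` compares against the LLC DSAP/SSAP pair); it reproduces what the SG expects, not whatever the 3550 actually did with the 0x010B entry.

```python
"""Decode the frame encapsulations the VACL above has to tell apart and show
which header bytes each 'mac access-list extended' keyword compares.

Added illustration, not code from the original post.  All frames are
constructed: the PVST+ BPDU follows the log line's dump (AA AA 03 00000C
010B); ARP, IEEE STP and CDP follow their standard encapsulations.  The
match model is an assumption taken from the documented keyword semantics
(an Ethertype entry compares the Ethernet II type or the SNAP protocol ID,
an 'lsap' entry compares the LLC DSAP/SSAP pair).  It does not model what
the 3550 actually did with the 0x010B entry.
"""
import struct
from typing import Optional


def decode(frame: bytes) -> dict:
    """Return the header fields a MAC ACL can compare for one Ethernet frame."""
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "encap": "ethernet-ii"}
    if type_or_len >= 0x0600:          # Ethernet II: the 2-byte field is an Ethertype
        info["ethertype"] = type_or_len
        return info
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]  # 802.3 length, LLC header follows
    info.update(encap="llc", lsap=(dsap << 8) | ssap)
    if dsap == ssap == 0xAA and ctrl == 0x03:          # SNAP: 3-byte OUI + 2-byte protocol ID
        info.update(encap="snap", oui=frame[17:20].hex(),
                    pid=struct.unpack("!H", frame[20:22])[0])
    return info


def ace_matches(ace: tuple, info: dict) -> bool:
    """ace = (keyword, value, mask). Mask bits that are set are ignored, as in IOS."""
    keyword, value, mask = ace
    if keyword == "ethertype":
        field = info.get("ethertype", info.get("pid"))  # Ethernet II type, else SNAP PID
    elif keyword == "lsap":
        field = info.get("lsap")                         # DSAP/SSAP of LLC and SNAP frames only
    else:
        raise ValueError(keyword)
    if field is None:
        return False
    keep = ~mask & 0xFFFF
    return (field & keep) == (value & keep)


def first_match(frame: bytes, vacl: list) -> Optional[str]:
    """Name of the first VACL sequence whose MAC ACL matches, or None (falls to the drop)."""
    info = decode(frame)
    for name, ace in vacl:
        if ace_matches(ace, info):
            return name
    return None


def ethernet_ii(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    hdr = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype)
    return (hdr + payload).ljust(60, b"\0")


def llc_frame(dst: str, src: str, llc_data: bytes) -> bytes:
    hdr = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", len(llc_data))
    return (hdr + llc_data).ljust(60, b"\0")


SRC = "000c29aabbcc"            # constructed source MAC
BPDU = bytes(35)                # zero-filled config BPDU body; only the encapsulation matters here
SNAP_CISCO = bytes.fromhex("aaaa03" "00000c")   # LLC AA AA 03 + Cisco OUI, as in the log line

FRAMES = {
    "arp request":   ethernet_ii("ffffffffffff", SRC, 0x0806, bytes(28)),
    # PVST+ BPDU: dst 01:00:0c:cc:cc:cd, SNAP PID 0x010B, 50 bytes of LLC data = 64-byte frame
    "pvst+ bpdu":    llc_frame("01000ccccccd", SRC, SNAP_CISCO + b"\x01\x0b" + BPDU + bytes(7)),
    "ieee stp bpdu": llc_frame("0180c2000000", SRC, bytes.fromhex("424203") + BPDU),
    # CDP uses the same LLC/SNAP header with PID 0x2000
    "cdp":           llc_frame("01000ccccccc", SRC, SNAP_CISCO + b"\x20\x00" + bytes(20)),
}

# The post's MAC entries in sequence order; IP sequence 10 is omitted (none of these are IP).
VACL_ORIGINAL = [
    ("20 iparp",    ("ethertype", 0x0806, 0x0)),
    ("30 pvstplus", ("ethertype", 0x010B, 0x0)),
    ("40 pvst",     ("lsap",      0x4242, 0x0)),
]
VACL_WITH_SNAP = [("15 snap", ("lsap", 0xAAAA, 0x0))] + VACL_ORIGINAL


if __name__ == "__main__":
    for name, frame in FRAMES.items():
        info = decode(frame)
        print(f"{name:14} encap={info['encap']:12} "
              f"original->{first_match(frame, VACL_ORIGINAL)}  "
              f"with snap->{first_match(frame, VACL_WITH_SNAP)}")
```

Two things the run makes visible. Under the documented semantics the PVST+ frame is matched by sequence 30 (its SNAP protocol ID is 0x010B), which is the behaviour the SG relies on; the post reports the 3550 did not do that, and this code does not attempt to explain why. The `lsap 0XAAAA` workaround, on the other hand, compares only the DSAP/SSAP bytes that every SNAP frame carries, so by header it forwards any SNAP-encapsulated frame on the VLAN (the constructed CDP frame goes from "drop" to sequence 15), not just PVST+. That is worth keeping in mind if the task wording requires forwarding only spanning tree. On the switch, `show vlan access-map` and `show vlan filter` confirm which sequence and VLAN list is in effect.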