VLAN Filtering for Non-IP Traffic

The task is asking to allow only STP BPDUs, CDP, VTP, UDLD and ARP protocols using VLAN filter.

The solution provided for this task is:

mac access-list extended ALLOWED_L2_TRAFFIC
 permit any any lsap 0x4242 0x0
 permit any any 0x010B 0x0
 permit any any 0x806 0x0
vlan access-map VLAN10_FILTER 10
 match mac address ALLOWED_L2_TRAFFIC
 action forward

vlan filter VLAN10_FILTER vlan-list 10


Can someone please explain to me which part of this solution allows CDP, VTP and UDLD protocols?


Thank you.


  • JoeMJoeM ✭✭✭

    Question is how to find  those codes during lab from resources avaiable in the lab only.

    There are a couple of places to find the protocols-and-ISO-designators.  The wireless access-points is one of the places.  This the one that I confirmed quickly.  Note that not all of them are on the list.   A partial memorization is needed (for which I am due again).  ;-)


    products --> wireless --> access points -------> (I chose 3700 series)

                        -----configuration guide ---->  "Protocol Filters"


  • JoeMJoeM ✭✭✭

    The other couple of doc locations are/were firewalls and IBM.   But it is the same information.  Just choose one will make it less confusing.


  • permit any any 0x010B 0x0


    What does that ethertype stand for

  • permit any any 0x010B 0x0


    What does that ethertype stand for

    It's the SAP PID used to match PVST+ BPDUs

  • As ndmitri states, I'm unsure from the solution guide how CDP, VTP and UDLD are allowed given this configuration. The SG states.


    VTP: 0x2003    

    CDP: 0x2000    

    DTP: 0x2004    

    UDLD: 0x0111

    All SNAP-encapsulated packets can be matched using an LSAP value of 0xAAAA. The above-mentioned packet types have no VLAN tag header, so you can filter them on the native VLAN of a trunk, which is usually VLAN 1.

    The mac access-list doesn't permit LSAP 0xAAA so how are the protocols allowed?

  • Think I understand the solution now. So the question is asking for a filter on Vlan 10 but these protocols run on the native vlan (ie Vlan 1 by default) so the vlan 10 filter doesn't affect them.

  • I have been working on this lab. I too was puzzled why there was no mention of the VTP, CDP, DTP, and UDLD. jimmyt is 100% correct. Those particular protocols are running on the native VLAN which is is not VLAN 10. So even if you do configure it the filter will not do anything.
    I also wanted to also say thanks for the the location of the protocol filters document!

Sign In or Register to comment.