VLAN Filtering on Ethertype

There a security lab for R&S that states that you should be able to filter CDP / DTP etc using the SNAP PID value.  The LSAP value for these are 0xAAAA, and you have the SNAP values of 0x0c for CISCO and then the PID 0x2000 for CDP.  The solutions guide says that you should be able to use the PID for filtering on the vlan filter for these values (Quote:   "You can match this Protocol ID value as the Ethertype number in MAC ACLs in the Catalyst Switches") .  

I cant get this to work with the following config:

mac access-list extended VLAN10

 permit any any 0x2000 0x0


vlan access-map VLAN10 10

 action drop


vlan filter VLAN10 vlan-list 1-4094


I still end up learning all the CDP neighbors (0x2000 is the PID for CDP).  I have also used a PID 0x2004 for DTP and the port still negotiates trunk.

Has anyone else had trouble with this?  What did you do to resolve?


Sign In or Register to comment.