When replacing EOS-based access switches (e.g. S-Series) with EXOS-based switches with OnePolicy support (e.g. X460-G2 or X440-G2), there is a difference in behavior if a deny-all policy is used. On EOS, STP BPDUs are not blocked, but on EXOS they are blocked by the OnePolicy.
I have encountered this with a customer using a deny all default OnePolicy to drop traffic from unauthenticated devices. After authentication, legitimate devices are assigned a OnePolicy to allow desired communication (and a VLAN is assigned using the RFC 3580 method as well).
While it is documented that deny all EXOS ACLs drop all Layer 2 protocols, I was not aware that this was carried over to OnePolicy (and I did not check the documentation).
Another problem is how to allow STP BPDUs in the default policy. I see two obvious methods to recognize them:
- By the destination MAC address of 01:80:C2:00:00:00
- By the LLC DSAP of 0x42 and SSAP of 0x42
Has anybody encountered this problem before? How was it solved?
[Note: OnePolicy was just called Policy on EOS, but EXOS knew policy (.pol) files (also known as ACLs) as well. EXOS ACLs are more powerful than EXOS OnePolicies.]
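As an added illustration (not part of the original post and not Extreme Networks code), the small Python classifier below applies the two BPDU recognition methods listed in the post to raw Ethernet frames. It builds a constructed Configuration BPDU and a constructed IPv4 frame (the bridge MAC 00:11:22:33:44:55 is made up) and shows which frames each criterion would let through a deny-all default policy.

```python
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")   # 01:80:C2:00:00:00 (bridge group address)
STP_SAP = 0x42                                # LLC DSAP/SSAP used by STP

def parse_llc(frame: bytes):
    """Return (dsap, ssap) if the frame is IEEE 802.3 + LLC, else None.

    Ethernet II carries an EtherType (> 0x05DC) in bytes 12-13; an 802.3 frame
    carries a length there, followed by the LLC header. A VLAN-tagged frame
    (EtherType 0x8100) is treated as non-LLC by this minimal parser.
    """
    if len(frame) < 17:
        return None
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len > 0x05DC:
        return None          # IPv4, ARP, 802.1Q, ...: no LLC header at offset 14
    return frame[14], frame[15]

def matches_by_dst_mac(frame: bytes) -> bool:
    """Method 1 from the post: destination MAC 01:80:C2:00:00:00."""
    return frame[0:6] == STP_DST_MAC

def matches_by_llc_sap(frame: bytes) -> bool:
    """Method 2 from the post: LLC DSAP 0x42 and SSAP 0x42."""
    return parse_llc(frame) == (STP_SAP, STP_SAP)

def is_stp_bpdu(frame: bytes) -> bool:
    """The allow rule a deny-all default policy would need: either criterion matches."""
    return matches_by_dst_mac(frame) or matches_by_llc_sap(frame)

def build_config_bpdu(src_mac: bytes, dst_mac: bytes = STP_DST_MAC) -> bytes:
    """Constructed sample: minimal 802.3/LLC Configuration BPDU (35-byte body)."""
    bridge_id = b"\x80\x00" + src_mac                 # priority 32768 + MAC
    body = struct.pack("!HBBB8sI8sHHHHH",
                       0x0000, 0x00, 0x00, 0x00,      # protocol id, version, type=config, flags
                       bridge_id, 0,                  # root id, root path cost
                       bridge_id, 0x8001,             # bridge id, port id
                       0, 20 * 256, 2 * 256, 15 * 256)  # age, max age, hello, fwd delay (1/256 s)
    llc = bytes([STP_SAP, STP_SAP, 0x03])             # DSAP, SSAP, control = UI
    return dst_mac + src_mac + struct.pack("!H", len(llc) + len(body)) + llc + body

SRC = bytes.fromhex("001122334455")                   # constructed bridge MAC
BPDU = build_config_bpdu(SRC)
# Constructed broadcast IPv4 frame (EtherType 0x0800): must not match either method
IPV4 = bytes.fromhex("ffffffffffff") + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    for name, frame in (("BPDU", BPDU), ("IPv4", IPV4)):
        print(name, "mac:", matches_by_dst_mac(frame), "llc:", matches_by_llc_sap(frame))
```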