OnePolicy "deny all" blocks STP on EXOS, but not on EOS
‎10-16-2017 01:33 PM
Hi,
When replacing EOS-based access switches (e.g. S-Series) with EXOS-based switches with OnePolicy support (e.g. X460-G2 or X440-G2), there is a difference in behavior if a deny all policy is used. On EOS, STP BPDUs are not blocked, but on EXOS they are blocked by the OnePolicy.
I have encountered this with a customer using a deny all default OnePolicy to drop traffic from unauthenticated devices. After authentication, legitimate devices are assigned a OnePolicy that allows the desired communication (and a VLAN is assigned using the RFC 3580 method as well).
While it is documented that deny all EXOS ACLs drop all Layer 2 protocols, I was not aware that this was carried over to OnePolicy (and I did not check the documentation).
Another problem is how to allow STP BPDUs in the default policy. I see two obvious methods to recognize them:
- By the destination MAC address of 01:80:C2:00:00:00
- By the LLC DSAP of 0x42 and SSAP of 0x42
Has anybody encountered this problem before? How was it solved?
[Note: OnePolicy was just called Policy on EOS, but EXOS already had policy (.pol) files (also known as ACLs) as well. EXOS ACLs are more powerful than EXOS OnePolicies.]
Thanks,
Erik
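The two BPDU recognition criteria named in the post (bridge group destination MAC, and LLC DSAP/SSAP 0x42), worked through as an added Python frame classifier. This is example code written for this page, not from the original post and not Extreme's OnePolicy or ACL implementation; the sample frames are constructed inline, not captured, and the optional 802.1Q tag handling and the "spoofed" frame go beyond what the post discusses.

```python
import struct

# IEEE 802.1D Bridge Group Address: STP/RSTP/MSTP BPDUs are addressed here.
BPDU_DST_MAC = bytes.fromhex("0180c2000000")
# IEEE 802.2 LLC service access point reserved for the bridge spanning tree protocol.
BPDU_SAP = 0x42
# Largest value of the 802.3 length/type field that is a length rather than an EtherType.
MAX_8023_LENGTH = 0x05DC
VLAN_TPID = 0x8100


def _llc_offset(frame):
    """Index of the LLC header if the frame is 802.3 (length-encoded) after an
    optional single 802.1Q tag; None for Ethernet II (EtherType) or a short frame."""
    pos = 12
    if len(frame) < pos + 2:
        return None
    field = struct.unpack_from("!H", frame, pos)[0]
    if field == VLAN_TPID:
        pos += 4  # skip TPID + TCI (BPDUs are normally untagged; handled defensively)
        if len(frame) < pos + 2:
            return None
        field = struct.unpack_from("!H", frame, pos)[0]
    if field > MAX_8023_LENGTH:
        return None  # EtherType, so no LLC header follows
    return pos + 2


def is_bpdu_by_dst_mac(frame):
    """Criterion 1 from the post: destination MAC 01:80:C2:00:00:00."""
    return len(frame) >= 6 and frame[:6] == BPDU_DST_MAC


def is_bpdu_by_llc_sap(frame):
    """Criterion 2 from the post: LLC DSAP 0x42 and SSAP 0x42."""
    off = _llc_offset(frame)
    if off is None or len(frame) < off + 2:
        return False
    return frame[off] == BPDU_SAP and frame[off + 1] == BPDU_SAP


def classify_frame(frame):
    return {"dst_mac": is_bpdu_by_dst_mac(frame), "llc_sap": is_bpdu_by_llc_sap(frame)}


def is_bpdu(frame):
    """Conservative classifier: require both criteria, so a frame that merely borrows
    the bridge group address (or merely the 0x42 SAP) is not treated as a BPDU."""
    c = classify_frame(frame)
    return c["dst_mac"] and c["llc_sap"]


def _frame(dst_hex, src_hex, rest):
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + rest


# Constructed 802.1D Configuration BPDU body (35 bytes), all values chosen for illustration.
_BPDU_BODY = (
    b"\x00\x00"                                   # protocol identifier
    b"\x00"                                       # protocol version (STP)
    b"\x00"                                       # BPDU type: configuration
    b"\x00"                                       # flags
    + b"\x80\x00" + bytes.fromhex("000000000001")  # root identifier
    + b"\x00\x00\x00\x00"                          # root path cost
    + b"\x80\x00" + bytes.fromhex("000000000001")  # bridge identifier
    + b"\x80\x01"                                  # port identifier
    + b"\x00\x00\x14\x00\x02\x00\x0f\x00"          # message age, max age, hello, fwd delay
)
_LLC_BPDU = b"\x42\x42\x03"                        # DSAP 0x42, SSAP 0x42, UI control
_8023_LEN = struct.pack("!H", len(_LLC_BPDU) + len(_BPDU_BODY))

# Constructed sample frames (not captured traffic).
CONFIG_BPDU = _frame("0180c2000000", "001122334455", _8023_LEN + _LLC_BPDU + _BPDU_BODY + b"\x00" * 8)
CONFIG_BPDU_TAGGED = _frame("0180c2000000", "001122334455",
                            struct.pack("!HH", VLAN_TPID, 100) + _8023_LEN + _LLC_BPDU + _BPDU_BODY)
ARP_REQUEST = _frame("ffffffffffff", "001122334455",
                     b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
                     + bytes.fromhex("001122334455") + bytes([192, 0, 2, 1])
                     + bytes(6) + bytes([192, 0, 2, 2]))
SNAP_FRAME = _frame("01000ccccccc", "001122334455",
                    struct.pack("!H", 8) + b"\xaa\xaa\x03\x00\x00\x0c\x20\x00")
# Ethernet II frame aimed at the bridge group address: matches criterion 1 only.
SPOOFED_TO_BRIDGE_GROUP = _frame("0180c2000000", "0a0b0c0d0e0f", b"\x88\xcc" + bytes(20))


if __name__ == "__main__":
    for name in ("CONFIG_BPDU", "CONFIG_BPDU_TAGGED", "ARP_REQUEST", "SNAP_FRAME", "SPOOFED_TO_BRIDGE_GROUP"):
        print(f"{name:24s} {classify_frame(globals()[name])}  bpdu={is_bpdu(globals()[name])}")
```

The spoofed frame illustrates why a permit rule keyed on only one criterion is broader than it looks: a rule on the destination MAC alone also exempts anything else a host sends to 01:80:C2:00:00:00, and a rule on the SAP alone exempts any 0x42/0x42 LLC frame regardless of destination. Whichever field the switch's policy engine can actually match (the follow-up below reports that destination MAC was not available on the X440-G2 tested), the exemption should be as narrow as the platform allows.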
10 REPLIES
‎10-16-2017 07:24 PM
Hi Matthias,
The macdest OnePolicy rule was not accepted on the X440-G2 in the lab. I tried it with the 48-bit mask only, because that is what needs to be matched. After this I checked with "show policy capability" what is supported, and destination MAC had no check mark.
Regards,
Erik
