Hi,
when replacing EOS based access switches (e.g. S-Series) with EXOS based switches with OnePolicy support (e.g. X460-G2 or X440-G2), there is a difference in behavior if a deny all policy is used. On EOS, STP BPDUs are not blocked, but on EXOS they are blocked by the OnePolicy.
I have encountered this with a customer using a deny all default OnePolicy to drop traffic from unauthenticated devices. After authentication, legitimate devices are assigned a OnePolicy to allow desired communication (and a VLAN is assigned using the RFC 3580 method as well).
While it is documented that deny all EXOS ACLs drop all Layer 2 protocols, I was not aware that this was carried over to OnePolicy (and I did not check the documentation).
Another problem is how to allow STP BPDUs in the default policy. I see two obvious methods to recognize them:
- By the destination MAC address of 01:80:C2:00:00:00
- By the LLC DSAP of 0x42 and SSAP of 0x42
The first method should be supported on X460-G2 switches (according to show policy capabilities), but not on e.g. X440-G2. The second method is not supported by either X440-G2 or X460-G2. Since we had X440-G2 in the lab, we could not test the first method when I was on-site (for a different task that had priority).
Has anybody encountered this problem before? How was it solved?
[Note: OnePolicy was just called Policy on EOS, but EXOS knew policy (.pol) files (also known as ACLs) as well. EXOS ACLs are more powerful than EXOS OnePolicies.]
Thanks,
Erik
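The two BPDU recognition methods named in the post (destination MAC 01:80:C2:00:00:00, and LLC DSAP/SSAP 0x42) can be tried out on raw frames to see what a "deny all, except STP" rule would actually let through. The following Python is an added example, not code from the post or from any Extreme Networks product; the frames it feeds through the classifier are constructed here (a standard 802.1D configuration BPDU, an LLDP frame, an IPv4 frame, and a Cisco PVST+ style BPDU, which uses a different destination MAC and a SNAP header) and the `evaluate` function and its "permit"/"deny" results are assumptions for illustration, not switch behaviour.

```python
# Classify Ethernet frames as STP BPDUs by the two methods the post names, then
# apply a "deny all except BPDU" decision so the two methods can be compared.
from dataclasses import dataclass

STP_DST_MAC = bytes.fromhex("0180c2000000")  # IEEE reserved Bridge Group Address
STP_LLC_SAP = 0x42                            # DSAP and SSAP of 802.1D BPDUs
MAX_8023_LENGTH = 1500                        # <= 1500 means 802.3 length + LLC follows


@dataclass
class Frame:
    dst: bytes
    src: bytes
    length_or_type: int
    payload: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Split a raw frame into the 14-byte Ethernet header and its payload."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return Frame(raw[0:6], raw[6:12], int.from_bytes(raw[12:14], "big"), raw[14:])


def is_bpdu_by_mac(f: Frame) -> bool:
    """Method 1 from the post: match the reserved STP destination MAC."""
    return f.dst == STP_DST_MAC


def is_bpdu_by_llc(f: Frame) -> bool:
    """Method 2 from the post: match an LLC header with DSAP = SSAP = 0x42.

    Only 802.3 frames (length field <= 1500) carry an LLC header; an EtherType
    (>= 0x0600) such as IPv4 or LLDP never does, so those are rejected early.
    """
    if f.length_or_type > MAX_8023_LENGTH or len(f.payload) < 3:
        return False
    dsap, ssap = f.payload[0], f.payload[1]
    return dsap == STP_LLC_SAP and ssap == STP_LLC_SAP


MATCHERS = {"mac": is_bpdu_by_mac, "llc": is_bpdu_by_llc}


def evaluate(raw: bytes, method: str) -> str:
    """Hypothetical deny-all policy with a single BPDU permit rule (assumption)."""
    frame = parse_ethernet(raw)
    return "permit" if MATCHERS[method](frame) else "deny"


def build_frame(dst: bytes, src: bytes, length_or_type: int, payload: bytes) -> bytes:
    return dst + src + length_or_type.to_bytes(2, "big") + payload


# --- constructed sample frames (not captured traffic) ---
SRC = bytes.fromhex("001122334455")
# 35-byte 802.1D configuration BPDU body behind a 3-byte LLC header (42 42 03).
BPDU_BODY = bytes.fromhex(
    "0000" "00" "00" "00"            # protocol id, version, type, flags
    "8000001122334455" "00000000"    # root id, root path cost
    "8000001122334455" "8001"        # bridge id, port id
    "0000" "1400" "0200" "0f00"      # message age, max age, hello, forward delay
)
STP_FRAME = build_frame(STP_DST_MAC, SRC, 38, bytes.fromhex("424203") + BPDU_BODY)
# LLDP: reserved multicast 01:80:C2:00:00:0E with EtherType 0x88CC, no LLC header.
LLDP_FRAME = build_frame(bytes.fromhex("0180c200000e"), SRC, 0x88CC, b"\x02\x07\x04" + SRC)
# IPv4: unicast destination, EtherType 0x0800.
IPV4_FRAME = build_frame(bytes.fromhex("00aabbccddee"), SRC, 0x0800, b"\x45\x00" + b"\x00" * 18)
# Cisco PVST+ style BPDU: dst 01:00:0C:CC:CC:CD, SNAP header (AA AA 03 + OUI + PID).
PVST_FRAME = build_frame(
    bytes.fromhex("01000ccccccd"), SRC, 43,
    bytes.fromhex("aaaa03" "00000c" "010b") + BPDU_BODY,
)


def classify_all() -> dict:
    """Run every sample frame through both methods; used for the comparison below."""
    samples = {"stp": STP_FRAME, "lldp": LLDP_FRAME, "ipv4": IPV4_FRAME, "pvst": PVST_FRAME}
    return {name: {m: evaluate(raw, m) for m in MATCHERS} for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdicts in classify_all().items():
        print(f"{name:5s} mac={verdicts['mac']:6s} llc={verdicts['llc']}")
```

On the constructed frames both methods permit the standard 802.1D BPDU and deny LLDP and IPv4, so for the post's purpose (letting only STP through a deny-all default policy) either one works where the hardware supports it. The PVST+ sample shows a caveat: neither the reserved MAC nor the 0x42 SAPs match a vendor-specific BPDU format, so a mixed environment needs its own rule for that.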