Guest

Preview Tool

Cisco Bug: CSCuq33409 - VACL dont drop frames matching outer vlan ethtype on ME3400

Last Modified

Sep 16, 2014

Products (1)

  • Cisco ME 3400 Series Ethernet Access Switches

Known Affected Releases

n/a

Description (partial)

Symptom:
QinQ double tag packet is not dropping  outer vlan tag with the ethertype 0x8100 by using VACL

Conditions:
Customer wants to drop the arp packet with only double tag by using 0x8100.
They don't want to drop the single tag Arp packet

VACL is not dropping Ethertype 8100/9100/88A8.

we could drop the packet by using 0x806.

if we use 0x806 as ethertype, it would drop all single tag Arp packet.

Please find the config below.


ARP Generator(double tagged ARP packets)----(g0/8)ME3400(g0/9)---Laptop in vlan30 to sniff the traffic

vlan 30
  name test
!
mac access-list extended MACACL_MATCH_1Q
  permit any any 0x8100 0x0
  permit any any 0x9100 0x0
  permit any any 0x88A8 0x0
!
vlan access-map VAP_DROP_DOUBLE_TAGGING 10
  match mac address MACACL_MATCH_1Q
  action drop
vlan access-map VAP_DROP_DOUBLE_TAGGING 20
  action forward
!
vlan filter VAP_DROP_DOUBLE_TAGGING vlan-list 30
!
interface GigabitEthernet0/8      
  port-type nni
  switchport trunk allowed vlan 30
  switchport mode trunk
!
interface GigabitEthernet0/9
  port-type nni
  switchport trunk allowed vlan 30
  switchport mode trunk
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.