CCIE Pursuit Blog

April 5, 2008

Internetwork Expert Volume II: Lab 6 – Section 8

Security – 6 Points

8.1 BPDU Filtering

Configure sw1 and sw2 to filter all DECnet spanning-tree BPDUs in VLAN 363

I figured that I would find this under the spanning-tree commands, but I was way off.  You need to use a VACL to filter this traffic:

mac access-list extended NO_DEC_BPDU
 permit any any dec-spanning
vlan access-map NO_DEC_BPDU 10
 action drop
 match mac address NO_DEC_BPDU
vlan access-map NO_DEC_BPDU 20
 action forward
vlan filter NO_DEC_BPDU vlan-list 363

sw1#sh vlan filter vlan 363
Vlan 363 has filter NO_DEC_BPDU.

sw1#sh vlan access-map
Vlan access-map "NO_DEC_BPDU"  10
  Match clauses:
    mac address: NO_DEC_BPDU
Vlan access-map "NO_DEC_BPDU"  20
  Match clauses:

sw1#sh vlan filter access-map NO_DEC_BPDU
VLAN Map NO_DEC_BPDU is filtering VLANs:

VLAN 363 is not present on sw1 and sw2  🙂

sw1#sh vlan id 363
VLAN id 363 not found in current VLAN database

sw2#sh vlan id 363
VLAN id 363 not found in current VLAN database

Task 8.1 BPDU Filtering
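The empty "is filtering VLANs:" list above is easy to miss: the map is configured, but VLAN 363 does not exist on the switch. The following is an added example, not part of the original post or the workbook: a small offline audit of MAC VLAN maps in a saved config. The names `audit_vacls` and `parse_vlan_list` are hypothetical, and the VLAN database passed in is constructed.

```python
import re

def parse_vlan_list(spec):
    """Expand an IOS vlan-list such as '10,20-22' into a set of ints."""
    ranges = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit_vacls(config, vlan_db):
    """List problems with the MAC VLAN maps in `config`; `vlan_db` = VLAN ids on the switch."""
    maps, applied, acls, seq = {}, {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            seq = None  # a global command ends access-map sub-mode
        if m := re.match(r"mac access-list extended (\S+)$", line):
            acls.add(m[1])
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            seq = maps.setdefault(m[1], {}).setdefault(int(m[2]), {"action": None, "match": []})
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)$", line):
            applied.setdefault(m[1], set()).update(parse_vlan_list(m[2]))
        elif seq is not None and (m := re.match(r"action (drop|forward)$", line)):
            seq["action"] = m[1]
        elif seq is not None and (m := re.match(r"match mac address (\S+)$", line)):
            seq["match"].append(m[1])
    findings = []
    for name, seqs in sorted(maps.items()):
        for num, s in sorted(seqs.items()):
            findings += [f"{name} {num}: MAC ACL {a} is not defined" for a in s["match"] if a not in acls]
        # Assumption: a frame that hits no sequence of a map with MAC matches is dropped.
        if not any(s["action"] == "forward" and not s["match"] for s in seqs.values()):
            findings.append(f"{name}: no catch-all forward sequence")
        vlans = applied.get(name, set())
        if not vlans:
            findings.append(f"{name}: not applied to any VLAN")
        findings += [f"{name}: VLAN {v} is not in the VLAN database" for v in sorted(vlans - vlan_db)]
    return findings

# Configuration from the post above; the VLAN database passed in is constructed.
POST_CONFIG = """\
mac access-list extended NO_DEC_BPDU
 permit any any dec-spanning
vlan access-map NO_DEC_BPDU 10
 action drop
 match mac address NO_DEC_BPDU
vlan access-map NO_DEC_BPDU 20
 action forward
vlan filter NO_DEC_BPDU vlan-list 363
"""
```

Calling `audit_vacls(POST_CONFIG, {1})` reports the missing VLAN 363; removing sequence 20 from the config makes it report the missing catch-all forward instead.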

8.2 Traffic Filtering

Hosts must authenticate to r2 before they are allowed to telnet to sw1.  Use one user/password combination to allow access to sw1 and another to grant access to r2’s CLI.

This is a task that IE is fond of.  We just used a VACL, so why not use a DACL (dynamic ACL)?  🙂

r2(config)#ip access-list extended DYNAMIC
% Invalid access list name.

IOS would not let me use the word “dynamic” as the name of my extended access-list.

Invalid access list name.

I think that Cisco IOS blocks creating an access-list with the name “dynamic”; this is due to the introduction of the new dynamic access-list starting from release 12.3(7)T.  Also, a new show command, “show ip access-list dynamic”, was introduced starting from the above release, so to avoid any conflicts IOS blocks access lists with the name “dynamic”.

Dynamic access is used for more security purposes; if you are interested in it, you can go to the following link:

Oh well, IOS likes BOOBIES though….who doesn’t?  🙂

r2(config)#ip access-list extended BOOBIES
r2(config-ext-nacl)#dynamic PERMIT_TELNET perm tcp any any eq telnet



  1. Ok you got me, I laughed out loud at Boobies. But yeah, who doesn’t like Boobies!?! Can you imagine logging into a router and seeing an ACL named Boobies at 8am on a Monday while drinking coffee? I’d spit it all over the screen.

    On a rather more on topic note I’m getting ready to take my CCNP BCMSN exam on Monday and was just practicing Vlan ACLs. I’ll admit, filtering DEC BPDU’s wasn’t even on the radar. 🙂

    Comment by Mike — April 5, 2008 @ 9:32 pm | Reply

  2. I tried this cmd, but it was blocking the entire desktop IP in our network. Please suggest a full configuration for how to block a particular desktop from our network with the help of MAC.

    Comment by hariharan — May 19, 2008 @ 10:39 pm | Reply

  3. LOL BOOBIES!!!!!!!!!!

    Comment by M Khan — June 10, 2009 @ 5:35 pm | Reply
