Also port numbers for protocols based on TCP/UDP.

But most important for me are L2 protocols like: IPX, CDP, VTP, IPV6.

They don't use port numbers.

Suppose that you have mac ACL and want to permit IPX and CDP but block VTP. How would you create such ACL ?

Thanx

Hi,

have you tried NBAR for the same ??

NBAR supports most of the protocol you mentioned.

Regards,

Smitesh

According to:

http://www.cisco.com/en/US/docs/ios/ios_xe/qos/configuration/guide/clsfy_traffic_nbar_xe.html#wp1433675

NBAR does not support non-IP traffic.

So it does not support any of: IPX, CDP, VTP, IPV6.

Am i wrong ?

Thanx

Hi,

Not sure about VTP, but can see CDP in the list below. Although have never tried that

R1(config-cmap)#match protocol ?

  aarp              AppleTalk ARP

  appletalk         AppleTalk

  arp               IP ARP

  bgp               Border Gateway Protocol

  bittorrent        bittorrent

  bridge            Bridging

  bstun             Block Serial Tunnel

  cdp               Cisco Discovery Protocol

  citrix            Citrix Systems Metaframe 3.0

  clns              ISO CLNS

  clns_es           ISO CLNS End System

  clns_is           ISO CLNS Intermediate System

  cmns              ISO CMNS

  compressedtcp     Compressed TCP (VJ)

  cuseeme           CU-SeeMe desktop video conference

  decnet            DECnet

  decnet_node       DECnet Node

  decnet_router-l1  DECnet Router L1

  decnet_router-l2  DECnet Router L2

  dhcp              Dynamic Host Configuration

  directconnect     Direct Connect Version 2.0

  dlsw              Data Link Switching (Direct encapsulation only)

  dns               Domain Name Server lookup

  edonkey           eDonkey

  egp               Exterior Gateway Protocol

  eigrp             Enhanced Interior Gateway Routing Protocol

  exchange          MS-RPC for Exchange

  fasttrack         FastTrack Traffic - KaZaA, Morpheus, Grokster...

  finger            Finger

  ftp               File Transfer Protocol

  gnutella          Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus

                    ...

  gopher            Gopher

  gre               Generic Routing Encapsulation

  h323              H323 Protocol

  http              World Wide Web traffic

  icmp              Internet Control Message

  imap              Internet Message Access Protocol

  ip                IP

  ipinip            IP in IP (encapsulation)

  ipsec             IP Security Protocol (ESP/AH)

  ipv6              IPV6

  ipx               Novell IPX

  irc               Internet Relay Chat

  kazaa2            Kazaa Version 2

  kerberos          Kerberos

  l2tp              L2F/L2TP tunnel

  ldap              Lightweight Directory Access Protocol

  llc2              llc2

  mgcp              Media Gateway Control Protocol

  netbios           NetBIOS

  netshow           Microsoft Netshow

  nfs               Network File System

  nntp              Network News Transfer Protocol

  notes             Lotus Notes(R)

  novadigm          Novadigm EDM

  ntp               Network Time Protocol

  ospf              Open Shortest Path First

  pad               PAD links

  pcanywhere        Symantec pcANYWHERE

  pop3              Post Office Protocol

  pppoe             PPP over Ethernet

  pptp              Point-to-Point Tunneling Protocol

  printer           print spooler/lpd

  qllc              qllc protocol

  rcmd              BSD r-commands (rsh, rlogin, rexec)

  rip               Routing Information Protocol

  rsrb              Remote Source-Route Bridging

  rsvp              Resource Reservation Protocol

  rtcp              Real Time Control Protocol

  rtp               Real Time Protocol

  rtsp              Real Time Streaming Protocol

  secure-ftp        FTP over TLS/SSL

  secure-http       Secured HTTP

  secure-imap       Internet Message Access Protocol over TLS/SSL

  secure-irc        Internet Relay Chat over TLS/SSL

  secure-ldap       Lightweight Directory Access Protocol over TLS/SSL

  secure-nntp       Network News Transfer Protocol over TLS/SSL

  secure-pop3       Post Office Protocol over TLS/SSL

  secure-telnet     Telnet over TLS/SSL

  sip               Session Initiation Protocol

  skinny            Skinny Protocol

  skype             Skype Peer-to-Peer Internet Telephony Protocol

  smtp              Simple Mail Transfer Protocol

  snapshot          Snapshot routing support

  snmp              Simple Network Management Protocol

  socks             SOCKS

  sqlnet            SQL*NET for Oracle

  sqlserver         MS SQL Server

  ssh               Secured Shell

  streamwork        Xing Technology StreamWorks player

  stun              Serial Tunnel

  sunrpc            Sun RPC

  syslog            System Logging Utility

  telnet            Telnet

  tftp              Trivial File Transfer Protocol

  vdolive           VDOLive streaming video

  vofr              voice over Frame Relay packets

  winmx             WinMx file-sharing application

  xwindows          X-Windows remote access

R1(config-cmap)#match protocol

Regards,

Smitesh

I do not think it will work (can't check right now). Moreover there are many situations in which i can't use class-map and can't use NBAR. The list you show is short and does not cover a whole bunch of protocols like VTP,STP,DTP,LLDP...

That's why i need L2 protocol numbers list somewhere is cisco docs....

I do not belive they force CCIE candidate to remember all possible numbers...

Hi,

Aren't we looking for more complicated ways to stop VTP, STP, CDP and DTP; when we can simply disable them.

Though I understand your concern. I also don't believe Cisco will want any candidate to cram all the values. However, since it is CCIE exams, it is best said that expect the unexpected if you want to succeed.

As far as docs on them is concerns, let me assured you that you will definately find on cisco, however all the infomation will be distributed and not centrallised. You may have to do lots of browsing to come to the correct page.

PS: I guess the doing lot of broswing on UniverCD will always benifit you as during LAB only help at your disposal will be univerCD. So better practise it now, even though you don't find what you need.

HTH,

Smiteshh

Yes - for CCIE i have to expect unexpected

I've already done a lot of browsing and know docs quite well. For layers 3,4 and up there are valuable informations in ACE modules docs. But for layer2 protocols could not find any table with numbers for each protocol