Symptom
LLC/SNAP encapsulated packets cannot match on l2 acl Ether-Type correctly.
Conditions
LLC/snap ether encapped frames and filtering with l2 acl on etype.
Workaround
For most of the scenario's, simply filtering based on the L2MAC is enough. But if well known ma-addresses are same for 2 different type protocol packets (such as UDLD and CDP which has same dest-mac of 00:01:0c:CC:CC:CC) filtering also need to include ether-type.
Further Problem Description
RP/0/RSP0/CPU0:9010-1#sh access-lists ethernet-services L2-FRAMES hardware egress location 0/0/CPU0
Tue Nov 12 19:08:36.919 UTC
ethernet-services access-list L2-FRAMES
10 deny any host 0100.0ccc.cccc 0111 (2108 hw matches) == UDLD packets based on Ether-Type and dest-mac
20 permit any host 0100.0ccc.cccc 2000 (2821 hw matches) == CDP packets based on Ether-Type and dest-mac
