[c-nsp] Blocking VTP
Paul Cosgrove
paul.cosgrove at heanet.ie
Thu Apr 24 12:30:21 EDT 2008
Or maybe the OUI is used for VTP...
http://www.cisco.com/warp/public/473/21.html
Paul Cosgrove wrote:
> Thanks for testing that Tassos,
>
> The protocol identifier field is five bytes long, and is divided into a
> three byte OUI (which isn't used) and the two byte ethertype.
>
> Paul.
>
> Tassos Chatzithomaoglou wrote:
>
>> Paul,
>>
>> To be honest, I didn't think the mac acl would work using 0x2003 as an
>> ethertype, because the value 0x2003 refers to the Local Code field (or
>> Protocol Identifier (PID)) of the LLC/SNAP header.
>>
>> But I tried it and it worked. It also worked for UDLD (0x0111).
>>
>> I then found out that IEEE made it for backwards compatibility reasons
>> with the Ethernet Version II format which used first the ethertype field.
>>
>>
>> --
>> Tassos
>>
>>
>> Paul Cosgrove wrote on 24/4/2008 4:20 PM:
>>
>>> As you probably know, while VTP is not particularly chatty, you will
>>> find the debugs easier to read if you also specify the interface you
>>> want
>>> i.e. debug interface fa0/13
>>>
>>> Paul.
>>>
>>> Paul Cosgrove wrote:
>>>
>>>> Hi Skeeve,
>>>>
>>>> Here are a couple of alternative ways you should be able to block
>>>> VTP. You can test the following on a trunk link by setting up two
>>>> vtp servers (with same domain etc.) and watching the vtp traffic
>>>> using "debug sw-vlan vtp xmit" and "debug sw-vlan vtp packet". Add
>>>> a filter to one switch and create additional new vlans on each device.
>>>> The vlan map here will filter VTP from transiting on any vlan, not
>>>> just stopping VTP being received by your device. You probably do
>>>> not want to do this but it is useful for comparison purposes. Note
>>>> that the acl required to do that is matching the traffic with a
>>>> permit, not denying it.
>>>>
>>>> #==== MAC ACL ====
>>>> mac access-list extended DENY-VTP
>>>> deny any host 0100.0ccc.cccc 0x2003 0x0
>>>> permit any any
>>>>
>>>> interface FastEthernet0/13
>>>> mac access-group DENY-VTP in
>>>>
>>>> #==== VLAN MAP ====
>>>> mac access-list extended MATCH-VTP
>>>> permit any host 0100.0ccc.cccc 0x2003 0x0
>>>>
>>>> vlan access-map DENY-VTP 10
>>>> action drop
>>>> match mac address MATCH-VTP
>>>> vlan access-map DENY-VTP 20
>>>> action forward
>>>> !
>>>> vlan filter DENY-VTP vlan-list 1-4094
>>>>
>>>> Paul.
>>>>
>>>> Skeeve Stevens wrote:
>>>>
>>>>
>>>>> Hey Paul,
>>>>>
>>>>> You got an example of how you would block this on the port with the
>>>>> protocol type and the MAC?
>>>>>
>>>>> I've never done MAC blocking, or protocol type.... probably easy
>>>>> though.
>>>>>
>>>>> ...Skeeve
>>>>>
>>>>> -----Original Message-----
>>>>> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
>>>>> Sent: Thursday, 24 April 2008 8:13 PM
>>>>> To: Phil Mayers
>>>>> Cc: skeeve at skeeve.org; 'Gert Doering'; cisco-nsp at puck.nether.net;
>>>>> achatz at forthnet.gr
>>>>> Subject: Re: [c-nsp] Blocking VTP
>>>>>
>>>>> Phil Mayers wrote:
>>>>>
>>>>>
>>>>>> I'm sorry to say whether you believe it or not has little to do
>>>>>> with the reality of the situation. To the best of my (by no means
>>>>>> encyclopaedic) knowledge, there is no such thing.
>>>>>>
>>>>>> In any event, Tassos has already suggested:
>>>>>>
>>>>>> 1) make the port an access port
>>>>>> 2) block 01-00-0C-CC-CC-CC (used by CDP too)
>>>>>> 3) use transparent vtp v1 & different domain
>>>>>> 4) block vlan 1 (although actually that's not possible)
>>>>>>
>>>>>> Have you tried those? It seems like number 2 in a MAC ACL ought to
>>>>>> be pretty bulletproof.
>>>>>> ______________________________________________
>>>>>>
>>>>>>
>>>>> 01-00-0C-CC-CC-CC is also used by a number of other protocols
>>>>> including PAgP, UDLD, DTP as well as CDP. You can differentiate
>>>>> VTP from these by specifying its protocol type (0x2003).
>>>>>
>>>>> Regards,
>>>>>
>>>>> Paul.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>>
>>>>
>>>
>>>
>
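Added example, not part of the thread or any poster's configuration: a small Python model of what the MAC ACL and VLAN map above actually match on. It parses an 802.3 frame carrying an LLC/SNAP header, pulls out the OUI and the SNAP PID (the value that the "ethertype" argument of the IOS mac access-list entry is compared against, as Tassos found), and then evaluates the DENY-VTP ACL and the MATCH-VTP VLAN map against constructed VTP, UDLD, CDP and Ethernet II frames. The PIDs 0x2003 (VTP) and 0x0111 (UDLD) are quoted in the thread; CDP 0x2000, DTP 0x2004 and PAgP 0x0104 are the standard Cisco SNAP PIDs as I know them. The source MAC, the payload bytes and the ACL data structure are my own constructions, and the wildcard-mask semantics (0 bit must match, 1 bit is don't-care) are modelled after IOS ACL masks.

```python
import struct

# Destination MAC shared by VTP, CDP, DTP, PAgP and UDLD (from the thread).
CISCO_CONTROL_MAC = bytes.fromhex("01000ccccccc")
CISCO_OUI = bytes.fromhex("00000c")  # OUI carried in the SNAP header

# SNAP protocol identifiers. 0x2003 and 0x0111 are quoted in the thread; the
# remaining values are the standard Cisco SNAP PIDs (editor's knowledge).
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
             0x0104: "PAgP", 0x0111: "UDLD"}


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs plus, for an 802.3 frame with an LLC/SNAP header,
    the OUI and PID; an Ethernet II frame reports its ethertype instead."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_len = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst, "src": src, "snap": False,
            "oui": None, "pid": None, "ethertype": None}
    if type_len >= 0x0600:          # Ethernet II: field is an ethertype
        info["ethertype"] = type_len
        return info
    # 802.3: field is a length; LLC DSAP/SSAP 0xAA/0xAA, control 0x03 => SNAP
    if frame[14:17] == b"\xaa\xaa\x03" and len(frame) >= 22:
        info["snap"] = True
        info["oui"] = frame[17:20]
        info["pid"] = struct.unpack("!H", frame[20:22])[0]
    return info


def classify(frame: bytes) -> str:
    """Name the Cisco control protocol, or describe the frame otherwise."""
    info = parse_frame(frame)
    if info["snap"] and info["dst"] == CISCO_CONTROL_MAC:
        return SNAP_PIDS.get(info["pid"], "cisco-snap-0x%04x" % info["pid"])
    if info["ethertype"] is not None:
        return "ethernet-ii-0x%04x" % info["ethertype"]
    return "other"


# Constructed model of a mac access-list entry:
# (action, destination MAC or None for "any", protocol value or None, mask)
def ace_matches(ace, info) -> bool:
    action, dst, proto, mask = ace
    if dst is not None and info["dst"] != dst:
        return False
    if proto is None:
        return True
    # The ACL's "ethertype" argument is compared with the SNAP PID on an
    # 802.3/SNAP frame and with the real ethertype on an Ethernet II frame.
    value = info["pid"] if info["snap"] else info["ethertype"]
    if value is None:
        return False
    keep = ~mask & 0xFFFF           # IOS wildcard mask: 0 = must match
    return (value & keep) == (proto & keep)


def acl_action(acl, frame: bytes) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    info = parse_frame(frame)
    for ace in acl:
        if ace_matches(ace, info):
            return ace[0]
    return "deny"


# "mac access-list extended DENY-VTP" from the thread, as data.
DENY_VTP = [("deny", CISCO_CONTROL_MAC, 0x2003, 0x0), ("permit", None, None, 0)]
# "mac access-list extended MATCH-VTP": the VLAN map needs a permit (a match).
MATCH_VTP = [("permit", CISCO_CONTROL_MAC, 0x2003, 0x0)]


def vlan_map_action(frame: bytes) -> str:
    """vlan access-map DENY-VTP: sequence 10 drops what MATCH-VTP matches,
    sequence 20 forwards everything else."""
    return "drop" if acl_action(MATCH_VTP, frame) == "permit" else "forward"


def snap_frame(dst, src, oui, pid, payload) -> bytes:
    """Build an 802.3 frame with an LLC/SNAP header (constructed input)."""
    body = b"\xaa\xaa\x03" + oui + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body


# Constructed sample frames; the source MAC and payloads are made up.
SRC = bytes.fromhex("001122334455")
VTP_FRAME = snap_frame(CISCO_CONTROL_MAC, SRC, CISCO_OUI, 0x2003, b"\x01" * 36)
UDLD_FRAME = snap_frame(CISCO_CONTROL_MAC, SRC, CISCO_OUI, 0x0111, b"\x02" * 36)
CDP_FRAME = snap_frame(CISCO_CONTROL_MAC, SRC, CISCO_OUI, 0x2000, b"\x03" * 36)
IP_FRAME = bytes.fromhex("ffffffffffff") + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 45

if __name__ == "__main__":
    for name, f in [("VTP", VTP_FRAME), ("UDLD", UDLD_FRAME),
                    ("CDP", CDP_FRAME), ("IP", IP_FRAME)]:
        print(name, classify(f), acl_action(DENY_VTP, f), vlan_map_action(f))
```

Running it shows the point of the thread: only the frame whose SNAP PID is 0x2003 is denied by DENY-VTP or dropped by the VLAN map, while UDLD, CDP and ordinary Ethernet II traffic to the same multicast address pass. Swapping the VLAN map's ACL to a deny entry, as the thread warns against, would leave MATCH_VTP matching nothing and the map forwarding VTP.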