[c-nsp] Blocking VTP

Skeeve Stevens skeeve at skeeve.org
Mon Apr 21 05:57:26 EDT 2008


I've actually had it asked of me a number of times: 'why would I want to
block VTP?'

Our company is one which manages the infrastructure of many ISPs for them -
mainly small to medium ISPs, often local or regional, who can't afford a f/t
engineer or don't know the ISP industry.

The specific situation regarding switches fits one or other of the following
scenarios:

- ISP interconnects - trunks between ISPs, and having one network 'infect'
another over VTP.
- Even if VTP transparent is on, the ISP itself is ok (unless it installs one
and forgets, or during the initial install), but for any end customers' switches
or other ISPs interconnecting - if anyone has an unprotected or transparent
switch, they can be blown away.

There is a variety of reasons why switches controlled by different parties
would be interconnected with each other.  An IX for example; private
peering; transit trading; and so on.

I have several scenarios where a VLAN transits across 4 different ISPs in
2 different datacentres to get from end to end.

So basically, VTP can, and in the past has, caused me great pain... mainly
from the inability to turn it off.

Yes, there is a procedure we follow when wiping a switch: wipe config, wipe
VLAN database, load latest IOS, set to transparent, set a realm and password on all
new switches before they are even plugged into a network, but that is us.

We've had customers purchase a switch off somewhere like eBay, or a
remarketer, and while they have 'write erase'd the switch, the VLAN data
isn't wiped and it has trashed their entire network (which is when you find
out they haven't backed their configs up).  Yes, bad protocol, I know; they
should have deleted the VLAN database as well... but it's not something
people think of all the time.

If I am talking complete crap and you guys in the US just don't see these
kinds of scenarios, or there are other ways to deal with it that are simple
and don't require people to remember a variety of steps before they even
plug something in that might be hostile, please let me know.

...Skeeve


--
Skeeve Stevens, Managing Director
eintellego Pty Ltd - The ISP Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: (+612) 8197 2760, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?



-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Monday, 21 April 2008 5:49 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Blocking VTP

I don't know what your main purpose is, but in some cases, when you work in
an environment that doesn't use VTP at all and want to be sure that if by
mistake someone connects a device that works with VTP it won't cause any
problems, you can always use the global config command "vtp mode
transparent" on all your switches, which won't block the VTP packets but will
totally ignore them.


Ziv


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Sunday, April 20, 2008 10:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Blocking VTP


Hey All,

Is there a way on a 2950, 3550, 3560(G), 3750(G) to block VTP from coming in
a port - at all.

.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve

eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
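The pre-deployment wipe that Skeeve describes (wipe config, wipe the VLAN database, transparent mode, domain and password) and the "vtp mode transparent" setting Ziv suggests, written out as one Catalyst IOS session. This is an added example for this archive page, not configuration posted by either author; the domain name, password, interface and VLAN number are placeholders, and it assumes a 2950/3550/3560/3750-class switch running classic IOS with a `flash:` filesystem.

```cisco
! Added example, not from the thread. Baseline VTP hardening for a switch
! before it is cabled to any trunk you do not control.
!
! 1. Clear the running config AND the VLAN database. "write erase" alone
!    leaves vlan.dat in flash, which still carries the old VTP domain and
!    configuration revision number.
Switch# write erase
Switch# delete flash:vlan.dat
Switch# reload
!
! 2. After the reload, before any uplink is connected: ignore inbound VTP
!    advertisements and set a domain and password so that a stray
!    advertisement from a foreign domain cannot be accepted.
Switch# configure terminal
Switch(config)# vtp mode transparent
Switch(config)# vtp domain EXAMPLE-DOMAIN          ! placeholder
Switch(config)# vtp password EXAMPLE-PASSWORD      ! placeholder
!
! 3. Customer- or peer-facing hand-offs: VTP is only carried over trunk
!    links, so a port forced to access mode that never negotiates a trunk
!    does not process VTP (or DTP) at all.
Switch(config)# interface GigabitEthernet0/1      ! placeholder interface
Switch(config-if)# description customer hand-off
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100      ! placeholder VLAN
Switch(config-if)# switchport nonegotiate
Switch(config-if)# end
!
! 4. Verify before connecting: "VTP Operating Mode" must read Transparent,
!    and a freshly wiped switch shows Configuration Revision 0.
Switch# show vtp status
```

Two caveats that match the thread's point. First, transparent mode only protects the switch it is configured on: a transparent switch still forwards VTP advertisements it receives on one trunk out its other trunks, so a server- or client-mode switch further along the path can still be overwritten, which is exactly the multi-ISP VLAN transit problem Skeeve describes. Second, the per-port approach in step 3 only works for links that genuinely do not need to trunk; where a trunk to another party is required, the protection on that switch comes from step 2 (transparent mode plus a domain and password), not from the port itself.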


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/