[c-nsp] Blocking VTP

Phil Mayers p.mayers at imperial.ac.uk
Wed Apr 23 05:56:31 EDT 2008


Skeeve Stevens wrote:
> I can't believe there isn't:

I'm sorry to say whether you believe it or not has little to do with the 
reality of the situation. To the best of my (by no means encyclopaedic) 
knowledge, there is no such thing.

In any event, Tassos has already suggested:

1) make the port an access port
2) block 01-00-0C-CC-CC-CC (used by CDP too)
3) use transparent vtp v1 & different domain
4) block vlan 1 (although actually that's not possible)

Have you tried those? It seems like number 2 in a MAC ACL ought to be 
pretty bulletproof.
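
As an added illustration (not part of the original post), this sketch classifies untagged 802.3/SNAP frames and reports which protocols a MAC ACL deny on 01-00-0C-CC-CC-CC, suggestion 2 above, would drop alongside VTP. The sample frames are constructed, and the SNAP protocol IDs and the PVST+ address 01-00-0C-CC-CC-CD are standard Cisco values supplied here, not taken from the thread.

```python
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # 01-00-0C-CC-CC-CC from the post
PVST_MCAST = bytes.fromhex("01000ccccccd")    # assumption: PVST+ address, for contrast
CISCO_OUI = bytes.fromhex("00000c")
# SNAP protocol IDs carried under the Cisco OUI (values supplied by this example)
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
             0x0104: "PAgP", 0x0111: "UDLD", 0x010B: "PVST+"}

def classify(frame: bytes):
    """Return (protocol, dropped) where dropped means the destination MAC
    matches a deny on 01-00-0C-CC-CC-CC."""
    if len(frame) < 22:
        return ("short", False)
    dropped = frame[0:6] == CISCO_MCAST
    (length,) = struct.unpack("!H", frame[12:14])
    if length >= 0x0600:                      # EtherType, not an 802.3 length
        return ("ethernet-II", dropped)
    if frame[14:17] != b"\xaa\xaa\x03":       # LLC header without SNAP
        return ("llc", dropped)
    (pid,) = struct.unpack("!H", frame[20:22])
    if frame[17:20] != CISCO_OUI:
        return ("snap-other", dropped)
    return (SNAP_PIDS.get(pid, f"cisco-0x{pid:04x}"), dropped)

def build(dst: bytes, pid: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Construct a minimal 802.3 + LLC/SNAP frame for testing (not a capture)."""
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    src = bytes.fromhex("001122334455")       # constructed source MAC
    return dst + src + struct.pack("!H", len(body)) + body

def acl_impact(frames):
    """Sorted protocol names that the MAC deny would drop."""
    return sorted({proto for proto, dropped in map(classify, frames) if dropped})

# Constructed sample traffic on the port in question.
SAMPLE = [build(CISCO_MCAST, 0x2003), build(CISCO_MCAST, 0x2000),
          build(CISCO_MCAST, 0x2004), build(PVST_MCAST, 0x010B)]

if __name__ == "__main__":
    for f in SAMPLE:
        print(classify(f))
    print("dropped by the MAC deny:", acl_impact(SAMPLE))
```

The deny is keyed on the destination address only, so CDP and DTP on that port go with VTP, while PVST+ (sent to a different address) is untouched.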

