[c-nsp] Blocking VTP

Skeeve Stevens skeeve at skeeve.org
Thu Apr 24 07:58:27 EDT 2008


Hey Paul,

You got any examples on how you would block this on the port with the
protocol type and the MAC?

I've never done MAC blocking, or protocol type.... probably easy though.

...Skeeve

-----Original Message-----
From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] 
Sent: Thursday, 24 April 2008 8:13 PM
To: Phil Mayers
Cc: skeeve at skeeve.org; 'Gert Doering'; cisco-nsp at puck.nether.net;
achatz at forthnet.gr
Subject: Re: [c-nsp] Blocking VTP

Phil Mayers wrote:
> I'm sorry to say whether you believe it or not has little to do with the 
> reality of the situation. To the best of my (by no means encyclopaedic) 
> knowledge, there is no such thing.
>
> In any event, Tassos has already suggested:
>
> 1) make the port an access port
> 2) block 01-00-0C-CC-CC-CC (used by CDP too)
> 3) use transparent vtp v1 & different domain
> 4) block vlan 1 (although actually that's not possible)
>
> Have you tried those? It seems like number 2 in a MAC ACL ought to be 
> pretty bulletproof.
01-00-0C-CC-CC-CC is also used by a number of other protocols including 
PAgP, UDLD, DTP as well as CDP.  You can differentiate VTP from these by 
specifying its protocol type (0x2003).

Regards,

Paul.
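Paul's point is that the destination MAC alone does not single out VTP, because Cisco carries several control protocols to 01-00-0C-CC-CC-CC inside 802.2 LLC/SNAP framing and only the SNAP protocol ID tells them apart. The following is an added example for this thread, not code from any of the posters: it parses that framing and classifies a frame by SNAP PID, so you can see exactly which header fields a port filter has to match to drop VTP (0x2003, from the thread) while leaving CDP, DTP, PAgP and UDLD alone. The frames are constructed inline; the PIDs other than 0x2003 are the well-known Cisco SNAP protocol IDs under OUI 00:00:0c and are not taken from the thread.

```python
"""Classify Cisco control frames sent to 01-00-0C-CC-CC-CC by SNAP protocol ID.

Added example, not from the cisco-nsp thread. Only 0x2003 (VTP) is quoted in
the thread; the other protocol IDs are Cisco's well-known SNAP PIDs under
OUI 00:00:0c. All frames below are constructed for the example.
"""
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # shared by CDP, VTP, DTP, PAgP, UDLD
CISCO_OUI = bytes.fromhex("00000c")           # SNAP OUI used by those protocols
SNAP_PIDS = {
    0x2000: "CDP",
    0x2003: "VTP",    # the protocol type Paul refers to
    0x2004: "DTP",
    0x0104: "PAgP",
    0x0111: "UDLD",
}


def classify(frame: bytes) -> str:
    """Return the protocol name for a Cisco-multicast LLC/SNAP frame.

    Layout: dst(6) src(6) length(2) DSAP(1) SSAP(1) CTRL(1) OUI(3) PID(2) ...
    """
    if len(frame) < 22:
        return "short"
    if frame[0:6] != CISCO_MCAST:
        return "other"
    length_or_type = struct.unpack("!H", frame[12:14])[0]
    if length_or_type > 1500:
        # Ethernet II framing: no LLC/SNAP header, so no Cisco PID to read
        return "cisco-mcast/ethernet-ii"
    if (frame[14], frame[15], frame[16]) != (0xAA, 0xAA, 0x03):
        return "cisco-mcast/non-snap"
    if frame[17:20] != CISCO_OUI:
        return "cisco-mcast/snap-other-oui"
    pid = struct.unpack("!H", frame[20:22])[0]
    return SNAP_PIDS.get(pid, f"cisco-snap-0x{pid:04x}")


def build_frame(pid: int, payload: bytes = b"\x00" * 8,
                src: bytes = bytes.fromhex("0000aa000001")) -> bytes:
    """Construct a minimal 802.3 + LLC/SNAP frame to the Cisco multicast MAC."""
    body = bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", pid) + payload
    return CISCO_MCAST + src + struct.pack("!H", len(body)) + body


def drop_vtp_only(frames):
    """Keep every frame except VTP: the effect of filtering on MAC *and*
    protocol type, as opposed to denying the MAC outright."""
    return [f for f in frames if classify(f) != "VTP"]


def drop_by_mac_only(frames):
    """Keep every frame not addressed to the Cisco multicast MAC: the effect
    of a MAC-only deny, which takes CDP, DTP, PAgP and UDLD down with VTP."""
    return [f for f in frames if f[0:6] != CISCO_MCAST]


if __name__ == "__main__":
    sample = [build_frame(p) for p in (0x2000, 0x2003, 0x2004, 0x0104, 0x0111)]
    for f in sample:
        print(classify(f))
    print("kept by protocol-aware filter:", [classify(f) for f in drop_vtp_only(sample)])
    print("kept by MAC-only filter:", [classify(f) for f in drop_by_mac_only(sample)])
```

Run stand-alone it prints each frame's classification and then the two filter outcomes side by side; the MAC-only filter keeps nothing from the sample, which is the collateral damage Paul is warning about, while the PID-aware filter keeps everything except VTP.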
