[c-nsp] Blocking VTP
Skeeve Stevens
skeeve at skeeve.org
Thu Apr 24 07:58:27 EDT 2008
Hey Paul,
You got an examples on how you would block this on the port with the
protocol type and the MAC?
I've never done MAC blocking, or protocol type.... probably easy though.
...Skeeve
-----Original Message-----
From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
Sent: Thursday, 24 April 2008 8:13 PM
To: Phil Mayers
Cc: skeeve at skeeve.org; 'Gert Doering'; cisco-nsp at puck.nether.net;
achatz at forthnet.gr
Subject: Re: [c-nsp] Blocking VTP
Phil Mayers wrote:
> I'm sorry to say whether you believe it or not has little to do with the
> reality of the situation. To the best of my (by no means encyclopaedic)
> knowledge, there is no such thing.
>
> In any event, Tassos has already suggested:
>
> 1) make the port an access port
> 2) block 01-00-0C-CC-CC-CC (used by CDP too)
> 3) use transparent vtp v1 & different domain
> 4) block vlan 1 (although actually that's not possible)
>
> Have you tried those? It seems like number 2 in a MAC ACL ought to be
> pretty bulletproof.
> ______________________________________________
01-00-0C-CC-CC-CC is also used by a number of other protocols including
PAgP, UDLD, DTP as well as CDP. You can differentiate VTP from these by
specifying it's protocol type (0x2003).
Regards,
Paul.
More information about the cisco-nsp
mailing list