[c-nsp] Blocking VTP

Paul Cosgrove paul.cosgrove at heanet.ie
Thu Apr 24 09:00:38 EDT 2008


Hi Skeeve,

Here are a couple of alternative ways you should be able to block VTP.  
You can test the following on a trunk link by setting up two VTP servers 
(with the same domain etc.) and watching the VTP traffic using "debug 
sw-vlan vtp xmit" and "debug sw-vlan vtp packet".  Add a filter to one 
switch and create additional new VLANs on each device. 

The vlan map here will filter VTP from transiting on any vlan, not just 
stopping VTP being received by your device.  You probably do not want to 
do this but it is useful for comparison purposes.  Note that the acl 
required to do that is matching the traffic with a permit, not denying it.

#==== MAC ACL ====
! Drop frames to the Cisco multicast MAC only when the SNAP protocol
! type is 0x2003 (VTP); CDP, DTP, PAgP and UDLD use the same MAC and
! still match the permit below.
mac access-list extended DENY-VTP
 deny   any host 0100.0ccc.cccc 0x2003 0x0
 permit any any

! Inbound on the trunk port facing the neighbour you do not trust.
interface FastEthernet0/13
 mac access-group DENY-VTP in

#==== VLAN MAP =====
! For a VLAN map the ACL must *permit* the traffic to be dropped;
! the drop action lives in the access-map, not in the ACL.
mac access-list extended MATCH-VTP
  permit  any host 0100.0ccc.cccc 0x2003 0x0
 
vlan access-map DENY-VTP 10
 action drop
 match mac address MATCH-VTP
vlan access-map DENY-VTP 20
 action forward
!
! Applied to every VLAN, so VTP is stopped from transiting the switch
! on any VLAN, not just from being received by it.
vlan filter DENY-VTP vlan-list 1-4094

Paul.

Skeeve Stevens wrote:
> Hey Paul,
>
> You got an examples on how you would block this on the port with the
> protocol type and the MAC?
>
> I've never done MAC blocking, or protocol type.... probably easy though.
>
> ...Skeeve
>
> -----Original Message-----
> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] 
> Sent: Thursday, 24 April 2008 8:13 PM
> To: Phil Mayers
> Cc: skeeve at skeeve.org; 'Gert Doering'; cisco-nsp at puck.nether.net;
> achatz at forthnet.gr
> Subject: Re: [c-nsp] Blocking VTP
>
> Phil Mayers wrote:
>   
>> I'm sorry to say whether you believe it or not has little to do with the 
>> reality of the situation. To the best of my (by no means encyclopaedic) 
>> knowledge, there is no such thing.
>>
>> In any event, Tassos has already suggested:
>>
>> 1) make the port an access port
>> 2) block 01-00-0C-CC-CC-CC (used by CDP too)
>> 3) use transparent vtp v1 & different domain
>> 4) block vlan 1 (although actually that's not possible)
>>
>> Have you tried those? It seems like number 2 in a MAC ACL ought to be 
>> pretty bulletproof.
>> ______________________________________________
>>     
> 01-00-0C-CC-CC-CC is also used by a number of other protocols including 
> PAgP, UDLD, DTP as well as CDP.  You can differentiate VTP from these by 
> specifying its protocol type (0x2003).
>
> Regards,
>
> Paul.
>
>
>   
