[c-nsp] Blocking VTP

Paul Cosgrove paul.cosgrove at heanet.ie
Thu Apr 24 09:20:15 EDT 2008 

As you probably know, while VTP is not particularly chatty, you will 
find the debugs easier to read if you also specify the interface you want
i.e.  debug interface fa0/13

Paul.

Paul Cosgrove wrote:
> Hi Skeeve,
>
> Here are a couple of alternative ways you should be able to block VTP.  
> You can test the following on a trunk link by setting up two vtp servers 
> (with same domain etc.)  and watching the vtp traffic using "debug 
> sw-vlan vtp xmit" and "debug sw-vlan vtp packet".  Add a filter to one 
> switch and create additional new vlans on each device. 
>
> The vlan map here will filter VTP from transiting on any vlan, not just 
> stopping VTP being received by your device.  You probably do not want to 
> do this but it is useful for comparison purposes.  Note that the acl 
> required to do that is matching the traffic with a permit, not denying it.
>
> #==== MAC ACL ====
> mac access-list extended DENY-VTP
>  deny   any host 0100.0ccc.cccc 0x2003 0x0
>  permit any any
>
> interface FastEthernet0/13
>  mac access-group DENY-VTP in
>
> #==== VLAN MAP =====
> mac access-list extended MATCH-VTP
>   permit  any host 0100.0ccc.cccc 0x2003 0x0
>  
> vlan access-map DENY-VTP 10
>  action drop
>  match mac address MATCH-VTP
> vlan access-map DENY-VTP 20
>  action forward
> !
> vlan filter DENY-VTP vlan-list 1-4094
>
> Paul.
>
> Skeeve Stevens wrote:
>   
>> Hey Paul,
>>
>> You got an examples on how you would block this on the port with the
>> protocol type and the MAC?
>>
>> I've never done MAC blocking, or protocol type.... probably easy though.
>>
>> ...Skeeve
>>
>> -----Original Message-----
>> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] 
>> Sent: Thursday, 24 April 2008 8:13 PM
>> To: Phil Mayers
>> Cc: skeeve at skeeve.org; 'Gert Doering'; cisco-nsp at puck.nether.net;
>> achatz at forthnet.gr
>> Subject: Re: [c-nsp] Blocking VTP
>>
>> Phil Mayers wrote:
>>   
>>     
>>> I'm sorry to say whether you believe it or not has little to do with the 
>>> reality of the situation. To the best of my (by no means encyclopaedic) 
>>> knowledge, there is no such thing.
>>>
>>> In any event, Tassos has already suggested:
>>>
>>> 1) make the port an access port
>>> 2) block 01-00-0C-CC-CC-CC (used by CDP too)
>>> 3) use transparent vtp v1 & different domain
>>> 4) block vlan 1 (although actually that's not possible)
>>>
>>> Have you tried those? It seems like number 2 in a MAC ACL ought to be 
>>> pretty bulletproof.
>>> ______________________________________________
>>>     
>>>       
>> 01-00-0C-CC-CC-CC is also used by a number of other protocols including 
>> PAgP, UDLD, DTP as well as CDP.  You can differentiate VTP from these by 
>> specifying it's protocol type (0x2003).
>>
>> Regards,
>>
>> Paul.
>>
>>
>>   
>>     
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

More information about the cisco-nsp mailing list