[c-nsp] Blocking VTP
Tassos Chatzithomaoglou
achatz at forthnet.gr
Thu Apr 24 10:41:43 EDT 2008
Paul,
To be honest, I didn't think the MAC ACL would work using 0x2003 as an ethertype, because the value 0x2003 refers to the Local Code field (or Protocol Identifier (PID)) of the LLC/SNAP header.
But I tried it and it worked. It also worked for UDLD (0x0111).
I then found out that IEEE made it for backwards compatibility reasons with the Ethernet Version II format, which used the ethertype field first.
--
Tassos
Paul Cosgrove wrote on 24/4/2008 4:20 PM:
> As you probably know, while VTP is not particularly chatty, you will
> find the debugs easier to read if you also specify the interface you want,
> i.e. debug interface fa0/13
>
> Paul.
>
> Paul Cosgrove wrote:
>> Hi Skeeve,
>>
>> Here are a couple of alternative ways you should be able to block VTP.
>> You can test the following on a trunk link by setting up two vtp servers
>> (with same domain etc.) and watching the vtp traffic using "debug
>> sw-vlan vtp xmit" and "debug sw-vlan vtp packet". Add a filter to one
>> switch and create additional new vlans on each device.
>>
>> The VLAN map here will filter VTP from transiting on any VLAN, not just
>> stop VTP from being received by your device. You probably do not want to
>> do this, but it is useful for comparison purposes. Note that the ACL
>> required to do that matches the traffic with a permit rather than denying it.
>>
>> #==== MAC ACL ====
>> mac access-list extended DENY-VTP
>> deny any host 0100.0ccc.cccc 0x2003 0x0
>> permit any any
>>
>> interface FastEthernet0/13
>> mac access-group DENY-VTP in
>>
>> #==== VLAN MAP =====
>> mac access-list extended MATCH-VTP
>> permit any host 0100.0ccc.cccc 0x2003 0x0
>>
>> vlan access-map DENY-VTP 10
>> action drop
>> match mac address MATCH-VTP
>> vlan access-map DENY-VTP 20
>> action forward
>> !
>> vlan filter DENY-VTP vlan-list 1-4094
>>
>> Paul.
>>
>> Skeeve Stevens wrote:
>>
>>> Hey Paul,
>>>
>>> You got an example of how you would block this on the port with the
>>> protocol type and the MAC?
>>>
>>> I've never done MAC blocking, or protocol type.... probably easy though.
>>>
>>> ...Skeeve
>>>
>>> -----Original Message-----
>>> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
>>> Sent: Thursday, 24 April 2008 8:13 PM
>>> To: Phil Mayers
>>> Cc: skeeve at skeeve.org; 'Gert Doering'; cisco-nsp at puck.nether.net;
>>> achatz at forthnet.gr
>>> Subject: Re: [c-nsp] Blocking VTP
>>>
>>> Phil Mayers wrote:
>>>
>>>
>>>> I'm sorry to say whether you believe it or not has little to do with the
>>>> reality of the situation. To the best of my (by no means encyclopaedic)
>>>> knowledge, there is no such thing.
>>>>
>>>> In any event, Tassos has already suggested:
>>>>
>>>> 1) make the port an access port
>>>> 2) block 01-00-0C-CC-CC-CC (used by CDP too)
>>>> 3) use transparent vtp v1 & different domain
>>>> 4) block vlan 1 (although actually that's not possible)
>>>>
>>>> Have you tried those? It seems like number 2 in a MAC ACL ought to be
>>>> pretty bulletproof.
>>> 01-00-0C-CC-CC-CC is also used by a number of other protocols, including
>>> PAgP, UDLD and DTP as well as CDP. You can differentiate VTP from these by
>>> specifying its protocol type (0x2003).
>>>
>>> Regards,
>>>
>>> Paul.
>>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>
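The thread's MAC ACL keys on 0x2003, which is the SNAP protocol ID that follows the LLC header (AA AA 03) and Cisco's OUI (00 00 0c) in an 802.3 frame, not an Ethernet II ethertype; that is why the same kind of match also catches UDLD (0x0111). As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python decoder that parses constructed 802.3/LLC/SNAP frames addressed to 0100.0ccc.cccc, names the protocol by PID, models the verdict of the DENY-VTP access list from Paul's post, and pulls the domain and configuration revision out of a VTP summary advertisement. All sample frames are constructed inline, not captures; the CDP, DTP and PAgP PID values (0x2000, 0x2004, 0x0104) are Cisco's assignments and are not quoted in the thread.

```python
"""Decode frames sent to 01:00:0c:cc:cc:cc and model the DENY-VTP MAC ACL."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CISCO_MCAST = bytes.fromhex("01000ccccccc")  # 0100.0ccc.cccc in IOS notation
CISCO_OUI = bytes.fromhex("00000c")
VTP_PID = 0x2003

# SNAP PIDs under the Cisco OUI. 0x2003 (VTP) and 0x0111 (UDLD) are quoted in
# the thread; CDP, DTP and PAgP are Cisco assignments added here for context.
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x0111: "UDLD", 0x0104: "PAgP"}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # 802.1Q VID if the frame was tagged, else None
    proto: int            # SNAP PID for LLC/SNAP frames, ethertype for Ethernet II
    snap: bool            # True when proto is a SNAP PID
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II or 802.3/LLC/SNAP frame, with an optional 802.1Q tag."""
    dst, src = raw[0:6], raw[6:12]
    off, vlan = 12, None
    (field,) = struct.unpack_from("!H", raw, off)
    if field == 0x8100:                      # 802.1Q tag: TPID then TCI
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
        (field,) = struct.unpack_from("!H", raw, off)
    off += 2
    if field >= 0x0600:                      # Ethernet II: the field is an ethertype
        return Frame(dst, src, vlan, field, False, raw[off:])
    # 802.3: the field is a length; expect LLC DSAP/SSAP/ctrl = AA AA 03, then SNAP
    if raw[off:off + 3] != b"\xaa\xaa\x03":
        raise ValueError("802.3 frame without an LLC/SNAP header")
    oui = raw[off + 3:off + 6]
    (pid,) = struct.unpack_from("!H", raw, off + 6)
    if oui != CISCO_OUI:
        raise ValueError(f"unexpected SNAP OUI {oui.hex()}")
    return Frame(dst, src, vlan, pid, True, raw[off + 8:])


def classify(frame: Frame) -> str:
    """Name the Cisco control protocol from destination MAC plus SNAP PID."""
    if frame.dst != CISCO_MCAST or not frame.snap:
        return "other"
    return SNAP_PIDS.get(frame.proto, f"unknown-0x{frame.proto:04x}")


def deny_vtp_acl(frame: Frame) -> str:
    """Software model of the thread's MAC ACL:
         deny any host 0100.0ccc.cccc 0x2003 0x0
         permit any any
    Only VTP is dropped; CDP, DTP, UDLD and PAgP to the same MAC still pass."""
    if frame.dst == CISCO_MCAST and frame.snap and frame.proto == VTP_PID:
        return "deny"
    return "permit"


def vtp_summary(payload: bytes) -> Dict[str, object]:
    """Fields of a VTP summary advertisement that decide whether a neighbour
    can overwrite your VLAN database: management domain and config revision."""
    version, code, followers, dlen = payload[0], payload[1], payload[2], payload[3]
    domain = payload[4:36][:dlen].decode("ascii")   # 32-byte field, dlen used
    (revision,) = struct.unpack_from("!I", payload, 36)
    return {"version": version, "code": code, "followers": followers,
            "domain": domain, "revision": revision}


def build_snap_frame(dst: bytes, src: bytes, pid: int, payload: bytes,
                     vlan: Optional[int] = None) -> bytes:
    """Build a constructed 802.3/LLC/SNAP frame under the Cisco OUI."""
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", len(body)) + body


# Constructed sample frames (not captures): a VTP v2 summary advert for
# domain "LAB" at revision 7 (untagged and tagged VLAN 1), CDP, UDLD, and an
# Ethernet II ARP request that the ACL must leave alone.
SRC = bytes.fromhex("001122334455")
VTP_PAYLOAD = bytes([2, 1, 0, 3]) + b"LAB".ljust(32, b"\x00") + struct.pack("!I", 7)
SAMPLES = {
    "vtp": build_snap_frame(CISCO_MCAST, SRC, VTP_PID, VTP_PAYLOAD),
    "vtp_tagged": build_snap_frame(CISCO_MCAST, SRC, VTP_PID, VTP_PAYLOAD, vlan=1),
    "cdp": build_snap_frame(CISCO_MCAST, SRC, 0x2000, b"\x02\xb4\x00\x00"),
    "udld": build_snap_frame(CISCO_MCAST, SRC, 0x0111, b"\x21\x01"),
    "arp": b"\xff" * 6 + SRC + struct.pack("!H", 0x0806) + b"\x00\x01\x08\x00",
}


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Classify each sample and report what the DENY-VTP ACL would do with it."""
    out = {}
    for name, raw in SAMPLES.items():
        f = parse_frame(raw)
        out[name] = (classify(f), deny_vtp_acl(f))
    return out


if __name__ == "__main__":
    for name, (proto, verdict) in run_demo().items():
        print(f"{name:11s} {proto:6s} {verdict}")
    print(vtp_summary(parse_frame(SAMPLES["vtp"]).payload))
```

Run it directly to get one line per sample. The parser also accepts an 802.1Q tag in front of the length field, so the same check works whether a control frame arrives tagged or untagged on a trunk, which matters when you compare a port ACL against the VLAN-map approach from the thread.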