[c-nsp] Blocking VTP

Paul Cosgrove paul.cosgrove at heanet.ie
Thu Apr 24 11:38:36 EDT 2008


Thanks for testing that Tassos,
 
The protocol identifier field is five bytes long, and is divided into a 
three byte OUI (which isn't used) and the two byte ethertype.

Paul.

Tassos Chatzithomaoglou wrote:
> Paul,
>
> To be honest, I didn't think the mac acl would work using 0x2003 as an 
> ethertype, because the value 0x2003 refers to the Local Code field (or 
> Protocol Identifier (PID)) of the LLC/SNAP header.
>
> But I tried it and it worked. It also worked for UDLD (0x0111).
>
> I then found out that IEEE made it for backwards compatibility reasons 
> with the Ethernet Version II format which used first the ethertype field.
>
>
> -- 
> Tassos
>
>
> Paul Cosgrove wrote on 24/4/2008 4:20 PM:
>> As you probably know, while VTP is not particularly chatty, you will 
>> find the debugs easier to read if you also specify the interface you 
>> want, i.e. "debug interface fa0/13".
>>
>> Paul.
>>
>> Paul Cosgrove wrote:
>>> Hi Skeeve,
>>>
>>> Here are a couple of alternative ways you should be able to block 
>>> VTP.  You can test the following on a trunk link by setting up two 
>>> vtp servers (with same domain etc.)  and watching the vtp traffic 
>>> using "debug sw-vlan vtp xmit" and "debug sw-vlan vtp packet".  Add 
>>> a filter to one switch and create additional new vlans on each device.
>>> The vlan map here will filter VTP from transiting on any vlan, not 
>>> just stopping VTP being received by your device.  You probably do 
>>> not want to do this but it is useful for comparison purposes.  Note 
>>> that the acl required to do that is matching the traffic with a 
>>> permit, not denying it.
>>>
>>> #==== MAC ACL ====
>>> mac access-list extended DENY-VTP
>>>  deny   any host 0100.0ccc.cccc 0x2003 0x0
>>>  permit any any
>>>
>>> interface FastEthernet0/13
>>>  mac access-group DENY-VTP in
>>>
>>> #==== VLAN MAP =====
>>> mac access-list extended MATCH-VTP
>>>   permit  any host 0100.0ccc.cccc 0x2003 0x0
>>>  
>>> vlan access-map DENY-VTP 10
>>>  action drop
>>>  match mac address MATCH-VTP
>>> vlan access-map DENY-VTP 20
>>>  action forward
>>> !
>>> vlan filter DENY-VTP vlan-list 1-4094
>>>
>>> Paul.
>>>
>>> Skeeve Stevens wrote:
>>>> Hey Paul,
>>>>
>>>> You got any examples on how you would block this on the port with the
>>>> protocol type and the MAC?
>>>>
>>>> I've never done MAC blocking, or protocol type.... probably easy 
>>>> though.
>>>>
>>>> ...Skeeve
>>>>
>>>> -----Original Message-----
>>>> From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] Sent: 
>>>> Thursday, 24 April 2008 8:13 PM
>>>> To: Phil Mayers
>>>> Cc: skeeve at skeeve.org; 'Gert Doering'; cisco-nsp at puck.nether.net;
>>>> achatz at forthnet.gr
>>>> Subject: Re: [c-nsp] Blocking VTP
>>>>
>>>> Phil Mayers wrote:
>>>>> I'm sorry to say whether you believe it or not has little to do 
>>>>> with the reality of the situation. To the best of my (by no means 
>>>>> encyclopaedic) knowledge, there is no such thing.
>>>>>
>>>>> In any event, Tassos has already suggested:
>>>>>
>>>>> 1) make the port an access port
>>>>> 2) block 01-00-0C-CC-CC-CC (used by CDP too)
>>>>> 3) use transparent vtp v1 & different domain
>>>>> 4) block vlan 1 (although actually that's not possible)
>>>>>
>>>>> Have you tried those? It seems like number 2 in a MAC ACL ought to 
>>>>> be pretty bulletproof.
>>>> 01-00-0C-CC-CC-CC is also used by a number of other protocols 
>>>> including PAgP, UDLD, DTP as well as CDP.  You can differentiate 
>>>> VTP from these by specifying its protocol type (0x2003).
>>>>
>>>> Regards,
>>>>
>>>> Paul.
>>>>
>>>>
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>
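The thread's point is that the "ethertype" argument of the IOS mac ACL is matched against the 2-byte PID of the LLC/SNAP protocol identifier, so 0x2003 singles out VTP among the protocols sharing 0100.0ccc.cccc. The following is an added illustration, not code from the thread or from Cisco: it parses a constructed 802.3/LLC/SNAP frame and applies the DENY-VTP mac ACL semantics (exact PID match, since the mask is 0x0) to show which frames on that multicast address are dropped and which pass. The PIDs for CDP, DTP and PAgP are the well-known Cisco SNAP values, not taken from the thread.

```python
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # 0100.0ccc.cccc in IOS notation
CISCO_OUI = bytes.fromhex("00000c")
# PIDs seen on 0100.0ccc.cccc. 0x2003 (VTP) and 0x0111 (UDLD) are from the thread;
# the others are the well-known Cisco SNAP PIDs for the protocols Paul lists.
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x0104: "PAgP", 0x0111: "UDLD"}

# The DENY-VTP mac ACL from the thread as (action, dst or None for 'any', pid, mask).
# In IOS a mask bit of 1 means "don't care", so "0x2003 0x0" is an exact match.
DENY_VTP_ACL = [("deny", CISCO_MCAST, 0x2003, 0x0000), ("permit", None, None, None)]

def parse_frame(frame: bytes):
    """Split an 802.3 frame into (dst, src, pid); pid is None unless LLC/SNAP is present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    # Ethernet II frames carry an EtherType (>= 0x0600) here and have no LLC header.
    if type_or_len >= 0x0600 or len(frame) < 22:
        return dst, src, None
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if (dsap, ssap, ctrl) != (0xAA, 0xAA, 0x03):
        return dst, src, None
    # The 5-byte protocol identifier: 3-byte OUI (ignored by the ACL) + 2-byte PID.
    pid = struct.unpack("!H", frame[20:22])[0]
    return dst, src, pid

def apply_mac_acl(frame: bytes, acl=DENY_VTP_ACL) -> str:
    """Return the action of the first matching entry, as 'mac access-group ... in' would."""
    dst, _src, pid = parse_frame(frame)
    for action, want_dst, want_pid, mask in acl:
        if want_dst is not None and dst != want_dst:
            continue
        if want_pid is not None and (pid is None or (pid & ~mask) != (want_pid & ~mask)):
            continue
        return action
    return "deny"   # implicit deny at the end of every IOS ACL

def build_snap_frame(dst: bytes, src: bytes, pid: int, payload: bytes = b"") -> bytes:
    """Constructed test frame: 802.3 length field, LLC SNAP header, Cisco OUI, PID."""
    body = bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    src = bytes.fromhex("001122334455")   # constructed source MAC
    for pid, name in SNAP_PIDS.items():
        frame = build_snap_frame(CISCO_MCAST, src, pid)
        print(f"{name:5s} PID 0x{pid:04x} -> {apply_mac_acl(frame)}")
```

Run as a script it prints one line per protocol; only the VTP frame is denied, which is the behaviour Tassos confirmed on the switch.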
