Re: blocking VTP traffic

From: James Ventre (messageboard@ventrefamily.com)
Date: Thu Apr 21 2005 - 14:48:31 GMT-3


>Also keep in mind that CDP and VTP will use the same D-MAC.

To elaborate on this a bit more.

SNAP Protocol Type:
CDP = 0x2000
VTP = 0x2003
DTP = 0x2004

James

James Ventre wrote:

    I take it that the first entry is the one for vtp, right?

  In this instance yes, but don't count on that always being the case.
  That's why I suggest you just memorize it.

    Besides that entry are there any others that are special? Like STP?
    DTP? CDP? HSRP? etc.?
  
  802.1d BPDU = 0180.c200.0000
  PVST BPDU (native vlan) = 0100.0ccc.cccd
  
  You can calculate the one for the tagged PVST vlan ID ... check CCO for
  that.
  
  I'm sure there are more - but I can't remember them off the top of my
  head.
  
  Also keep in mind that CDP and VTP will use the same D-MAC. You block
  one ..... and you might block the other - don't create your own "Rat
  Holes" :)
  
  James
  
  ccie2be wrote:
  
    Hey James,
    
    Thanks for showing us that table. I take it that the first entry is the one
    for vtp, right?
    
    Besides that entry are there any others that are special? Like STP? DTP?
    CDP? HSRP? etc.?
    
    Thanks again, Tim
    
    -----Original Message-----
    From: nobody@groupstudy.com [ mailto:nobody@groupstudy.com ] On Behalf Of
    James Ventre
    Sent: Thursday, April 21, 2005 12:39 PM
    To: ccielab@groupstudy.com
    Subject: Re: blocking VTP traffic
    
    You'll have to remember something about it .... one way or another.
    
    It's either how you figure it out (memorize the command and what to look
    for) or just memorize the MAC. But you've got 2 options.
    
    1. Remember that the multicast byte is turned on ... and the 2nd half is
    all c's.
    
    2. Figure it out from the below list.
    
    SWITCH>sh mac-address-table vl 1
    Mac Address Table
    -------------------------------------------
    
    Vlan Mac Address Type Ports
    ---- ----------- -------- -----
    1 0100.0ccc.cccc STATIC CPU
    1 0100.0ccc.cccd STATIC CPU
    1 0180.c200.0000 STATIC CPU
    1 0180.c200.0001 STATIC CPU
    1 0180.c200.0002 STATIC CPU
    1 0180.c200.0003 STATIC CPU
    1 0180.c200.0004 STATIC CPU
    1 0180.c200.0005 STATIC CPU
    1 0180.c200.0006 STATIC CPU
    1 0180.c200.0007 STATIC CPU
    1 0180.c200.0008 STATIC CPU
    1 0180.c200.0009 STATIC CPU
    1 0180.c200.000a STATIC CPU
    1 0180.c200.000b STATIC CPU
    1 0180.c200.000c STATIC CPU
    1 0180.c200.000d STATIC CPU
    1 0180.c200.000e STATIC CPU
    1 0180.c200.000f STATIC CPU
    1 0180.c200.0010 STATIC CPU
    1 ffff.ffff.ffff STATIC CPU
    
    James
    
    ccie2be wrote:
    
      Hey James,
      
      Let's suppose for a moment, someone taking the lab couldn't remember that
      mac address.
      
      How would they find it out? Check the config guide?
      
      Thx, Tim
      
      -----Original Message-----
      From: nobody@groupstudy.com [ mailto:nobody@groupstudy.com ] On Behalf Of
      James Ventre
      Sent: Thursday, April 21, 2005 11:56 AM
      To: ccielab@groupstudy.com
      Subject: Re: blocking VTP traffic
      
      MAC ACL to block destination of: 01-00-0C-CC-CC-CC ??
      
      But on a lot of platforms MAC ACLs are only for NON IP traffic ... so
      be careful.
      
      James
    
      ccie2be wrote:
    
        Pankaj,
        
        I think the only way to do this would be by using a vlan acl.
        
        VTP traffic I believe is always carried in the management vlan which is
        vlan 1.
        
        The real issue I think is figuring out how to specify vtp traffic in the
        vlan map.
        
        Off-hand, I don't know how to specify vtp traffic but maybe there's a
        debug which could shine some light on this question.
        
        HTH, Tim
        
        -----Original Message-----
        From: nobody@groupstudy.com [ mailto:nobody@groupstudy.com ] On Behalf Of
        Pankaj Madhukar Kulkarni
        Sent: Thursday, April 21, 2005 11:04 AM
        To: ccielab@groupstudy.com
        Subject: blocking VTP traffic
        
        Hi Group,
    
        If the question demands that all "VTP traffic should be blocked", does
        this require that both the switches be configured in the transparent
        mode?
    
        Regards,
        
        Pankaj K
        
        _______________________________________________________________________
        Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:06 GMT-3
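
Added example, not part of the original thread: a small frame classifier showing why a filter on destination 0100.0ccc.cccc cannot tell CDP, VTP and DTP apart, and that only the SNAP protocol type listed above separates them. The Cisco SNAP OUI (00-00-0C), the source MAC and the sample frames are assumptions constructed for the example.

```python
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")  # 0100.0ccc.cccc (from the thread)
CISCO_OUI = bytes.fromhex("00000c")          # SNAP OUI (assumption, not in the thread)
SNAP_TYPES = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}  # from the thread
DMAC_ONLY = {                                # identified by D-MAC alone (from the thread)
    bytes.fromhex("0180c2000000"): "802.1d BPDU",
    bytes.fromhex("01000ccccccd"): "PVST BPDU (native vlan)",
}
SRC = bytes.fromhex("020000000001")          # constructed locally administered MAC


def classify(frame: bytes) -> str:
    """Name the L2 control protocol carried by a raw 802.3 frame."""
    if len(frame) < 14:
        return "truncated"
    dst = frame[0:6]
    if dst in DMAC_ONLY:
        return DMAC_ONLY[dst]
    if dst != CISCO_MCAST:
        return "other"
    (length,) = struct.unpack("!H", frame[12:14])
    if length >= 0x0600 or len(frame) < 22:  # EtherType, or too short for SNAP
        return "unknown (not 802.3 LLC/SNAP)"
    if frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI:
        return "unknown (not Cisco SNAP)"
    (ptype,) = struct.unpack("!H", frame[20:22])
    return SNAP_TYPES.get(ptype, f"unknown SNAP 0x{ptype:04x}")


def snap_frame(ptype: int, payload: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed Cisco SNAP frame to 0100.0ccc.cccc."""
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", ptype) + payload
    return CISCO_MCAST + SRC + struct.pack("!H", len(body)) + body


def dropped_by_dmac_filter(frames, blocked_dst: bytes = CISCO_MCAST):
    """Protocols a destination-MAC-only filter would drop."""
    return sorted({classify(f) for f in frames if f[0:6] == blocked_dst})


# Constructed samples: one CDP, one VTP, one DTP, one 802.1d BPDU (LLC 0x42).
SAMPLES = [snap_frame(t) for t in (0x2000, 0x2003, 0x2004)]
bpdu_body = b"\x42\x42\x03" + b"\x00" * 4
SAMPLES.append(bytes.fromhex("0180c2000000") + SRC
               + struct.pack("!H", len(bpdu_body)) + bpdu_body)

if __name__ == "__main__":
    print(dropped_by_dmac_filter(SAMPLES))
```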