RE: blocking VTP traffic - mac addr list

From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Apr 21 2005 - 17:25:03 GMT-3


Hey Pat,

Thanks. What a great list to have.

Where did you find this list? Did you create it? If so, how?

I'm not aware of such a list existing on the Doc-CD. If you had to find any
of this info during the lab, what would you do assuming you don't have this
info memorized?

Thanks again, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Pat Chui
Sent: Thursday, April 21, 2005 3:49 PM
To: ccielab@groupstudy.com
Subject: Re: blocking VTP traffic

here is a complete list:

Feature                                SNAP HDLC Protocol Type   Dest. Mcast MAC
-------------------------------------  ------------------------  --------------------
Port Aggregation Protocol (PAgP)       0x0104                    01-00-0c-cc-cc-cc
Per-VLAN Spanning Tree + (PVST+)       0x010b                    01-00-0c-cc-cc-cd
VLAN bridge                            0x010c                    01-00-0c-cd-cd-ce
Unidirectional Link Detection (UDLD)   0x0111                    01-00-0c-cc-cc-cc
Cisco Discovery Protocol               0x2000                    01-00-0c-cc-cc-cc
Dynamic Trunking (DTP)                 0x2004                    01-00-0c-cc-cc-cc
STP UplinkFast                         0x200a                    01-00-0c-cd-cd-cd
IEEE spanning tree 802.1d              N/A - DSAP 42 SSAP 42     01-80-c2-00-00-00
InterSwitch Link (ISL)                 N/A                       01-00-0c-00-00-00
VLAN Trunk Protocol (VTP)              0x2003                    01-00-0c-cc-cc-cc
IEEE Pause 802.3x                      N/A - DSAP 81 SSAP 80     01-80-C2-00-00-00>0F

On 4/21/05, James Ventre <messageboard@ventrefamily.com> wrote:
> >Also keep in mind that CDP and VTP will use the same D-MAC.
>
> To elaborate on this a bit more.
>
> SNAP Protocol Type:
> CDP = 0x2000
> VTP = 0x2003
> DTP = 0x2004
>
> James
>
> James Ventre wrote:
>
> I take it that the first entry is the one for vtp, right?
>
> In this instance yes, but don't count on that always being the case.
> That's why I suggest you just memorize it.
>
> Besides that entry are there any others that are special? Like STP?
> DTP? CDP? HSRP? etc.?
>
> 802.1d BPDU = 0180.c200.0000
> PVST BPDU (native vlan) = 0100.0ccc.cccd
>
> You can calculate the one for the tagged PVST vlan ID ... check CCO for
> that.
>
> I'm sure there are more - but I can't remember them off the top of my
> head.
>
> Also keep in mind that CDP and VTP will use the same D-MAC. You block
> one ..... and you might block the other - don't create your own "Rat
> Holes" :)
>
> James
>
> ccie2be wrote:
>
> Hey James,
>
> Thanks for showing us that table. I take it that the first entry is the one
> for vtp, right?
>
> Besides that entry are there any others that are special? Like STP? DTP?
> CDP? HSRP? etc.?
>
> Thanks again, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> James Ventre
> Sent: Thursday, April 21, 2005 12:39 PM
> To: ccielab@groupstudy.com
> Subject: Re: blocking VTP traffic
>
> You'll have to remember something about it .... one way or another.
>
> It's either how you figure it out (memorize the command and what to look
> for) or just memorize the MAC. But you've got 2 options.
>
> 1. Remember that the multicast byte is turned on ... and the 2nd half is
> all c's.
>
> 2. Figure it out from the below list.
>
> SWITCH>sh mac-address-table vl 1
> Mac Address Table
> -------------------------------------------
>
> Vlan Mac Address Type Ports
> ---- ----------- -------- -----
> 1 0100.0ccc.cccc STATIC CPU
> 1 0100.0ccc.cccd STATIC CPU
> 1 0180.c200.0000 STATIC CPU
> 1 0180.c200.0001 STATIC CPU
> 1 0180.c200.0002 STATIC CPU
> 1 0180.c200.0003 STATIC CPU
> 1 0180.c200.0004 STATIC CPU
> 1 0180.c200.0005 STATIC CPU
> 1 0180.c200.0006 STATIC CPU
> 1 0180.c200.0007 STATIC CPU
> 1 0180.c200.0008 STATIC CPU
> 1 0180.c200.0009 STATIC CPU
> 1 0180.c200.000a STATIC CPU
> 1 0180.c200.000b STATIC CPU
> 1 0180.c200.000c STATIC CPU
> 1 0180.c200.000d STATIC CPU
> 1 0180.c200.000e STATIC CPU
> 1 0180.c200.000f STATIC CPU
> 1 0180.c200.0010 STATIC CPU
> 1 ffff.ffff.ffff STATIC CPU
>
> James
>
> ccie2be wrote:
>
> Hey James,
>
> Let's suppose for a moment, someone taking the lab couldn't remember that
> mac address.
>
> How would they find it out? Check the config guide?
>
> Thx, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> James Ventre
> Sent: Thursday, April 21, 2005 11:56 AM
> To: ccielab@groupstudy.com
> Subject: Re: blocking VTP traffic
>
> MAC ACL to block destination of: 01-00-0C-CC-CC-CC ??
>
> But on a lot of platforms MAC ACL's are only for NON IP traffic ... so
> be careful.
>
> James
>
> ccie2be wrote:
>
> Pankaj,
>
> I think the only way to do this would be by using a vlan acl.
>
> VTP traffic I believe is always carried in the management vlan which is
> vlan 1.
>
> The real issue I think is figuring out how to specify vtp traffic in the
> vlan map.
>
> Off-hand, I don't know how to specify vtp traffic but maybe there's a debug
> which could shine some light on this question.
>
> HTH, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Pankaj Madhukar Kulkarni
> Sent: Thursday, April 21, 2005 11:04 AM
> To: ccielab@groupstudy.com
> Subject: blocking VTP traffic
>
> Hi Group,
>
> If the question demands that all "VTP traffic should be blocked". Does
> this require that both the switches be configured in the transparent
> mode???
>
> Regards,
>
> Pankaj K
>
>
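
Added example, not part of the original thread: a small classifier showing why a filter on destination MAC 01-00-0c-cc-cc-cc alone also drops CDP, DTP, PAgP and UDLD, while matching on the SNAP protocol type from the list above isolates VTP. It assumes 802.3 frames with LLC/SNAP encapsulation (AA AA 03) and the Cisco OUI 00-00-0c; the function names, the source MAC and the sample frames are constructed for illustration.

```python
import struct

# SNAP protocol types sent to 01-00-0c-cc-cc-cc, taken from the list in this thread.
SNAP_TYPES = {0x0104: "PAgP", 0x0111: "UDLD", 0x2000: "CDP",
              0x2003: "VTP", 0x2004: "DTP"}
CISCO_MCAST = bytes.fromhex("01000ccccccc")
LLC_SNAP = bytes.fromhex("aaaa03")   # DSAP AA, SSAP AA, control 03 (assumed)
CISCO_OUI = bytes.fromhex("00000c")  # SNAP OUI (assumed)

def build_frame(dst, snap_type, payload=b"\x00" * 8):
    """Constructed 802.3 + LLC/SNAP test frame; the source MAC is made up."""
    body = LLC_SNAP + CISCO_OUI + struct.pack("!H", snap_type) + payload
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", len(body)) + body

def classify(frame):
    """Name the protocol of a frame sent to the shared Cisco multicast MAC.

    Returns None when the frame is too short, is Ethernet II, lacks the
    Cisco SNAP header, or goes to a different destination MAC.
    """
    if len(frame) < 22 or frame[0:6] != CISCO_MCAST:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:  # values above 1500 are an EtherType, not a length
        return None
    if frame[14:17] != LLC_SNAP or frame[17:20] != CISCO_OUI:
        return None
    (snap_type,) = struct.unpack("!H", frame[20:22])
    return SNAP_TYPES.get(snap_type, "unknown")

def mac_only_filter(frame):
    """What a destination-MAC-only ACL matches."""
    return frame[0:6] == CISCO_MCAST

def vtp_filter(frame):
    """Match on destination MAC plus SNAP protocol type 0x2003."""
    return classify(frame) == "VTP"

def dropped_by(filter_fn, frames):
    """Sorted names of the sample frames a filter would drop."""
    return sorted(name for name, f in frames.items() if filter_fn(f))

# Constructed sample traffic: one frame per protocol, plus PVST+ on its own MAC.
SAMPLE = {name: build_frame(CISCO_MCAST, t) for t, name in SNAP_TYPES.items()}
SAMPLE["PVST+"] = build_frame(bytes.fromhex("01000ccccccd"), 0x010B)

if __name__ == "__main__":
    print("MAC-only filter drops:", dropped_by(mac_only_filter, SAMPLE))
    print("MAC + SNAP type drops:", dropped_by(vtp_filter, SAMPLE))
```
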



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:06 GMT-3