From: Sam Joseph (samjoseph747@hotmail.com)
Date: Thu Apr 21 2005 - 22:10:35 GMT-3
According to me, the solution is very straightforward:
Cat3550s by default run in VTP mode 1 even though the switch is capable of
running in VTP mode 2. Here is an example from my home lab.
Rack09SW1#sh vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : VTP09
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x33 0x45 0x93 0xAC 0x97 0xD9 0xAC 0xFB
Configuration last modified by 0.0.0.0 at 3-1-93 02:30:45
Local updater ID is 0.0.0.0 (no valid interface found)
When it runs in VTP 1 mode, to block or disable VTP advertisements from being
forwarded or received by the switch, change the VTP mode to transparent on
both switches. Once you do that, try creating a VLAN on SW1; on SW2, that VLAN
will not show up at all.
When done using a VLAN access-map, well, the solution, from a theoretical
standpoint, appears to be 100% correct. When you look at the 3550 config
guide, here is what it says:
"................you can not enforce vlan maps on traffic between hosts on
hub or another switch connected to this switch".
If the question or scenario asks that there should not be VTP traffic flowing
between two switches, the right answer is "VTP transparent mode", not VLAN
access-maps. VLAN access-maps are created for security purposes and should
not be used to block traffic between switches. That is my humble opinion.
Having said that, if it is asked that a particular traffic should not flow
through a VLAN, then VLAN access-maps make more sense.
Thx....
>From: Pat Chui <cui666@gmail.com>
>Reply-To: Pat Chui <cui666@gmail.com>
>To: Group Study <ccielab@groupstudy.com>
>Subject: Re: blocking VTP traffic - mac addr list
>Date: Thu, 21 Apr 2005 14:38:32 -0700
>
>Tim,
>I found it on CCO (not on Doc-CD though), and here is the URL; btw, a
>great white paper for L2 switching:
>
>http://cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml
>
>I don't know if there is a best way to memorize it, but "show
>mac-address-table static" on cat3550 can help you locate the ones that
>Cisco used for protocols like DTP, VTP, etc. If you are familiar
>with the chart below and know the patterns, you should be able to
>identify them when required.
>
>Cheers,
>Pat
>
>On 4/21/05, ccie2be <ccie2be@nyc.rr.com> wrote:
> > Hey Pat,
> >
> > Thanks. What a great list to have.
> >
> > Where did you find this list? Did you create it? If so, how?
> >
> > I'm not aware of such a list existing on the Doc-CD. If you had to find any
> > of this info during the lab, what would you do assuming you don't have this
> > info memorized?
> >
> > Thanks again, Tim
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Pat Chui
> > Sent: Thursday, April 21, 2005 3:49 PM
> > To: ccielab@groupstudy.com
> > Subject: Re: blocking VTP traffic
> >
> > here is a complete list:
> >
> > Feature                               SNAP HDLC Protocol Type   Dest. Mcast MAC
> > Port Aggregation Protocol (PAgP)      0x0104                    01-00-0c-cc-cc-cc
> > Per-VLAN Spanning Tree + (PVST+)      0x010b                    01-00-0c-cc-cc-cd
> > VLAN bridge                           0x010c                    01-00-0c-cd-cd-ce
> > Unidirectional Link Detection (UDLD)  0x0111                    01-00-0c-cc-cc-cc
> > Cisco Discovery Protocol              0x2000                    01-00-0c-cc-cc-cc
> > Dynamic Trunking (DTP)                0x2004                    01-00-0c-cc-cc-cc
> > STP UplinkFast                        0x200a                    01-00-0c-cd-cd-cd
> > IEEE spanning tree 802.1d             N/A - DSAP 42 SSAP 42     01-80-c2-00-00-00
> > InterSwitch Link (ISL)                N/A                       01-00-0c-00-00-00
> > VLAN Trunk Protocol (VTP)             0x2003                    01-00-0c-cc-cc-cc
> > IEEE Pause 802.3x                     N/A - DSAP 81 SSAP 80     01-80-C2-00-00-00>0F
> >
> > On 4/21/05, James Ventre <messageboard@ventrefamily.com> wrote:
> > > >Also keep in mind that CDP and VTP will use the same D-MAC.
> > >
> > > To elaborate on this a bit more.
> > >
> > > SNAP Protocol Type:
> > > CDP = 0x2000
> > > VTP = 0x2003
> > > DTP = 0x2004
> > >
> > > James
> > >
> > > James Ventre wrote:
> > >
> > > I take it that the first entry is the one for vtp, right?
> > >
> > > In this instance yes, but don't count on that always being the case.
> > > That's why I suggest you just memorize it.
> > >
> > > Besides that entry are there any others that are special? Like STP?
> > > DTP? CDP? HSRP? etc.?
> > >
> > > 802.1d BPDU = 0180.c200.0000
> > > PVST BPDU (native vlan) = 0100.0ccc.cccd
> > >
> > > You can calculate the one for the tagged PVST vlan ID ... check CCO for
> > > that.
> > >
> > > I'm sure there are more - but I can't remember them off the top of my
> > > head.
> > >
> > > Also keep in mind that CDP and VTP will use the same D-MAC. You block
> > > one ..... and you might block the other - don't create your own "Rat
> > > Holes" :)
> > >
> > > James
> > >
> > > ccie2be wrote:
> > >
> > > Hey James,
> > >
> > > Thanks for showing us that table. I take it that the first entry is the
> > > one for vtp, right?
> > >
> > > Besides that entry are there any others that are special? Like STP? DTP?
> > > CDP? HSRP? etc.?
> > >
> > > Thanks again, Tim
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > James Ventre
> > > Sent: Thursday, April 21, 2005 12:39 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Re: blocking VTP traffic
> > >
> > > You'll have to remember something about it .... one way or another.
> > >
> > > It's either how you figure it out (memorize the command and what to look
> > > for) or just memorize the MAC. But you've got 2 options.
> > >
> > > 1. Remember that the multicast byte is turned on ... and the 2nd half is
> > > all c's.
> > >
> > > 2. Figure it out from the below list.
> > >
> > > SWITCH>sh mac-address-table vl 1
> > > Mac Address Table
> > > -------------------------------------------
> > >
> > > Vlan Mac Address Type Ports
> > > ---- ----------- -------- -----
> > > 1 0100.0ccc.cccc STATIC CPU
> > > 1 0100.0ccc.cccd STATIC CPU
> > > 1 0180.c200.0000 STATIC CPU
> > > 1 0180.c200.0001 STATIC CPU
> > > 1 0180.c200.0002 STATIC CPU
> > > 1 0180.c200.0003 STATIC CPU
> > > 1 0180.c200.0004 STATIC CPU
> > > 1 0180.c200.0005 STATIC CPU
> > > 1 0180.c200.0006 STATIC CPU
> > > 1 0180.c200.0007 STATIC CPU
> > > 1 0180.c200.0008 STATIC CPU
> > > 1 0180.c200.0009 STATIC CPU
> > > 1 0180.c200.000a STATIC CPU
> > > 1 0180.c200.000b STATIC CPU
> > > 1 0180.c200.000c STATIC CPU
> > > 1 0180.c200.000d STATIC CPU
> > > 1 0180.c200.000e STATIC CPU
> > > 1 0180.c200.000f STATIC CPU
> > > 1 0180.c200.0010 STATIC CPU
> > > 1 ffff.ffff.ffff STATIC CPU
> > >
> > > James
> > >
> > > ccie2be wrote:
> > >
> > > Hey James,
> > >
> > > Let's suppose for a moment, someone taking the lab couldn't remember that
> > > mac address.
> > >
> > > How would they find it out? Check the config guide?
> > >
> > > Thx, Tim
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > James Ventre
> > > Sent: Thursday, April 21, 2005 11:56 AM
> > > To: ccielab@groupstudy.com
> > > Subject: Re: blocking VTP traffic
> > >
> > > MAC ACL to block destination of: 01-00-0C-CC-CC-CC ??
> > >
> > > But on a lot of platforms MAC ACLs are only for NON IP traffic ... so
> > > be careful.
> > >
> > > James
> > >
> > > ccie2be wrote:
> > >
> > > Pankaj,
> > >
> > > I think the only way to do this would be by using a vlan acl.
> > >
> > > VTP traffic I believe is always carried in the management vlan which is
> > > vlan 1.
> > >
> > > The real issue I think is figuring out how to specify vtp traffic in the
> > > vlan map.
> > >
> > > Off-hand, I don't know how to specify vtp traffic but maybe there's a
> > > debug which could shine some light on this question.
> > >
> > > HTH, Tim
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Pankaj Madhukar Kulkarni
> > > Sent: Thursday, April 21, 2005 11:04 AM
> > > To: ccielab@groupstudy.com
> > > Subject: blocking VTP traffic
> > >
> > > Hi Group,
> > >
> > > If the question demands that all "VTP traffic should be blocked", does
> > > this require that both the switches be configured in the transparent
> > > mode???
> > >
> > > Regards,
> > >
> > > Pankaj K
> > >
> > >
> > _______________________________________________________________________
> > > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
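The protocol table and the MAC-table output quoted in this thread, turned into a small frame classifier as an added example (not code from anyone in the thread): it decodes the LLC/SNAP header to tell VTP from CDP and DTP, which all share destination MAC 01-00-0c-cc-cc-cc, and pulls the domain name and configuration revision out of a VTP summary advertisement, the two fields a defender would watch when checking for unexpected VTP on a port. The frame builder, source MAC and sample payloads are constructed here; the VTP summary layout (version, code, followers, domain length, 32-byte domain, 4-byte revision) is assumed from the protocol, not taken from the thread.

```python
import struct

# Destination multicast MACs and SNAP protocol IDs from the table quoted in
# this thread; Cisco control protocols carry OUI 00-00-0c in the SNAP header.
CISCO_MCAST = bytes.fromhex("01000ccccccc")
STP_MCAST = bytes.fromhex("0180c2000000")
CISCO_OUI = bytes.fromhex("00000c")
CISCO_SNAP_PIDS = {0x0104: "PAgP", 0x010b: "PVST+", 0x010c: "VLAN bridge",
                   0x0111: "UDLD", 0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
                   0x200a: "STP UplinkFast"}

def build_snap_frame(dst: bytes, pid: int, payload: bytes) -> bytes:
    """Construct an 802.3 frame with an LLC/SNAP header (sample input only)."""
    src = bytes.fromhex("0000000000a1")             # constructed source MAC
    body = bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body

def classify(frame: bytes) -> str:
    """Name the control protocol in an 802.3/LLC frame, or 'other'."""
    dst, length = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or len(frame) < 22:            # Ethernet II or truncated
        return "other"
    dsap, ssap = frame[14], frame[15]
    if dst == STP_MCAST and dsap == 0x42 and ssap == 0x42:
        return "IEEE 802.1d STP"
    if dsap == 0xAA and ssap == 0xAA and frame[17:20] == CISCO_OUI:
        pid = struct.unpack("!H", frame[20:22])[0]
        return CISCO_SNAP_PIDS.get(pid, "Cisco SNAP 0x%04x" % pid)
    return "other"

def vtp_summary(frame: bytes):
    """Decode domain and config revision from a VTP summary advertisement."""
    if classify(frame) != "VTP":
        return None
    p = frame[22:]              # VTP header follows the 8-byte LLC/SNAP header
    if len(p) < 40 or p[1] != 0x01:   # code 1 = summary (2 subset, 3 request)
        return None
    domain = p[4:4 + p[3]].decode("ascii", "replace")
    revision = struct.unpack("!I", p[36:40])[0]
    return {"version": p[0], "domain": domain, "revision": revision}

def mac_only_filter_hits(frames):
    """What a MAC ACL on 01-00-0c-cc-cc-cc alone would catch: every protocol."""
    return [classify(f) for f in frames if f[:6] == CISCO_MCAST]

# Constructed samples: a VTP summary advert and a CDP frame to the same MAC.
VTP_PAYLOAD = bytes([2, 1, 0, 5]) + b"VTP09".ljust(32, b"\0") + struct.pack("!I", 3)
VTP_FRAME = build_snap_frame(CISCO_MCAST, 0x2003, VTP_PAYLOAD + bytes(32))
CDP_FRAME = build_snap_frame(CISCO_MCAST, 0x2000, bytes([2, 180]) + bytes(10))
```

Running `mac_only_filter_hits([VTP_FRAME, CDP_FRAME])` returns both protocols, which is the "rat hole" James warns about; `classify` separates them on the SNAP protocol ID.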
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:06 GMT-3