RE: Blocking VTP traffic

From: Keane, James (James.Keane@agriculture.gov.ie)
Date: Fri Apr 22 2005 - 11:04:05 GMT-3


I have to agree with boby2kusa

You need to look at the question, and once you know about VTP transparent, in that:

1) VTP is disabled (on that switch)
2) The switch does not send VTP updates
3) Does not act on VTP updates received from other switches
4) Forwards 'received' VTP advertisements on its trunk links.

Remember that if you stop 0100.000c.cccc outbound
that also kills DTP as it uses the same mac address (on VLAN1)

So if the question was along the lines ..

Question 1.1
prevent DTP and VTP updates that are received from other
switches being propagated out the trunk port fast 0/13

you would be thinking stopping that Mac

Question 1.2
Prevent all local VTP traffic exiting trunk links

would be VTP Transparent

I have attempted the lab; while I wouldn't disclose content (it would devalue the very goal I seek),
I believe I am allowed to say that the questions are clearly defined and fair.
If you know your technologies 100%, then there is no ambiguity.

If you only knew that VTP transparent mode is used for introducing old switches and
test-lab switches and won't update your VTP domain (from the written), then questions 1.1 and 1.2
would have you racing for the doc CD, wasting time and undermining your confidence !!!

Thanks to all for the very complete analysis of VTP transparent !!

James

***

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: 22 April 2005 12:57
To: 'boby2kusa'; Todd.Osterberg@compucom.com; ccielab@groupstudy.com
Subject: RE: Blocking VTP traffic

You are absolutely correct that using an acl to block vtp doesn't make any
sense in the real world. But, like it or not, the Cisco lab doesn't care
about configurations that are "real world" or best practices.

This isn't the issue.

The original question was about how to block vtp, not how to disable vtp.

While the effect may be the same, the implementation is different.
Depending on the exact wording of the task, disabling vtp might not be an
acceptable option.

Just my .02 worth.

Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
boby2kusa
Sent: Friday, April 22, 2005 1:55 AM
To: Todd.Osterberg@compucom.com; ccielab@groupstudy.com
Subject: Re: Blocking VTP traffic

Is everyone serious about creating a mac access list to block VTP????? VTP
Transparent does NOT send VTP advertisements and it ignores any received VTP
advertisement as well. If you do not believe me, make one a server and the
other transparent and see if the vlan database is exchanged.

The thought process here is not logical: why would you configure both as
servers and have both switches exchange the vlan database through VTP, and
then block it so they don't exchange the vlan database? It does not make sense and
it's NOT applied in the real world.

And look at this:
***
Disabling VTP (VTP Transparent Mode)

When you configure the switch for VTP transparent mode, VTP is disabled on
the switch. The switch does not send VTP updates and does not act on VTP
updates received from other switches. However, a VTP transparent switch
running VTP version 2 does forward received VTP advertisements on its trunk
links.
***

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swvtp.htm#wp1035326

----- Original Message -----
From: <Todd.Osterberg@compucom.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, April 21, 2005 2:55 PM
Subject: re: Blocking VTP traffic

> So, I lab'd up this discussion (config below) and didn't get the desired
> results.
>
> sw1 (gig0/1) ------ sw2 (gig0/1)
>
> Both switches are set to vtp server w/ vtp domain name of cisco. Once the
> initial config was done, I then created vlans on each switch to test that VTP
> was working properly. Once this was happy, I applied the mac access-group to
> sw1. I then created more vlans on sw2 and they were propagated to sw1. I've
> tried using the hex value and decimal value for the vtp ethertype but vtp
> is still propagating. I've also tried using the 0100.000c.cccc
> destination mac with the same results. Any ideas what I am missing?
>
> TIA,
>
> Todd
>
>
> sw1
> ------
> mac access-list extended block-vtp
> deny any any 0x2003 0x0
> permit any any
>
> interface GigabitEthernet0/1
> mac access-group block-vtp in
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
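As an added example (not from anyone in this thread), this Python decoder builds constructed VTP and DTP frames and shows what each kind of MAC ACL match actually sees: 0x2003 is the SNAP protocol ID behind an 802.3 length field, not an EtherType, while the 01:00:0c:cc:cc:cc destination is shared with DTP and CDP, which is why a destination-MAC deny also affects DTP as James notes. The source MAC, revision number and DTP payload are constructed, and the two deny functions are simplified models of an ACL match, not IOS behaviour.

```python
import struct

# Cisco control protocols that share the multicast destination 01:00:0c:cc:cc:cc,
# distinguished only by the SNAP protocol ID behind the LLC header.
CISCO_MCAST = bytes.fromhex("01000ccccccc")
CISCO_OUI = bytes.fromhex("00000c")
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}

def build_cisco_snap_frame(pid: int, payload: bytes, src=bytes.fromhex("0011223344aa")) -> bytes:
    """Constructed 802.3 frame: length field, LLC (AA AA 03), SNAP (OUI 00000c + PID), payload."""
    llc_snap = bytes([0xAA, 0xAA, 0x03]) + CISCO_OUI + struct.pack("!H", pid)
    return CISCO_MCAST + src + struct.pack("!H", len(llc_snap) + len(payload)) + llc_snap + payload

def build_vtp_summary(domain: str, revision: int) -> bytes:
    """Constructed VTP v2 summary advertisement: version, code 1, followers, domain name (32 bytes),
    config revision, then zeroed updater identity (4), timestamp (12) and MD5 digest (16)."""
    body = bytes([2, 1, 0, len(domain)]) + domain.encode().ljust(32, b"\x00")
    body += struct.pack("!I", revision) + bytes(4 + 12 + 16)
    return build_cisco_snap_frame(0x2003, body)

def parse_frame(frame: bytes) -> dict:
    """Return the fields a MAC ACL can see: dst, type/length, and the SNAP PID if 802.3-encapsulated."""
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6], "src": frame[6:12], "type_or_len": type_or_len, "proto": "other", "payload": b""}
    # Values <= 1500 are an 802.3 length, not an EtherType; the protocol ID then lives in the SNAP header.
    if type_or_len <= 1500 and frame[14:17] == b"\xaa\xaa\x03" and frame[17:20] == CISCO_OUI:
        pid = struct.unpack("!H", frame[20:22])[0]
        info["proto"] = SNAP_PIDS.get(pid, "other")
        info["payload"] = frame[22:14 + type_or_len]
    return info

def vtp_summary(payload: bytes) -> dict:
    """Decode the fixed header of a VTP summary advertisement."""
    version, code, followers, dlen = payload[:4]
    return {"version": version, "code": code, "followers": followers,
            "domain": payload[4:4 + dlen].decode(), "revision": struct.unpack("!I", payload[36:40])[0]}

def denied_by_ethertype(frame: bytes, ethertype: int) -> bool:
    """Simplified model of 'deny any any <ethertype> 0x0': compares the type/length field only."""
    return parse_frame(frame)["type_or_len"] == ethertype

def denied_by_dest_mac(frame: bytes, mac: bytes) -> bool:
    """Simplified model of a destination-MAC deny: hits every protocol sharing that multicast address."""
    return parse_frame(frame)["dst"] == mac

if __name__ == "__main__":
    vtp = build_vtp_summary("cisco", 7)            # constructed; domain name taken from the thread
    dtp = build_cisco_snap_frame(0x2004, b"\x01")  # constructed placeholder DTP payload
    for f in (vtp, dtp):
        p = parse_frame(f)
        print(p["proto"], "ethertype 0x2003 deny:", denied_by_ethertype(f, 0x2003),
              "dest-MAC deny:", denied_by_dest_mac(f, CISCO_MCAST))
    print(vtp_summary(parse_frame(vtp)["payload"]))
```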



This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:06 GMT-3