From: Keane, James (James.Keane@agriculture.gov.ie)
Date: Fri Apr 22 2005 - 12:20:31 GMT-3
Then you would be blocking locally generated VTP updates to 'all' trunk ports and blocking DTP to 0/13,
which I think would lose marks.
I don't believe you can set VTP modes on an interface basis.
-----Original Message-----
From: Gajewski Mariusz [mailto:Mariusz.Gajewski@telekomunikacja.pl]
Sent: 22 April 2005 15:38
To: ccielab@groupstudy.com
Subject: RE: Blocking VTP traffic
Hi all,
if the question really goes like: prevent DTP and VTP updates that are
received from other switches being propagated out the trunk port fast 0/13,
then, following the previous posts, we could set vtp v1 transparent (only
ver.2 sends vtp updates as doc-cd says), which should stop vtp updates, and
switch nonegotiate, which should block DTP, right? Should we block that
address in addition?
Mariusz
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Keane, James
Sent: Friday, April 22, 2005 4:04 PM
To: ccie2be; boby2kusa; Todd.Osterberg@compucom.com; ccielab@groupstudy.com
Subject: RE: Blocking VTP traffic
I have to agree with boby2kusa
You need to look at the question and once you know about VTP transparent in that
1) VTP is disabled (on that switch)
2) The switch does not send VTP updates
3) Does not act on VTP updates received from other switches
4) Forwards 'received' VTP advertisements on its trunk links.
Remember that if you stop 0100.000c.cccc outbound,
that also kills DTP as it uses the same MAC address (on VLAN1).
So if the question was along the lines ..
Question 1.1
Prevent DTP and VTP updates that are received from other switches being
propagated out the trunk port fast 0/13
you would be thinking stopping that MAC.
Question 1.2
Prevent all local VTP traffic exiting trunk links
would be VTP Transparent.
I have attempted the lab; while I wouldn't disclose content (devalue the very
goal I seek), I believe I am allowed to say that the questions are clearly
defined and fair. If you know your technologies 100% then there is no ambiguity.
If you only knew that VTP transparent mode is used for introducing old
switches and testlab switches and won't update your VTP domain (from the
written) then questions 1.1 and 1.2 would have you racing for the doc CD /
wasting time and undermining your confidence !!!
Thanks to all for the very complete analysis of VTP transparent !!
James
***
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: 22 April 2005 12:57
To: 'boby2kusa'; Todd.Osterberg@compucom.com; ccielab@groupstudy.com
Subject: RE: Blocking VTP traffic
You are absolutely correct that using an acl to block vtp doesn't make any
sense in the real world. But, like it or not, the Cisco lab doesn't care
about configurations that are "real world" or best practices.
This isn't the issue.
The original question was about how to block vtp, not how to disable vtp.
While the effect may be the same, the implementation is different. Depending
on the exact wording of the task, disabling vtp might not be an acceptable
option.
Just my .02 worth.
Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
boby2kusa
Sent: Friday, April 22, 2005 1:55 AM
To: Todd.Osterberg@compucom.com; ccielab@groupstudy.com
Subject: Re: Blocking VTP traffic
Is everyone serious about creating a mac access list to block VTP????? VTP
Transparent does NOT send VTP advertisements and it ignores any received VTP
advertisement as well. If you do not believe me, make one a server and the
other transparent and see if the vlan database is exchanged.
The thought process here is not logical: why would you configure both as a
server and have both switches exchange the vlan database through VTP and
then block it so they do not exchange the vlan database? It does not make
sense and it's NOT applied in the real world.
And look at this:
***
Disabling VTP (VTP Transparent Mode)
When you configure the switch for VTP transparent mode, VTP is disabled on
the switch. The switch does not send VTP updates and does not act on VTP
updates received from other switches. However, a VTP transparent switch
running VTP version 2 does forward received VTP advertisements on its trunk
links.
***
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swvtp.htm#wp1035326
----- Original Message -----
From: <Todd.Osterberg@compucom.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, April 21, 2005 2:55 PM
Subject: re: Blocking VTP traffic
> So, I lab'd up this discussion (config below) and didn't get the
> desired results.
>
> sw1 (gig0/1) ------ sw2 (gig0/1)
>
> Both switches are set to vtp server w/ vtp domain name of cisco. Once
> the initial config was done, I then created vlans on each switch to
> test that VTP was working properly. Once this was happy, I applied the
> mac access-group to sw1. I then created more vlans on sw2 and they were
> propagated to sw1. I've tried using the hex value and decimal value for
> the vtp ethertype but vtp is still propagating. I've also tried using
> the 0100.000c.cccc destination mac with the same results. Any ideas
> what I am missing?
>
> TIA,
>
> Todd
>
>
> sw1
> ------
> mac access-list extended block-vtp
>  deny any any 0x2003 0x0
>  permit any any
>
> interface GigabitEthernet0/1
>  mac access-group block-vtp in
>
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:07 GMT-3
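
Added example (not from any poster in this thread): a Python model of the point made above that a filter on the shared Cisco multicast destination catches DTP along with VTP, while a match on protocol type 0x2003 selects VTP alone. The frames are constructed samples, the address is written in its standard form 0100.0ccc.cccc, the CDP (0x2000) and DTP (0x2004) type values are standard values not given in the thread, and the code models only which frames each criterion selects, not how a particular switch applies a port ACL to them.

```python
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")  # 0100.0ccc.cccc in Cisco dotted form
CISCO_OUI = bytes.fromhex("00000c")
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}

def build_snap_frame(pid, dst=CISCO_MCAST):
    """Constructed sample frame: 802.3 length, LLC AA-AA-03, SNAP OUI + PID."""
    src = bytes.fromhex("020000000001")      # made-up source address
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + b"\x00" * 8
    return dst + src + struct.pack("!H", len(body)) + body

def snap_pid(frame):
    """Return the SNAP PID of a Cisco LLC/SNAP frame, or None for anything else."""
    if len(frame) < 22:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:                        # EtherType field: Ethernet II, no LLC
        return None
    if frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI:
        return None
    return struct.unpack("!H", frame[20:22])[0]

def name(frame):
    return SNAP_PIDS.get(snap_pid(frame), "other")

def dropped_by_mac_rule(frames):
    """Match on destination MAC only, as in the 'stop that MAC' approach."""
    return [name(f) for f in frames if f[:6] == CISCO_MCAST]

def dropped_by_pid_rule(frames, pid=0x2003):
    """Match on the protocol type value (0x2003 in the thread's ACL)."""
    return [name(f) for f in frames if snap_pid(f) == pid]

# Constructed capture: three control frames plus one ordinary IPv4 frame.
IPV4 = bytes.fromhex("020000000002" "020000000001" "0800") + b"\x00" * 20
SAMPLES = [build_snap_frame(0x2000), build_snap_frame(0x2003),
           build_snap_frame(0x2004), IPV4]

if __name__ == "__main__":
    print("dst-MAC rule drops:", dropped_by_mac_rule(SAMPLES))
    print("PID 0x2003 rule drops:", dropped_by_pid_rule(SAMPLES))
```

The destination-MAC rule also selects CDP, which shares the same address, so a filter written that way affects more than the two protocols named in the task.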