From: Bart Van Kildonck (bartvankildonck@gmail.com)
Date: Fri Apr 22 2005 - 13:29:01 GMT-3
Hi,
What you can do to disable forwarding of VTP traffic on e.g. SW2:
SW1: vtp version 2
SW2: vtp version 1 + vtp mode transparent
SW2 will check the version and domain of the VTP messages received from
SW1, will see a mismatch with its own configuration, and will NOT forward
them out of its trunk links.
On CCO:
In VTP version 1, a VTP transparent switch inspects VTP messages for
the domain name and version, and forwards a message only if the
version and domain name match. Because only one domain is supported in
the supervisor engine software, VTP version 2 forwards VTP messages in
transparent mode, without checking the version.
rgds,
bvk
On 4/22/05, Keane, James <James.Keane@agriculture.gov.ie> wrote:
> Then you would be blocking locally generated VTP updates to 'all' trunk ports and blocking DTP to 0/13,
> which I think would lose marks.
>
> I don't believe you can set VTP modes on an interface basis.
>
>
> -----Original Message-----
> From: Gajewski Mariusz [mailto:Mariusz.Gajewski@telekomunikacja.pl]
> Sent: 22 April 2005 15:38
> To: ccielab@groupstudy.com
> Subject: RE: Blocking VTP traffic
>
> Hi all,
> if the question really goes like: prevent DTP and VTP updates that are
> received from other switches being propagated out the trunk port fast 0/13,
> then following the previous posts, we could set vtp v1 transparent (only
> ver.2 sends vtp updates as doc-cd says) which should stop vtp updates, and
> switchport nonegotiate which should block DTP, right? Should we block that
> address in addition?
>
> Mariusz
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Keane, James
> Sent: Friday, April 22, 2005 4:04 PM
> To: ccie2be; boby2kusa; Todd.Osterberg@compucom.com; ccielab@groupstudy.com
> Subject: RE: Blocking VTP traffic
>
> I have to agree with boby2kusa
>
> You need to look at the question, and once you know about VTP transparent,
> in that:
>
> 1) VTP is disabled (on that switch)
> 2) The switch does not send VTP updates
> 3) Does not act on VTP updates received from other switches
> 4) Forwards 'received' VTP advertisements on its trunk links.
>
> Remember that if you stop 0100.000c.cccc outbound,
> that also kills DTP as it uses the same mac address (on VLAN1).
>
> So if the question was along the lines ..
>
> Question 1.1
> prevent DTP and VTP updates that are received from other switches being
> propagated out the trunk port fast 0/13
>
> you would be thinking stopping that Mac
>
> Question 1.2
> Prevent all local VTP traffic exiting trunk links
>
> would be VTP Transparent
>
> I have attempted the lab, and while I wouldn't disclose content (it would
> devalue the very goal I seek), I believe I am allowed to say that the
> questions are clearly defined and fair; if you know your technologies 100%
> then there is no ambiguity.
>
> If you only knew that VTP transparent mode is used for introducing old
> switches and testlab switches and won't update your VTP domain (from the
> written), then questions 1.1 and 1.2 would have you racing for the doc CD /
> wasting time and undermining your confidence !!!
>
> Thanks to all for the very complete analysis of VTP transparent !!
>
> James
>
> ***
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: 22 April 2005 12:57
> To: 'boby2kusa'; Todd.Osterberg@compucom.com; ccielab@groupstudy.com
> Subject: RE: Blocking VTP traffic
>
> You are absolutely correct that using an acl to block vtp doesn't make any
> sense in the real world. But, like it or not, the Cisco lab doesn't care
> about configurations that are "real world" or best practices.
>
> This isn't the issue.
>
> The original question was about how to block vtp, not how to disable vtp.
>
> While the effect may be the same, the implementation is different. Depending
> on the exact wording of the task, disabling vtp might not be an acceptable
> option.
>
> Just my .02 worth.
>
> Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> boby2kusa
> Sent: Friday, April 22, 2005 1:55 AM
> To: Todd.Osterberg@compucom.com; ccielab@groupstudy.com
> Subject: Re: Blocking VTP traffic
>
> is everyone serious about creating a mac access list to block VTP????? VTP
> Transparent does NOT send VTP advertisements and it ignores any received VTP
> advertisement as well. If you do not believe me, make one a server and the
> other transparent and see if the vlan database is exchanged.
>
> The thought process here is not logical: why would you configure both as
> servers and have both switches exchange the vlan database through VTP, and
> then block it so they do not exchange the vlan database? It does not make
> sense and it's NOT applied in the real world.
>
> And look at this:
> ***
> Disabling VTP (VTP Transparent Mode)
>
> When you configure the switch for VTP transparent mode, VTP is disabled on
> the switch. The switch does not send VTP updates and does not act on VTP
> updates received from other switches. However, a VTP transparent switch
> running VTP version 2 does forward received VTP advertisements on its trunk
> links.
> ***
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swvtp.htm#wp1035326
>
> ----- Original Message -----
> From: <Todd.Osterberg@compucom.com>
> To: <ccielab@groupstudy.com>
> Sent: Thursday, April 21, 2005 2:55 PM
> Subject: re: Blocking VTP traffic
>
> > So, I lab'd up this discussion (config below) and didn't get the
> > desired results.
> >
> > sw1 (gig0/1) ------ sw2 (gig0/1)
> >
> > Both switches are set to vtp server w/ vtp domain name of cisco. Once
> > the initial config was done, I then created vlans on each switch to
> > test that VTP was working properly. Once this was happy, I applied the
> > mac access-group to sw1. I then created more vlans on sw2 and they were
> > propagated to sw1. I've tried using the hex value and decimal value for
> > the vtp ethertype but VTP is still propagating. I've also tried using
> > the 0100.000c.cccc destination mac with the same results. Any ideas
> > what I am missing?
> >
> > TIA,
> >
> > Todd
> >
> >
> > sw1
> > ------
> > mac access-list extended block-vtp
> > deny any any 0x2003 0x0
> > permit any any
> >
> > interface GigabitEthernet0/1
> > mac access-group block-vtp in
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
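Added example (not from any post in this thread or from Cisco): a small Python model of the forwarding rule quoted from CCO at the top. It parses the fixed VTP header (version, code, followers, domain-name length, 32-byte padded domain name) and decides whether a transparent-mode switch would relay a received advertisement on its other trunks; the frame bytes, the domain name "cisco" and all function names are constructed for this example.

```python
"""Model of the VTP transparent-mode forwarding decision discussed in the thread.

Constructed example. The rule applied is the one quoted from CCO: a transparent
switch running VTP version 1 relays an advertisement only if its version and
domain name match the switch's own; a transparent switch running VTP version 2
relays without checking either field.
"""
import struct

# Fixed VTP header: version, code, followers, mgmt-domain length, 32-byte domain
VTP_HEADER = struct.Struct("!BBBB32s")
SUMMARY_ADVERT = 0x01  # VTP summary-advertisement code


def build_vtp_summary(version: int, domain: str) -> bytes:
    """Build a constructed VTP summary-advertisement header (sample input only)."""
    name = domain.encode("ascii")
    if len(name) > 32:
        raise ValueError("VTP domain names are at most 32 bytes")
    return VTP_HEADER.pack(version, SUMMARY_ADVERT, 0, len(name), name.ljust(32, b"\x00"))


def parse_vtp_header(frame: bytes) -> tuple[int, int, str]:
    """Return (version, code, domain) from the first 36 bytes of a VTP payload."""
    if len(frame) < VTP_HEADER.size:
        raise ValueError("truncated VTP header")
    version, code, _followers, dlen, raw = VTP_HEADER.unpack_from(frame)
    if dlen > 32:
        raise ValueError("invalid management-domain length")
    return version, code, raw[:dlen].decode("ascii", errors="replace")


def transparent_forwards(local_version: int, local_domain: str, frame: bytes) -> bool:
    """Decide whether a transparent-mode switch relays this VTP frame on its trunks."""
    if local_version == 2:
        # VTP v2 transparent: relays every VTP frame, no version/domain check.
        return True
    version, _code, domain = parse_vtp_header(frame)
    # VTP v1 transparent: relays only when both version and domain match its own.
    return version == local_version and domain == local_domain


if __name__ == "__main__":
    # The suggestion at the top of the thread: SW1 runs v2, SW2 is v1 transparent.
    advert_from_sw1 = build_vtp_summary(2, "cisco")
    print("SW2 relays SW1's advert:", transparent_forwards(1, "cisco", advert_from_sw1))
```

With SW1 at version 2 and SW2 at version 1 transparent in domain cisco, the decision is False, i.e. SW2 does not relay SW1's advertisement, while the same SW2 at version 2 transparent would relay it.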
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:55:07 GMT-3