From: Ivan (ivan@iip.net)
Date: Mon Oct 30 2006 - 14:36:59 ART
Please send the sh dtp int f0/xxx output.
On my switch, all commands show DTP negotiation disabled with switchport
nonegotiate:
Giga-TCSS#sh run int g0/15
Building configuration...
Current configuration : 291 bytes
!
interface GigabitEthernet0/15
description laguna
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-216,218-316,318-4094
switchport mode trunk
switchport nonegotiate
no keepalive
mls qos cos 1
mls qos cos override
no mdix auto
spanning-tree portfast trunk
end
Giga-TCSS#sh dtp int
Giga-TCSS#sh dtp interface g0/15 | i thern|NONE
DTP information for GigabitEthernet0/15:
TOS/TAS/TNS: TRUNK/NONEGOTIATE/TRUNK
Giga-TCSS#sh int g0/15 sw
Giga-TCSS#sh int g0/15 switc | i Negot
Negotiation of Trunking: Off
On Monday 30 October 2006 18:37, Jay Hanke wrote:
> I did that; here is the config from interface fa0/1. I forgot to include
> the config on my last email.
>
> interface FastEthernet0/1
> switchport access vlan 2
> switchport mode access
> switchport nonegotiate
> no ip address
> end
>
> fa0/9 has no switchport set. My understanding is that if switchport
> nonegotiate is set the interface should not be counted under show dtp or
> show up under sho dtp interface. I wonder if it is an IOS bug. Has
> anyone tried this on a more current IOS?
>
> Jay
>
> ________________________________
>
> From: Adam Frederick [mailto:AFrederick@homefederalbank.com]
> Sent: Monday, October 30, 2006 9:19 AM
> To: Jay Hanke
> Subject: RE: Disabling VTP/DTP
>
>
>
> Yep, looks like you only have DTP disabled on Port 9, so all other ports
> are still passing DTP traffic. You need to do an interface range on all
> ports and enter switchport nonegotiate and see what happens from there.
>
>
>
> This should stop those messages from updating. I don't have spare
> switches to test on so please let me know!!!
>
>
>
> ________________________________
>
> From: Jay Hanke [mailto:Jay.Hanke@midwestwireless.com]
> Sent: Monday, October 30, 2006 10:14 AM
> To: Adam Frederick
> Subject: RE: Disabling VTP/DTP
>
>
>
> Should the count decrease on the show dtp when dtp is disabled on an
> interface?
>
> CAT2#sho int switchport
> Name: Fa0/1
> Switchport: Enabled
> Administrative Mode: static access
> Operational Mode: static access
> Administrative Trunking Encapsulation: negotiate
> Operational Trunking Encapsulation: native
> Negotiation of Trunking: Off
> Access Mode VLAN: 2 (VLAN0002)
> Trunking Native Mode VLAN: 1 (default)
> Voice VLAN: none
> Administrative private-vlan host-association: none
> Administrative private-vlan mapping: none
> Administrative private-vlan trunk native VLAN: none
> Administrative private-vlan trunk encapsulation: dot1q
> Administrative private-vlan trunk normal VLANs: none
> Administrative private-vlan trunk private VLANs: none
> Operational private-vlan: none
> Trunking VLANs Enabled: ALL
> Pruning VLANs Enabled: 2-1001
> Capture Mode Disabled
> Capture VLANs Allowed: ALL
> Protected: false
> Unknown unicast blocked: disabled
> Unknown multicast blocked: disabled
>
> Appliance trust: none
>
> CAT2#sho dtp interface
> DTP information for FastEthernet0/1:
> TOS/TAS/TNS: ACCESS/OFF/ACCESS
> TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE
> Neighbor address 1: 000000000000
> Neighbor address 2: 000000000000
> Hello timer expiration (sec/state): never/STOPPED
> Access timer expiration (sec/state): never/STOPPED
> Negotiation timer expiration (sec/state): never/STOPPED
> Multidrop timer expiration (sec/state): never/STOPPED
> FSM state: S1:OFF
> # times multi & trunk 0
> Enabled: no
> In STP: no
>
> Statistics
> ----------
> 0 packets received (0 good)
> 0 packets dropped
> 0 nonegotiate, 0 bad version, 0 domain mismatches,
> 0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
> 0 packets output (0 good)
> 0 native, 0 software encap isl, 0 isl hardware native
> 0 output errors
>
> CAT2#sho dtp
> Global DTP information
> Sending DTP Hello packets every 30 seconds
> Dynamic Trunk timeout is 300 seconds
> 23 interfaces using DTP
>
> CAT2#sh dtp int | inc Fast
> DTP information for FastEthernet0/1:
> DTP information for FastEthernet0/2:
> DTP information for FastEthernet0/3:
> DTP information for FastEthernet0/4:
> DTP information for FastEthernet0/5:
> DTP information for FastEthernet0/6:
> DTP information for FastEthernet0/7:
> DTP information for FastEthernet0/8:
> DTP information for FastEthernet0/10:
> DTP information for FastEthernet0/11:
> DTP information for FastEthernet0/12:
> DTP information for FastEthernet0/13:
> DTP information for FastEthernet0/14:
> DTP information for FastEthernet0/15:
> DTP information for FastEthernet0/16:
> DTP information for FastEthernet0/17:
> DTP information for FastEthernet0/18:
> DTP information for FastEthernet0/19:
> DTP information for FastEthernet0/20:
> DTP information for FastEthernet0/21:
> DTP information for FastEthernet0/22:
> DTP information for FastEthernet0/23:
> DTP information for FastEthernet0/24:
> CAT2#
>
> ________________________________
>
> From: Adam Frederick [mailto:AFrederick@homefederalbank.com]
> Sent: Monday, October 30, 2006 8:26 AM
> To: Jay Hanke
> Subject: RE: Disabling VTP/DTP
>
>
>
> Jay;
>
>
>
> It is my understanding, whether it is a switchport or a trunk port,
> "switchport nonegotiate" will disable the sending of DTP frames. I'm
> looking forward to input from other members on this one. One final
> word, if you do a "show interface fa0/0 switchport", it should show
> whether or not dynamic negotiation is enabled.
>
>
>
> HTH
>
> Adam
>
>
>
> ________________________________
>
> From: nobody@groupstudy.com on behalf of Jay Hanke
> Sent: Mon 10/30/2006 9:12 AM
> To: Godswill Oletu; Scott Smith
> Cc: Victor Cappuccio; Jordan Gottlieb; CharlesB; Adam Frederick;
> ccielab@groupstudy.com
> Subject: RE: Disabling VTP/DTP
>
> If I understand correctly switchport nonegotiate (and set to access)
> should turn off DTP on the port. I tried this on a 3550 (Version
> 12.1(19)EA1a) but when I do a show dtp or show dtp interface the
> interfaces still show up in the count or in the list respectively. If I
> do a no switchport on the interface it is removed.
>
> Does switchport nonegotiate turn off dtp for the interface or do I need
> to do something in addition? Also, is the proper way to verify that DTP
> is off to use show dtp interface?
>
> Thanks,
>
> Jay
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Godswill Oletu
> Sent: Monday, October 16, 2006 7:59 PM
> To: Scott Smith
> Cc: Victor Cappuccio; Jordan Gottlieb; CharlesB; Adam Frederick;
> ccielab@groupstudy.com
> Subject: Re: Disabling VTP
>
> Scott,
>
> All that the text of that book you paraphrased is saying is that there is
> no magical command like 'no vtp' or the like to disable VTP. If you can do
> something else that will result in the absence or non-operation of VTP that
> is likened to disabling it, then you have essentially disabled it, and
> enabling transparent mode will do that.
>
>
> Godswill Oletu
> CCIE #16464 (R&S).
>
>
> ----- Original Message -----
> From: "Scott Smith" <hioctane@gmail.com>
> To: "Godswill Oletu" <oletu@inbox.lv>
> Cc: "Victor Cappuccio" <cvictor@protokolgroup.com>; "Jordan Gottlieb"
> <thelieber@gmail.com>; "CharlesB" <cbalik@adelphia.net>; "Adam
> Frederick"
> <AFrederick@homefederalbank.com>; <ccielab@groupstudy.com>
> Sent: Monday, October 16, 2006 9:41 AM
> Subject: Re: Disabling VTP
>
> > A paraphrased quote from Cisco LAN Switching.
> >
> > "you cannot disable VTP, the only option is to use transparent mode"
> >
> > So if the task is only asking for you to disable VTP and DTP isn't
> > mentioned I would use transparent mode and not mess with DTP. Just my
> > .02 :-)
> >
> > --
> > Scott
> > CCIE #17040 (R&S)
> >
> > On 10/16/06, Godswill Oletu <oletu@inbox.lv> wrote:
> > > As Victor has stated, setting the trunking mode to 'nonegotiate' and
> > > configuring VTP transparent mode is the best option. There has been a
> > > thread on this in the past, check the archives.
> > >
> > > Filtering with an ACL at best will only prevent VTP from working, it
> > > will not disable it.
> > >
> > > HTH
> > >
> > > Godswill Oletu
> > > CCIE #16464 (R&S)
> > >
> > >
> > > ----- Original Message -----
> > > From: "Victor Cappuccio" <cvictor@protokolgroup.com>
> > > To: "'Jordan Gottlieb'" <thelieber@gmail.com>; "'CharlesB'"
> > > <cbalik@adelphia.net>
> > > Cc: "'Adam Frederick'" <AFrederick@homefederalbank.com>;
> > > <ccielab@groupstudy.com>
> > > Sent: Monday, October 16, 2006 12:32 AM
> > > Subject: RE: Disabling VTP
> > >
> > > > Hi Erez, Congratulations on your Digits!!
> > > >
> > > > But back to the post.
> > > >
> > > > DTP has something to do with VTP.
> > > >
> > > > From the same link you sent, http://www.cisco.com/warp/public/473/21.html
> > > > says:
> > > > "
> > > > Dynamic Trunking Protocol (DTP) sends the VTP domain name in a DTP packet.
> > > > Therefore, if you have two ends of a link that belong to different VTP
> > > > domains, the trunk does not come up if you use DTP. In this special case,
> > > > you must configure the trunk mode as on or nonegotiate, on both sides, in
> > > > order to allow the trunk to come up without DTP negotiation agreement.
> > > > "
> > > >
> > > > I would agree with Adam here, in setting the Switch to Transparent to
> > > > avoid sending VTP Messages over the trunk ports.
> > > >
> > > > Please look at the following output in detail. I would not think that the
> > > > mac access-list idea could work, but I would test that out tomorrow with a
> > > > couple of real 3550, since I'm playing now with Dynamips with an IOS of a
> > > > 3640 with a NM-16ESW.
> > > >
> > > > Sw2(vlan)#vtp server
> > > > Setting device to VTP SERVER mode.
> > > > Sw2(vlan)#
> > > > *Mar 1 00:04:16.155: VTP LOG RUNTIME: Transmit vtp summary, domain CISCO, rev 0, followers 1
> > > > MD5 digest calculated = 00 31 17 6B 64 9D 1A 91 56 96 10 B4 FF 9D FC 23
> > > > Sw2(vlan)#vtp transparent
> > > > Setting device to VTP TRANSPARENT mode.
> > > > Sw2(vlan)#vtp server
> > > > Setting device to VTP SERVER mode.
> > > > Sw2(vlan)#
> > > > *Mar 1 00:04:39.855: VTP LOG RUNTIME: Transmit vtp summary, domain CISCO, rev 0, followers 1
> > > > MD5 digest calculated = 00 31 17 6B 64 9D 1A 91 56 96 10 B4 FF 9D FC 23
> > > > Sw2(vlan)#
> > > >
> > > > Please see that the time the first VTP Summary Message was sent out was
> > > > 00:4:16, and I configured the switch to be in VTP Transparent mode for a
> > > > short while and set it back to VTP Server. See the VTP summary now being
> > > > sent out (0.4.39)
> > > >
> > > > Congratulations again,
> > > > Regards,
> > > > Victor.-
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Jordan Gottlieb
> > > > Sent: Sunday, October 15, 2006 11:32 p.m.
> > > > To: CharlesB
> > > > Cc: Adam Frederick; ccielab@groupstudy.com
> > > > Subject: Re: Disabling VTP
> > > >
> > > > From http://www.cisco.com/warp/public/473/21.html "
> > > >
> > > > VTP packets are sent in either Inter-Switch Link (ISL) frames or in IEEE
> > > > 802.1Q (dot1q) frames. These packets are sent to the destination MAC
> > > > address 01-00-0C-CC-CC-CC with a logical link control (LLC) code of
> > > > Subnetwork Access Protocol (SNAP) (AAAA) and a type of 2003 (in the SNAP
> > > > header).
> > > >
> > > > You should be able to configure a Name MAC Extended ACL filter. (
> > > > http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1177176)
> > > > this on the respective port. I have not tried this...But I believe it
> > > > will probably work.
> > > >
> > > > I must caution people not to confuse DTP with VTP. The switchport
> > > > nonegotiate command is a DTP disable command (nothing to do with VTP).
> > > >
> > > > Hope this helps. BTW... I passed my lab a week ago this past Thursday in
> > > > San Jose. Hope this input (and future to come) helps repay some of the
> > > > benefit I have obtained from this board.
> > > >
> > > > Erez Jordan Gottlieb
> > > > CCIE #17010
> > > > > On 10/15/06, CharlesB <cbalik@adelphia.net> wrote:
> > > > > > I assume since VTP runs on the trunk ports, getting the interface out
> > > > > > of trunk mode would solve the issue.
> > > > > >
> > > > > > sw1#sh vtp cou
> > > > > > sw1#sh vtp counters
> > > > > > VTP statistics:
> > > > > > Summary advertisements received : 0
> > > > > > Subset advertisements received : 0
> > > > > > Request advertisements received : 0
> > > > > > Summary advertisements transmitted : 0
> > > > > > Subset advertisements transmitted : 0
> > > > > > Request advertisements transmitted : 0
> > > > > > Number of config revision errors : 0
> > > > > > Number of config digest errors : 0
> > > > > > Number of V1 summary errors : 0
> > > > > >
> > > > > >
> > > > > > VTP pruning statistics:
> > > > > >
> > > > > > Trunk            Join Transmitted Join Received    Summary advts received from
> > > > > >                                                    non-pruning-capable device
> > > > > > ---------------- ---------------- ---------------- ---------------------------
> > > > > > Fa0/13           0                0                0
> > > > > > Fa0/14           0                0                0
> > > > > > Fa0/15           0                0                0
> > > > > > Fa0/24           0                0                0------------------> check it out
> > > > > >
> > > > > > s1#interface FastEthernet0/24
> > > > > > switchport mode dynamic desirable
> > > > > >
> > > > > > Since it is in desirable mode, it negotiates the trunk status with the
> > > > > > other link, but if it is a switchport, the vtp counters do not list it
> > > > > > anymore.
> > > > > >
> > > > > > sw1(config)#inter fas0/24
> > > > > > sw1(config-if)#sw
> > > > > > sw1(config-if)#switchport mode acc
> > > > > > sw1(config-if)#end
> > > > > > sw1#sh
> > > > > > 10w2d: %SYS-5-CONFIG_I: Configured from console by conssh vtp counters
> > > > > > VTP statistics:
> > > > > > Summary advertisements received : 0
> > > > > > Subset advertisements received : 0
> > > > > > Request advertisements received : 0
> > > > > > Summary advertisements transmitted : 0
> > > > > > Subset advertisements transmitted : 0
> > > > > > Request advertisements transmitted : 0
> > > > > > Number of config revision errors : 0
> > > > > > Number of config digest errors : 0
> > > > > > Number of V1 summary errors : 0
> > > > > >
> > > > > >
> > > > > > VTP pruning statistics:
> > > > > >
> > > > > > Trunk            Join Transmitted Join Received    Summary advts received from
> > > > > >                                                    non-pruning-capable device
> > > > > > ---------------- ---------------- ---------------- ---------------------------
> > > > > > Fa0/13           0                0                0
> > > > > > Fa0/14           0                0                0
> > > > > > Fa0/15           0                0                0
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > Adam Frederick
> > > > > > Sent: Sunday, October 15, 2006 6:15 PM
> > > > > > To: ccielab@groupstudy.com
> > > > > > Subject: Disabling VTP
> > > > > >
> > > > > > Group
> > > > > >
> > > > > > I am working on a practice lab that utilizes 2x3550's & calls for
> > > > > > disabling VTP on the fastethernet interfaces. I have searched and
> > > > > > searched and haven't seen that it is possible to disable VTP on a
> > > > > > per-interface basis, is this correct? I think the solution is to
> > > > > > change VTP to transparent since the gigabit ports are not being
> > > > > > utilized at all in the practice lab. Could someone confirm this?
> > > > > >
> > > > > > Thanks,
> > > > > > Adam
> > > > > >
> > > > > > _______________________________________________________________________
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
>
> Behalf
> Of
>
> > > > > Adam Frederick
> > > > > Sent: Sunday, October 15, 2006 6:15 PM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: Disabling VTP
> > > > >
> > > > >
> > > > > ?
> > > > > Group
> > > > >
> > > > > I am working on a practice lab that utilizes 2x3550's & calls
>
> for
>
> > > > > disabling
> > > > > VTP on the fastethernet interfaces. I have searched and
>
> searched
> and
>
> > > > > haven't seen that it is possible to disable VTP on a
>
> per-interface
>
> > > basis,
> > >
> > > > > is
> > > > > this correct? I think the solution is to change VTP to
>
> transparent
>
> > > since
> > >
> > > > > the gigabit ports are not being utilized at all in the practice
> > > > > lab. Could
> > > > > someone confirm this?
> > > > >
> > > > > Thanks,
> > > > > Adam
>
> _______________________________________________________________________
>
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
>
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
>
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
>
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
>
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> ---------------------------------------------------------------------------
>-- --------
>
> The information contained in this e-mail message may contain
> privileged, confidential, and/or proprietary information intended to be
> protected from public disclosure. If you are not the intended recipient,
> any further disclosure, use, dissemination, distribution, or copying of
> this message or any attachment is strictly prohibited. Unauthorized
> interception or disclosure of this e-mail may violate certain laws and/or
> regulations, resulting in criminal and/or civil prosecution. If you think
> that you have received this e-mail message in error, please delete it and
> notify the sender immediately.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- Ivan
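
An added example, not part of the original thread or any poster's message: in the outputs quoted above, `switchport nonegotiate` shows up in the per-port fields (TAS in `show dtp interface`, `Negotiation of Trunking` in `show interfaces switchport`), so this sketch audits those fields per port. The function names and the sample text, including the `DESIRABLE` port, are constructed for illustration.

```python
import re

# TAS values the outputs in this thread show once "switchport nonegotiate" is set.
DTP_OFF_TAS = {"OFF", "NONEGOTIATE"}

def short_name(name):
    """Normalise 'FastEthernet0/1' and 'Fa0/1' to the same key ('Fa0/1')."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\d.*)", name)
    return m.group(1).capitalize() + m.group(2) if m else name

def parse_show_dtp_interface(text):
    """Return {port: TAS} from 'show dtp interface' output."""
    tas, port = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*DTP information for (\S+):", line)
        if m:
            port = short_name(m.group(1))
        m = re.match(r"\s*TOS/TAS/TNS:\s*\w+/(\w+)/\w+", line)
        if m and port:
            tas[port] = m.group(1)
    return tas

def parse_show_int_switchport(text):
    """Return {port: 'On' or 'Off'} from 'show interfaces switchport' output."""
    nego, port = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Name":
            port = short_name(value.strip())
        elif key == "Negotiation of Trunking" and port:
            nego[port] = value.strip()
    return nego

def ports_still_negotiating(dtp_text, switchport_text):
    """List (port, reason) for every port where either output shows DTP active."""
    tas = parse_show_dtp_interface(dtp_text)
    nego = parse_show_int_switchport(switchport_text)
    findings = []
    for port in sorted(set(tas) | set(nego)):
        if port in tas and tas[port] not in DTP_OFF_TAS:
            findings.append((port, "TAS=" + tas[port]))
        elif nego.get(port, "Off") != "Off":
            findings.append((port, "Negotiation of Trunking: " + nego[port]))
    return findings

# Constructed sample text in the format quoted in the thread; the Fa0/23 and
# Fa0/24 entries are assumed values for ports left in a dynamic mode.
SAMPLE_DTP = """DTP information for FastEthernet0/1:
  TOS/TAS/TNS: ACCESS/OFF/ACCESS
DTP information for GigabitEthernet0/15:
  TOS/TAS/TNS: TRUNK/NONEGOTIATE/TRUNK
DTP information for FastEthernet0/24:
  TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK
"""
SAMPLE_SWITCHPORT = """Name: Fa0/1
Negotiation of Trunking: Off
Name: Gi0/15
Negotiation of Trunking: Off
Name: Fa0/23
Negotiation of Trunking: On
"""

if __name__ == "__main__":
    for port, reason in ports_still_negotiating(SAMPLE_DTP, SAMPLE_SWITCHPORT):
        print(port, reason)
```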
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:07 ART