Re: Disabling VTP/DTP

From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Mon Oct 30 2006 - 14:45:53 ART


On a 3560, ISL trunk ports fa 0/13 - 14 with "sw nonegotiate" look like
this:

SW2#sh dtp in fa 0/13
DTP information for FastEthernet0/13:
  TOS/TAS/TNS: TRUNK/NONEGOTIATE/TRUNK
  TOT/TAT/TNT: ISL/ISL/ISL
  Neighbor address 1: 0015F9D1A78D
  Neighbor address 2: 000000000000
  Hello timer expiration (sec/state): never/STOPPED
  Access timer expiration (sec/state): never/STOPPED
  Negotiation timer expiration (sec/state): never/STOPPED
  Multidrop timer expiration (sec/state): never/STOPPED
  FSM state: S6:TRUNK
  # times multi & trunk 0
  Enabled: yes
  In STP: no

  Statistics
  ----------
  140 packets received (140 good)
  0 packets dropped
      0 nonegotiate, 0 bad version, 0 domain mismatches,
      0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
  140 packets output (140 good)
      140 native, 0 software encap isl, 0 isl hardware native
  0 output errors
  0 trunk timeouts
  1 link ups, last link up on Mon Mar 01 1993, 00:01:29
  0 link downs

SW2#
SW2#sh run in fa 0/13
Building configuration...

Current configuration : 142 bytes
!
interface FastEthernet0/13
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
end

SW2#sh run in fa 0/14
Building configuration...

Current configuration : 142 bytes
!
interface FastEthernet0/14
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
end

Jay Hanke wrote:
> I did that, here is the config from interface fa0/1. I forgot to include
> the config on my last email.
>
> interface FastEthernet0/1
>  switchport access vlan 2
>  switchport mode access
>  switchport nonegotiate
>  no ip address
> end
>
> fa0/9 has no switchport set. My understanding is that if switchport
> nonegotiate is set the interface should not be counted under show dtp or
> show up under sho dtp interface. I wonder if it is an IOS bug. Has
> anyone tried this on a more current IOS?
>
> Jay
>
> ________________________________
>
> From: Adam Frederick [mailto:AFrederick@homefederalbank.com]
> Sent: Monday, October 30, 2006 9:19 AM
> To: Jay Hanke
> Subject: RE: Disabling VTP/DTP
>
> Yep, looks like you only have DTP disabled on Port 9, so all other ports
> are still passing DTP traffic. You need to do an interface range on all
> ports and enter switchport nonegotiate and see what happens from there.
>
> This should stop those messages from updating. I don't have spare
> switches to test on so please let me know!!!
>
> ________________________________
>
> From: Jay Hanke [mailto:Jay.Hanke@midwestwireless.com]
> Sent: Monday, October 30, 2006 10:14 AM
> To: Adam Frederick
> Subject: RE: Disabling VTP/DTP
>
> Should the count decrease on the show dtp when dtp is disabled on an
> interface?
>
> CAT2#sho int switchport
> Name: Fa0/1
> Switchport: Enabled
> Administrative Mode: static access
> Operational Mode: static access
> Administrative Trunking Encapsulation: negotiate
> Operational Trunking Encapsulation: native
> Negotiation of Trunking: Off
> Access Mode VLAN: 2 (VLAN0002)
> Trunking Native Mode VLAN: 1 (default)
> Voice VLAN: none
> Administrative private-vlan host-association: none
> Administrative private-vlan mapping: none
> Administrative private-vlan trunk native VLAN: none
> Administrative private-vlan trunk encapsulation: dot1q
> Administrative private-vlan trunk normal VLANs: none
> Administrative private-vlan trunk private VLANs: none
> Operational private-vlan: none
> Trunking VLANs Enabled: ALL
> Pruning VLANs Enabled: 2-1001
> Capture Mode Disabled
> Capture VLANs Allowed: ALL
> Protected: false
> Unknown unicast blocked: disabled
> Unknown multicast blocked: disabled
> Appliance trust: none
>
> CAT2#sho dtp interface
> DTP information for FastEthernet0/1:
>   TOS/TAS/TNS: ACCESS/OFF/ACCESS
>   TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE
>   Neighbor address 1: 000000000000
>   Neighbor address 2: 000000000000
>   Hello timer expiration (sec/state): never/STOPPED
>   Access timer expiration (sec/state): never/STOPPED
>   Negotiation timer expiration (sec/state): never/STOPPED
>   Multidrop timer expiration (sec/state): never/STOPPED
>   FSM state: S1:OFF
>   # times multi & trunk 0
>   Enabled: no
>   In STP: no
>
>   Statistics
>   ----------
>   0 packets received (0 good)
>   0 packets dropped
>       0 nonegotiate, 0 bad version, 0 domain mismatches,
>       0 bad TLVs, 0 bad TAS, 0 bad TAT, 0 bad TOT, 0 other
>   0 packets output (0 good)
>       0 native, 0 software encap isl, 0 isl hardware native
>   0 output errors
>
> CAT2#sho dtp
> Global DTP information
>         Sending DTP Hello packets every 30 seconds
>         Dynamic Trunk timeout is 300 seconds
>         23 interfaces using DTP
>
> CAT2#sh dtp int | inc Fast
> DTP information for FastEthernet0/1:
> DTP information for FastEthernet0/2:
> DTP information for FastEthernet0/3:
> DTP information for FastEthernet0/4:
> DTP information for FastEthernet0/5:
> DTP information for FastEthernet0/6:
> DTP information for FastEthernet0/7:
> DTP information for FastEthernet0/8:
> DTP information for FastEthernet0/10:
> DTP information for FastEthernet0/11:
> DTP information for FastEthernet0/12:
> DTP information for FastEthernet0/13:
> DTP information for FastEthernet0/14:
> DTP information for FastEthernet0/15:
> DTP information for FastEthernet0/16:
> DTP information for FastEthernet0/17:
> DTP information for FastEthernet0/18:
> DTP information for FastEthernet0/19:
> DTP information for FastEthernet0/20:
> DTP information for FastEthernet0/21:
> DTP information for FastEthernet0/22:
> DTP information for FastEthernet0/23:
> DTP information for FastEthernet0/24:
> CAT2#
>
> ________________________________
>
> From: Adam Frederick [mailto:AFrederick@homefederalbank.com]
> Sent: Monday, October 30, 2006 8:26 AM
> To: Jay Hanke
> Subject: RE: Disabling VTP/DTP
>
> Jay;
>
> It is my understanding, whether it is a switchport or a trunk port,
> "switchport nonegotiate" will disable the sending of DTP frames. I'm
> looking forward to input from other members on this one. One final
> word, if you do a "show interface fa0/0 switchport", it should show
> whether or not dynamic negotiation is enabled.
>
> HTH
>
> Adam
>
> ________________________________
>
> From: nobody@groupstudy.com on behalf of Jay Hanke
> Sent: Mon 10/30/2006 9:12 AM
> To: Godswill Oletu; Scott Smith
> Cc: Victor Cappuccio; Jordan Gottlieb; CharlesB; Adam Frederick;
> ccielab@groupstudy.com
> Subject: RE: Disabling VTP/DTP
>
> If I understand correctly switchport nonegotiate (and set to access)
> should turn off DTP on the port. I tried this on a 3550 (Version
> 12.1(19)EA1a) but when I do a show dtp or show dtp interface the
> interfaces still show up in the count or in the list respectively. If I
> do a no switchport on the interface it is removed.
>
> Does switchport nonegotiate turn off dtp for the interface or do I need
> to do something in addition? Also, is the proper way to verify that DTP
> is off to use show dtp interface?
>
> Thanks,
>
> Jay
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Godswill Oletu
> Sent: Monday, October 16, 2006 7:59 PM
> To: Scott Smith
> Cc: Victor Cappuccio; Jordan Gottlieb; CharlesB; Adam Frederick;
> ccielab@groupstudy.com
> Subject: Re: Disabling VTP
>
> Scott,
>
> All that the text of that book you paraphrased is saying is that there
> is no magical command like 'no vtp' or the like to disable VTP. If you
> can do something else that will result in the absence or non-operation
> of VTP, that is akin to disabling it; then you have essentially disabled
> it, and enabling transparent mode will do that.
>
>
> Godswill Oletu
> CCIE #16464 (R&S).
>
>
> ----- Original Message -----
> From: "Scott Smith" <hioctane@gmail.com>
> To: "Godswill Oletu" <oletu@inbox.lv>
> Cc: "Victor Cappuccio" <cvictor@protokolgroup.com>; "Jordan Gottlieb"
> <thelieber@gmail.com>; "CharlesB" <cbalik@adelphia.net>; "Adam
> Frederick"
> <AFrederick@homefederalbank.com>; <ccielab@groupstudy.com>
> Sent: Monday, October 16, 2006 9:41 AM
> Subject: Re: Disabling VTP
>
>
>
>> A paraphrased quote from Cisco LAN Switching.
>>
>> "you cannot disable VTP, the only option is to use transparent mode"
>>
>> So if the task is only asking for you to disable VTP and DTP isn't
>> mentioned I would use transparent mode and not mess with DTP. Just my
>> .02 :-)
>>
>> --
>> Scott
>> CCIE #17040 (R&S)
>>
>>
>> On 10/16/06, Godswill Oletu <oletu@inbox.lv> wrote:
>>
>>> As Victor has stated, setting the trunking mode to 'nonegotiate' and
>>> configuring VTP transparent mode is the best option. There has been a
>>> thread on this in the past, check the archives.
>>>
>>> Filtering with an ACL at best will only prevent VTP from working, it
>>> will not disable it.
>>>
>>> HTH
>>>
>>> Godswill Oletu
>>> CCIE #16464 (R&S)
>>>
>>>
>>> ----- Original Message -----
>>> From: "Victor Cappuccio" <cvictor@protokolgroup.com>
>>> To: "'Jordan Gottlieb'" <thelieber@gmail.com>; "'CharlesB'"
>>> <cbalik@adelphia.net>
>>> Cc: "'Adam Frederick'" <AFrederick@homefederalbank.com>;
>>> <ccielab@groupstudy.com>
>>> Sent: Monday, October 16, 2006 12:32 AM
>>> Subject: RE: Disabling VTP
>>>
>>>
>>>
>>>> Hi Erez, Congratulations on your Digits!!
>>>>
>>>> But back to the post.
>>>>
>>>> DTP has something to do with VTP.
>>>>
>>>> From the same link you sent,
>>>> http://www.cisco.com/warp/public/473/21.html
>>>> says "
>>>> Dynamic Trunking Protocol (DTP) sends the VTP domain name in a DTP packet.
>>>> Therefore, if you have two ends of a link that belong to different VTP
>>>> domains, the trunk does not come up if you use DTP. In this special case,
>>>> you must configure the trunk mode as on or nonegotiate, on both sides, in
>>>> order to allow the trunk to come up without DTP negotiation agreement.
>>>> "
>>>>
>>>> I would agree with Adam here, in setting the switch to Transparent to avoid
>>>> sending VTP messages over the trunk ports.
>>>>
>>>> Please look at the following output in detail. I would not think that the
>>>> mac access-list idea could work, but I would test that out tomorrow with a
>>>> couple of real 3550s, since I'm playing now with Dynamips with an IOS of a
>>>> 3640 with a NM-16ESW.
>>>>
>>>> Sw2(vlan)#vtp server
>>>> Setting device to VTP SERVER mode.
>>>> Sw2(vlan)#
>>>> *Mar 1 00:04:16.155: VTP LOG RUNTIME: Transmit vtp summary, domain CISCO,
>>>> rev 0
>>>> , followers 1
>>>> MD5 digest calculated = 00 31 17 6B 64 9D 1A 91 56 96 10 B4 FF 9D FC 23
>>>> Sw2(vlan)#vtp transparent
>>>> Setting device to VTP TRANSPARENT mode.
>>>> Sw2(vlan)#vtp server
>>>> Setting device to VTP SERVER mode.
>>>> Sw2(vlan)#
>>>> *Mar 1 00:04:39.855: VTP LOG RUNTIME: Transmit vtp summary, domain CISCO,
>>>> rev 0
>>>> , followers 1
>>>> MD5 digest calculated = 00 31 17 6B 64 9D 1A 91 56 96 10 B4 FF 9D FC 23
>>>> Sw2(vlan)#
>>>>
>>>> Please see that the time the first VTP Summary message was sent out was
>>>> 00:4:16, and I configured the switch to be in VTP Transparent mode for a
>>>> short while and set it back to VTP Server. See the VTP summary now being
>>>> sent out (0.4.39).
>>>>
>>>> Congratulations again,
>>>> Saludos,
>>>> Victor.-
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>>> Jordan Gottlieb
>>>> Sent: Sunday, 15 October 2006 11:32 p.m.
>>>> To: CharlesB
>>>> CC: Adam Frederick; ccielab@groupstudy.com
>>>> Subject: Re: Disabling VTP
>>>>
>>>> From http://www.cisco.com/warp/public/473/21.html:
>>>>
>>>> "VTP packets are sent in either Inter-Switch Link (ISL) frames or in IEEE
>>>> 802.1Q (dot1q) frames. These packets are sent to the destination MAC address
>>>> 01-00-0C-CC-CC-CC with a logical link control (LLC) code of Subnetwork
>>>> Access Protocol (SNAP) (AAAA) and a type of 2003 (in the SNAP header)."
>>>>
>>>> You should be able to configure a Named MAC Extended ACL filter
>>>> (http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1177176)
>>>> on the respective port. I have not tried this... but I believe it will
>>>> probably work.
>>>>
>>>> I must caution people not to confuse DTP with VTP. The switchport
>>>> nonegotiate command is a DTP disable command (nothing to do with VTP).
>>>>
>>>> Hope this helps. BTW... I passed my lab a week ago this past Thursday in
>>>> San Jose. Hope this input (and future to come) helps repay some of the
>>>> benefit I have obtained from this board.
>>>>
>>>> Erez Jordan Gottlieb
>>>> CCIE #17010
>>>>
>>>>
>>>>
>>>> On 10/15/06, CharlesB <cbalik@adelphia.net> wrote:
>>>>
>>>>> I assume since VTP runs on the trunk ports, getting the interface out
>>>>> of trunk mode would solve the issue.
>>>>>
>>>>> sw1#sh vtp cou
>>>>> sw1#sh vtp counters
>>>>> VTP statistics:
>>>>> Summary advertisements received : 0
>>>>> Subset advertisements received : 0
>>>>> Request advertisements received : 0
>>>>> Summary advertisements transmitted : 0
>>>>> Subset advertisements transmitted : 0
>>>>> Request advertisements transmitted : 0
>>>>> Number of config revision errors : 0
>>>>> Number of config digest errors : 0
>>>>> Number of V1 summary errors : 0
>>>>>
>>>>> VTP pruning statistics:
>>>>>
>>>>> Trunk            Join Transmitted Join Received    Summary advts received from
>>>>>                                                    non-pruning-capable device
>>>>> ---------------- ---------------- ---------------- ---------------------------
>>>>> Fa0/13           0                0                0
>>>>> Fa0/14           0                0                0
>>>>> Fa0/15           0                0                0
>>>>> Fa0/24           0                0                0  ------------------> check it out
>>>>>
>>>>> s1#interface FastEthernet0/24
>>>>> switchport mode dynamic desirable
>>>>>
>>>>> Since it is in desirable mode, it negotiates the trunk status with the
>>>>> other link, but if it is a switchport, the vtp counters do not list it
>>>>> anymore.
>>>>>
>>>>> sw1(config)#inter fas0/24
>>>>> sw1(config-if)#sw
>>>>> sw1(config-if)#switchport mode acc
>>>>> sw1(config-if)#end
>>>>> sw1#sh
>>>>> 10w2d: %SYS-5-CONFIG_I: Configured from console by conssh vtp counters
>>>>> VTP statistics:
>>>>> Summary advertisements received : 0
>>>>> Subset advertisements received : 0
>>>>> Request advertisements received : 0
>>>>> Summary advertisements transmitted : 0
>>>>> Subset advertisements transmitted : 0
>>>>> Request advertisements transmitted : 0
>>>>> Number of config revision errors : 0
>>>>> Number of config digest errors : 0
>>>>> Number of V1 summary errors : 0
>>>>>
>>>>> VTP pruning statistics:
>>>>>
>>>>> Trunk            Join Transmitted Join Received    Summary advts received from
>>>>>                                                    non-pruning-capable device
>>>>> ---------------- ---------------- ---------------- ---------------------------
>>>>> Fa0/13           0                0                0
>>>>> Fa0/14           0                0                0
>>>>> Fa0/15           0                0                0
>>>>>
>>>>> -----Original Message-----
>>>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>>>> Adam Frederick
>>>>> Sent: Sunday, October 15, 2006 6:15 PM
>>>>> To: ccielab@groupstudy.com
>>>>> Subject: Disabling VTP
>>>>>
>>>>> Group
>>>>>
>>>>> I am working on a practice lab that utilizes 2x3550's & calls for
>>>>> disabling VTP on the fastethernet interfaces. I have searched and
>>>>> searched and haven't seen that it is possible to disable VTP on a
>>>>> per-interface basis, is this correct? I think the solution is to change
>>>>> VTP to transparent since the gigabit ports are not being utilized at all
>>>>> in the practice lab. Could someone confirm this?
>>>>>
>>>>> Thanks,
>>>>> Adam
>>>>>
>>>>>
>>>>>
> _______________________________________________________________________
>
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
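As an added example (not from anyone in this thread), a small audit script that parses `show dtp interface` output and reports which ports can still negotiate a trunk. Both Jay's access port (Enabled: no) and Alexei's nonegotiate trunk (Enabled: yes) still appear in the per-interface list and the `show dtp` count, so the script keys on the TAS field (OFF or NONEGOTIATE means no DTP is sent) rather than on that count; the sample input is constructed from the outputs above plus one hypothetical port, Fa0/2, left at dynamic desirable.

```python
import re

# Constructed sample of "show dtp interface" output. Fa0/1 and Fa0/13 are
# taken from the outputs posted in this thread; Fa0/2 is a hypothetical
# port left at its default "dynamic desirable" mode (its FSM label is a
# placeholder, not captured from a real switch).
SAMPLE = """\
DTP information for FastEthernet0/1:
  TOS/TAS/TNS: ACCESS/OFF/ACCESS
  TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE
  FSM state: S1:OFF
  Enabled: no
DTP information for FastEthernet0/2:
  TOS/TAS/TNS: ACCESS/DESIRABLE/ACCESS
  TOT/TAT/TNT: NATIVE/NEGOTIATE/NATIVE
  FSM state: Sx:PLACEHOLDER
  Enabled: yes
DTP information for FastEthernet0/13:
  TOS/TAS/TNS: TRUNK/NONEGOTIATE/TRUNK
  TOT/TAT/TNT: ISL/ISL/ISL
  FSM state: S6:TRUNK
  Enabled: yes
"""


def parse_show_dtp(text):
    """Return {interface: {"tos", "tas", "tns", "fsm", "enabled"}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"DTP information for (\S+):", line)
        if m:                      # start of a new per-interface block
            current = ports.setdefault(m.group(1), {})
            continue
        if current is None:        # ignore anything before the first block
            continue
        m = re.match(r"\s*TOS/TAS/TNS:\s*([^/\s]+)/([^/\s]+)/([^/\s]+)", line)
        if m:                      # operational / administrative / neighbor state
            current["tos"], current["tas"], current["tns"] = m.groups()
            continue
        m = re.match(r"\s*FSM state:\s*(\S+)", line)
        if m:
            current["fsm"] = m.group(1)
            continue
        m = re.match(r"\s*Enabled:\s*(yes|no)", line)
        if m:
            current["enabled"] = m.group(1) == "yes"
    return ports


def ports_still_negotiating(text):
    """Interfaces whose administrative trunking state (TAS) still sends DTP.

    OFF (access + nonegotiate) and NONEGOTIATE (trunk + nonegotiate) are the
    two states with DTP off; AUTO, DESIRABLE and ON all still emit DTP frames.
    A missing TAS is reported too, so a parse failure is never read as "off".
    """
    return sorted(name for name, p in parse_show_dtp(text).items()
                  if p.get("tas", "UNKNOWN") not in ("OFF", "NONEGOTIATE"))


if __name__ == "__main__":
    for name, p in parse_show_dtp(SAMPLE).items():
        print(f"{name:20} TAS={p['tas']:12} Enabled={p['enabled']}")
    print("still negotiating:", ports_still_negotiating(SAMPLE))
```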



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:07 ART