From: paul cosgrove (paul.cosgrove@gmail.com)
Date: Sat Jul 12 2008 - 21:03:45 ART
Hi Jason,
A five octet PID may be equivalent to a 2 octet Ethertype when OUI=00:00:00,
but they are not the same for VTP, CDP etc, since their OUI is set to the
Cisco OUI and so all five octets of the PID are used. The values you have
listed are not the full PID values.
There clearly is confusion about this, and I know that some sniffer programs
list the PID as being just the last two octets, but I do not see an
explanation for such a usage in IEEE 802-1990:-
"5.3 Protocol Identifier
5.3.1 Concept
...
All SNAP PDUs contain a Protocol Identification Field. An organization uses
its OUI to identify, using a universal unique value, its own protocols.
The protocol identifier is 40 bits in length....The first 24 bits of the
protocol identifier correspond to the OUI in exactly the same fashion as in
48-bit LAN MAC addresses. The remaining 16 bits are locally administered by
the assignee."
"5.3.2 Representation of a Protocol Identifier.
The protocol identifier is represented as a string of five octets separated
by hyphens. The octets are displayed left to right in the order they are
transmitted on the LAN medium. Each octet is displayed as two hexadecimal
digits. The M bit of the first octet is the first bit of the
Organizationally Unique Identifier and is the least significant."
Paul.
On Sat, Jul 12, 2008 at 10:51 PM, Jason Madsen <madsen.jason@gmail.com>
wrote:
> I think ethertype and PID are essentially one and the same. It just depends
> on which source you reference. In MACLs they use the term ethertype, but in
> packet captures the actual value is the PID (protocol ID). At least they
> seem to directly coincide:
>
> VTP 0x2003
> CDP 0x2000
> DTP 0x2004
> UDLD 0x0111
>
> ...but great write ups you provided. i think aky is about a blocking VTP
> kind of person as any now:-)
>
> Jason
>
> On Sat, Jul 12, 2008 at 2:05 PM, paul cosgrove <paul.cosgrove@gmail.com>
> wrote:
>
>>
>> MAC acls can be used to stop VTP being received, they cannot be used to
>> stop advertisements being sent; vtp transparent mode will do that for
>> you. In later versions of IOS there is also a "vtp mode off" command.
>>
>> The (ether)type values can be used to differentiate the protocols. You
>> cannot match the PID, only the (ether) type part of it.
>>
>> You can find a discussion about this including examples of MAC ACLs here:-
>> http://puck.nether.net/pipermail/cisco-nsp/2008-April/050185.html
>>
>> Paul.
>>
>>
>> Jason Madsen wrote:
>> > to be further specific you could block it by its PID, which is 0x2003,
>> > along with 01:00:0C:CC:CC:CC. CDP's is 0x2000 etc.
>> >
>> > Jason
>> >
>> > On Sat, Jul 12, 2008 at 12:32 PM, Jason Madsen <madsen.jason@gmail.com>
>> > wrote:
>> >
>> >
>> >> hmmmm, that's a good one. of course vtp mode transparent may prevent the
>> >> device from participating in vtp (especially VTP v1), but to actually block
>> >> it is another thing. i believe you could use a MACL and block 01:00:0C:CC:CC:CC,
>> >> but i also believe that CDP, UDLD, DTP, and PAGP also use this address so
>> >> you might have to look at the implications of doing such a thing. you might
>> >> want to use different VTP domain names to further prevent compatibility
>> >> between the systems, although that could be considered overkill.
>> >>
>> >> just some thoughts,
>> >> Jason
>> >>
>> >> On Sat, Jul 12, 2008 at 12:12 PM, akyccie <akyccie@gmail.com> wrote:
>> >>
>> >>
>> >>> How to block VTP advertisement ???
>> >>>
>> >>>
>> >>> _______________________________________________________________________
>> >>> Subscription information may be found at:
>> >>> http://www.groupstudy.com/list/CCIELab.html
>> >>>
>> >
>> >
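To make Paul's point about the 40-bit PID concrete (the OUI in the first three octets, the two "type" octets that MAC ACLs match in the last two, and equivalence to an Ethertype only when the OUI is 00-00-00), here is an added example that is not from the list or from any Cisco documentation. It builds a few constructed 802.3/LLC/SNAP frames, parses the SNAP header back out, and prints the full five-octet PID in the hyphenated form IEEE 802 clause 5.3.2 describes. The Cisco OUI 00-00-0C, the source MAC and the payloads are assumptions made for the sample; the protocol-type values are the ones quoted in the thread.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# From the thread: the Cisco OUI forms the first three octets of the PID and the
# last two octets are the per-protocol "type" part that a MAC ACL can match.
CISCO_OUI = bytes.fromhex("00000c")          # assumed Cisco OUI for the sample
CISCO_MCAST = "01:00:0c:cc:cc:cc"             # destination MAC quoted in the thread
CISCO_TYPES = {0x2003: "VTP", 0x2000: "CDP", 0x2004: "DTP", 0x0111: "UDLD"}


@dataclass
class SnapInfo:
    dst_mac: str
    pid: bytes          # the full 40-bit protocol identifier, in transmit order

    @property
    def oui(self) -> bytes:
        return self.pid[:3]

    @property
    def proto_type(self) -> int:
        # The remaining 16 bits, "locally administered by the assignee".
        return struct.unpack("!H", self.pid[3:5])[0]

    def pid_str(self) -> str:
        # IEEE 802 5.3.2 form: five octets, hyphen separated, left to right as transmitted.
        return "-".join(f"{b:02X}" for b in self.pid)

    def name(self) -> str:
        if self.oui == CISCO_OUI:
            return CISCO_TYPES.get(self.proto_type, "unknown Cisco SNAP protocol")
        if self.oui == b"\x00\x00\x00":
            # Only with a zero OUI do the last two octets carry an Ethertype.
            return f"encapsulated Ethertype 0x{self.proto_type:04x}"
        return "other OUI"


def parse_snap(frame: bytes) -> Optional[SnapInfo]:
    """Return SNAP header info for an 802.3/LLC/SNAP frame, None for anything else."""
    if len(frame) < 22:
        return None
    dst = frame[0:6]
    length_or_type = struct.unpack("!H", frame[12:14])[0]
    if length_or_type > 1500:
        return None  # Ethernet II type field: no LLC header follows
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    if (dsap, ssap, ctrl) != (0xAA, 0xAA, 0x03):
        return None  # LLC, but not SNAP
    return SnapInfo(dst_mac=":".join(f"{b:02x}" for b in dst), pid=frame[17:22])


def build_snap_frame(dst: bytes, src: bytes, oui: bytes, proto_type: int, payload: bytes) -> bytes:
    """Build an 802.3 frame carrying an LLC/SNAP header (used only for the constructed samples)."""
    body = bytes([0xAA, 0xAA, 0x03]) + oui + struct.pack("!H", proto_type) + payload
    return dst + src + struct.pack("!H", len(body)) + body


# Constructed sample frames; the source MAC and payloads are made up.
SRC = bytes.fromhex("0011223344aa")
VTP_FRAME = build_snap_frame(bytes.fromhex(CISCO_MCAST.replace(":", "")), SRC,
                             CISCO_OUI, 0x2003, b"constructed VTP payload")
IP_SNAP_FRAME = build_snap_frame(bytes.fromhex("ffffffffffff"), SRC,
                                 b"\x00\x00\x00", 0x0800, b"constructed IP payload")
# An Ethernet II frame with a type field instead of a length: no SNAP header at all.
ETHERNET_II_FRAME = bytes.fromhex("ffffffffffff") + SRC + struct.pack("!H", 0x0800) + bytes(20)

if __name__ == "__main__":
    for f in (VTP_FRAME, IP_SNAP_FRAME, ETHERNET_II_FRAME):
        info = parse_snap(f)
        if info is None:
            print("not an LLC/SNAP frame")
        else:
            print(f"dst {info.dst_mac}  PID {info.pid_str()}  -> {info.name()}")
```

Running it prints the VTP sample as `PID 00-00-0C-20-03`, which is why a sniffer that shows only `0x2003` is showing the last two octets of the PID rather than the PID itself; the IP-over-SNAP sample prints `00-00-00-08-00`, the one case where those two octets really are an Ethertype.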
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:54 ART