Good to know that CDP eludes the filter :)
My suggestion to run vtp server with different domain was to make sure
you do not let incoming vtp pass through, as would be the case in
transparent mode (if not using version 1) and was before the filtering
option was considered.
-Carlos
Steve Di Bias @ 3/03/2010 13:27 -0300 dixit:
> Carlos, while CDP does use 01-00-0c-cc-cc-cc as its destination MAC,
> matching on the ethertype with this MAC on the destination only blocks
> VTP, and not CDP.
>
> mac access-list extended deny_vtp
> deny any host 0100.0ccc.cccc 0x2003 0x0000
>
> As long as you are blocking VTP from coming in and running in
> transparent I don't see why running two separate VTP servers in two
> separate domains would make any difference, it's still being blocked
> with the mac acl.
>
>
> On Wed, Mar 3, 2010 at 2:38 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar
> <mailto:tron_at_huapi.ba.ar>> wrote:
>
> On the contrary, run vtp in server mode with a different domain.
> Some versions of transparent will let vtp go through, hence the name of
> the mode. Or else, force v1 and use a different domain.
>
> As for the initial question, vtp is a layer 2 protocol much like CDP.
> I'm not aware of a way of filtering it. You can block its destination
> MAC but you'll filter CDP as well (01-00-0c-cc-cc-cc)
> (Copied w/o permission from cisco-nsp list, google is your friend TM)
>
> Just a different one, there is a way to filter specific packets on
> content (flexible packet matching) on IOS, and it is available in some
> switches (6k sup 32-PISA). I doubt this will fit you though.
>
> -Carlos
>
> Steve Di Bias @ 3/03/2010 3:43 -0300 dixit:
> > Try running "vtp mode transparent"
> > That will disable VTP on the switch
> >
> >
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swvtp.html#wp1035326
> >
> > -Steve Di Bias
> >
> >
> > On Tue, Mar 2, 2010 at 9:28 PM, Nahskur Udniraht <expertinternetwork_at_gmail.com <mailto:expertinternetwork_at_gmail.com>> wrote:
> >
> >> Dear All,
> >>
> >> Can I use an access control mechanism to stop VTP messages over a trunk link? Is it possible to do so?
> >>
> >> --
> >> Nahskur Udniraht
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >>
> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>
> LW7 EQI Argentina
>
>
>
>
> --
> -Steve Di Bias
--
Carlos G Mendioroz <tron_at_huapi.ba.ar>
LW7 EQI Argentina

Received on Wed Mar 03 2010 - 14:11:25 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART
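
Added example, not part of the thread or of any poster's configuration: a small Python model of the quoted entry "deny any host 0100.0ccc.cccc 0x2003 0x0000", showing why it catches VTP but lets CDP through even though both use the same destination MAC. It assumes the ACL type field is compared against the SNAP protocol ID for LLC/SNAP frames and that mask bits set to 1 are "don't care"; the frames are constructed samples, and the implicit deny at the end of a real ACL is not modelled.

```python
# Added example (not from the thread): models one MAC ACL deny entry.
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # shared by CDP and VTP
SNAP_PID = {"CDP": 0x2000, "VTP": 0x2003}     # Cisco SNAP protocol IDs

def build_frame(pid, payload=b"\x00" * 8, src=bytes.fromhex("001122334455")):
    """Constructed 802.3 + LLC/SNAP frame with Cisco OUI 00-00-0C."""
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + struct.pack("!H", pid)
    body = llc_snap + payload
    return CISCO_MCAST + src + struct.pack("!H", len(body)) + body

def frame_type(frame):
    """Value the ACL type field is compared against (assumption):
    EtherType for Ethernet II, SNAP protocol ID for LLC/SNAP, else None."""
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:
        return type_len                               # Ethernet II
    if len(frame) >= 22 and frame[14:17] == b"\xaa\xaa\x03":
        return struct.unpack("!H", frame[20:22])[0]   # SNAP PID
    return None                                       # plain 802.2 LLC

def acl_denies(frame, dst, etype, mask):
    """Model of 'deny any host <dst> <etype> <mask>'.
    Bits set in mask are ignored when comparing the type."""
    t = frame_type(frame)
    if frame[0:6] != dst or t is None:
        return False
    return (t | mask) == (etype | mask)

def verdicts(mask=0x0000):
    """Apply the entry (type 0x2003) to a sample CDP and VTP frame."""
    return {name: acl_denies(build_frame(pid), CISCO_MCAST, 0x2003, mask)
            for name, pid in SNAP_PID.items()}

if __name__ == "__main__":
    print(verdicts())          # exact match, as in the quoted ACL
    print(verdicts(0x0003))    # looser mask: CDP is now caught too
```

The second call shows the caveat: the 0x0000 mask is what keeps CDP (0x2000) out of the match, so loosening it blocks neighbour discovery along with VTP.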