be careful with this. If you are using DTP for trunk negotiation this will
break your trunks : )
On Wed, Mar 3, 2010 at 12:11 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar>wrote:
> Good to know that CDP eludes the filter :)
>
> My suggesting to run vtp server with different domain was to make sure
> you do not let incoming vtp pass through, as would be the case in
> transparent mode (if not using version 1) and was before the filtering
> option was considered.
>
> -Carlos
>
> Steve Di Bias @ 3/03/2010 13:27 -0300 dixit:
> > Carlos, while CDP does use 01-00-0c-cc-cc-cc as it's destination MAC,
> > matching on the ethertype with this MAC on the destination only blocks
> > VTP, and not CDP.
> >
> > mac access-list extended deny_vtp
> > deny any host 0100.0ccc.cccc 0x2003 0x0000
> >
> > As long as you are blocking VTP from coming in and running in
> > transparent I don't see why running two separate VTP servers in two
> > separate domains would make any difference, it's still being blocked
> > with the mac acl.
> >
> >
> > On Wed, Mar 3, 2010 at 2:38 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar
> > <mailto:tron_at_huapi.ba.ar>> wrote:
> >
> > On the contrary, run vtp in server mode with a different domain.
> > Some versions of transparent will let vtp go through, hence the name
> of
> > the mode. Or else, force v1 and use a different domain.
> >
> > As for the initial question, vtp is a layer 2 protocol much like CDP.
> > I'm not aware of a way of filtering it. You can block it's
> destination
> > MAC but you'll filter CDP as well (01-00-0c-cc-cc-cc)
> > (Copied w/o permision from cisco-nsp list, google is your firend TM)
> >
> > Just a different one, there is a way to filter specific packets on
> > content (flexible packet matching) on IOS, and it is available in
> some
> > switches (6k sup 32-PISA). I doubt this will fit you though.
> >
> > -Carlos
> >
> > Steve Di Bias @ 3/03/2010 3:43 -0300 dixit:
> > > Try running "vtp mode transparent"
> > > That will disable VTP on the switch
> > >
> > >
> >
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swvtp.html#wp1035326
> > >
> > > -Steve Di Bias
> > >
> > >
> > > On Tue, Mar 2, 2010 at 9:28 PM, Nahskur Udniraht <
> > > expertinternetwork_at_gmail.com
> > <mailto:expertinternetwork_at_gmail.com>> wrote:
> > >
> > >> Dear All,
> > >>
> > >> can I use an access control mechanism to stop VTP messages over a
> > trunk
> > >> link
> > >> ? is it possible to do so ?
> > >>
> > >> --
> > >> Nahskur Udniraht
> > >>
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >>
> >
> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > >
> >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> > --
> > Carlos G Mendioroz <tron_at_huapi.ba.ar <mailto:tron_at_huapi.ba.ar>>
> > LW7 EQI Argentina
> >
> >
> >
> >
> > --
> > -Steve Di Bias
>
> --
> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
-- Regards, Joe Astorino CCIE #24347 (R&S) Sr. Technical Instructor - IPexpert Mailto: jastorino_at_ipexpert.com Telephone: +1.810.326.1444 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com Blogs and organic groups at http://www.ccie.netReceived on Wed Mar 03 2010 - 14:28:07 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART