Thanks Guys. It was a good discussion.
On Wed, Mar 3, 2010 at 11:28 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
> be careful with this. If you are using DTP for trunk negotiation this will
> break your trunks : )
>
> On Wed, Mar 3, 2010 at 12:11 PM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
>
> > Good to know that CDP eludes the filter :)
> >
> > My suggestion to run vtp server with different domain was to make sure
> > you do not let incoming vtp pass through, as would be the case in
> > transparent mode (if not using version 1) and was before the filtering
> > option was considered.
> >
> > -Carlos
> >
> > Steve Di Bias @ 3/03/2010 13:27 -0300 dixit:
> > > Carlos, while CDP does use 01-00-0c-cc-cc-cc as its destination MAC,
> > > matching on the ethertype with this MAC on the destination only blocks
> > > VTP, and not CDP.
> > >
> > > mac access-list extended deny_vtp
> > > deny any host 0100.0ccc.cccc 0x2003 0x0000
> > >
> > > As long as you are blocking VTP from coming in and running in
> > > transparent I don't see why running two separate VTP servers in two
> > > separate domains would make any difference, it's still being blocked
> > > with the mac acl.
> > >
> > >
> > > On Wed, Mar 3, 2010 at 2:38 AM, Carlos G Mendioroz <tron_at_huapi.ba.ar> wrote:
> > >
> > > On the contrary, run vtp in server mode with a different domain.
> > > Some versions of transparent will let vtp go through, hence the name of
> > > the mode. Or else, force v1 and use a different domain.
> > >
> > > As for the initial question, vtp is a layer 2 protocol much like CDP.
> > > I'm not aware of a way of filtering it. You can block its destination
> > > MAC but you'll filter CDP as well (01-00-0c-cc-cc-cc)
> > > (Copied w/o permission from cisco-nsp list, google is your friend TM)
> > >
> > > Just a different one, there is a way to filter specific packets on
> > > content (flexible packet matching) on IOS, and it is available in some
> > > switches (6k sup 32-PISA). I doubt this will fit you though.
> > >
> > > -Carlos
> > >
> > > Steve Di Bias @ 3/03/2010 3:43 -0300 dixit:
> > > > Try running "vtp mode transparent"
> > > > That will disable VTP on the switch
> > > >
> > > >
> > > > http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swvtp.html#wp1035326
> > > >
> > > > -Steve Di Bias
> > > >
> > > >
> > > > On Tue, Mar 2, 2010 at 9:28 PM, Nahskur Udniraht <expertinternetwork_at_gmail.com> wrote:
> > > >
> > > > >> Dear All,
> > > > >>
> > > > >> Can I use an access control mechanism to stop VTP messages over a trunk
> > > > >> link? Is it possible to do so?
> > > >>
> > > >> --
> > > >> Nahskur Udniraht
> > > >>
> > > >>
> > > >> Blogs and organic groups at http://www.ccie.net
> > > >>
> > > >>
> > >
> > _______________________________________________________________________
> > > >> Subscription information may be found at:
> > > >> http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> > >
> > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > --
> > > Carlos G Mendioroz <tron_at_huapi.ba.ar>
> > > LW7 EQI Argentina
> > >
> > > --
> > > -Steve Di Bias
> >
> > --
> > Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>
>
> --
> Regards,
>
> Joe Astorino CCIE #24347 (R&S)
> Sr. Technical Instructor - IPexpert
> Mailto: jastorino_at_ipexpert.com
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
Received on Thu Mar 04 2010 - 09:13:40 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART
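
The distinction discussed in this thread (matching the shared destination MAC versus matching the protocol type as well), as an added example that is not part of the original messages. It assumes 802.3 LLC/SNAP framing with the Cisco OUI, SNAP protocol IDs 0x2000 (CDP), 0x2003 (VTP) and 0x2004 (DTP), and a mask whose set bits are don't-care; all function names and the sample frames are constructed for illustration.

```python
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # destination shared by CDP, VTP, DTP
SNAP_HDR = bytes.fromhex("aaaa03" "00000c")   # LLC SNAP header + Cisco OUI
PROTOCOLS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}

def build_frame(pid, payload=b"\x00" * 8, vlan=None):
    """Constructed sample frame: 802.3 + LLC/SNAP, optional 802.1Q tag."""
    body = SNAP_HDR + struct.pack("!H", pid) + payload
    src = bytes.fromhex("001122334455")        # constructed source MAC
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    return CISCO_MCAST + src + tag + struct.pack("!H", len(body)) + body

def snap_pid(frame):
    """Return (dst_mac, SNAP protocol ID or None) for a raw frame."""
    dst, off = frame[:6], 12
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":   # skip 802.1Q tag
        off = 16
    llc = frame[off + 2: off + 10]             # bytes after the length field
    if len(llc) < 8 or llc[:6] != SNAP_HDR:
        return dst, None
    return dst, struct.unpack("!H", llc[6:8])[0]

def acl_denies(frame, dst_mac, value=None, mask=0x0000):
    """Model one 'deny any host <dst_mac> [value mask]' entry.
    Assumption: mask bits set to 1 are don't-care, so 0x0000 is an exact match."""
    dst, pid = snap_pid(frame)
    if dst != dst_mac:
        return False
    if value is None:                          # entry matches on destination MAC only
        return True
    keep = ~mask & 0xFFFF
    return pid is not None and (pid & keep) == (value & keep)

def filtered(entry_value):
    """Names of the sample protocols dropped by the modelled entry."""
    return [name for pid, name in PROTOCOLS.items()
            if acl_denies(build_frame(pid), CISCO_MCAST, entry_value)]

if __name__ == "__main__":
    print("dst MAC only :", filtered(None))    # every protocol on that MAC
    print("0x2003 0x0000:", filtered(0x2003))  # only VTP
```

The model covers only the match logic of a single deny entry; it does not represent the rest of an access list or any platform-specific behaviour.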