[EXAMPLE CONFIG] - Block VTP using an ACL


#1 goldplated

Posted 11 August 2010 - 03:53 AM

BLOCK VTP using an ACL

So let's say, for whatever reason, you need to run VTP in your network, but you want to be sure that VTP information doesn't come in from your customers or vendors.

NOTE: This is just an example to illustrate how you can block VTP. You can also use a VTP password to help prevent this... so just read the info and learn from it.

----------------------------

We will use SW1 (our switch) and SW2 (the vendor switch) to show how this can be accomplished.

Let's begin with the VLAN/VTP info on SW1 and SW2:

SW1#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : lab
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x82 0x2A 0x38 0xA2 0x00 0x24 0xA1 0xC9
Configuration last modified by 0.0.0.0 at 3-1-93 00:24:59
Local updater ID is 0.0.0.0 (no valid interface found)
SW1#

SW2#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : lab
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x82 0x2A 0x38 0xA2 0x00 0x24 0xA1 0xC9
Configuration last modified by 0.0.0.0 at 3-1-93 00:24:59
Local updater ID is 0.0.0.0 (no valid interface found)
SW2#


There are 2 VLANs created (VLAN 10 and 20):

SW1#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   TEST                             active
20   TEST2                            active
SW1#

SW2#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   TEST                             active
20   TEST2                            active
SW2#

Let's create a new VLAN just to show VTP is working properly...

And we will use SW2 to create it:
SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vlan 30
SW2(config-vlan)#name TEST3
SW2(config-vlan)#exit
SW2(config)#

(I removed the non-significant info)

SW2#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   TEST                             active
20   TEST2                            active
30   TEST3                            active
SW2#



So in order to block VTP we are going to use a MAC access-list.

On SW1:
!
mac access-list extended deny_vtp
 deny   any host 0100.0ccc.cccc 0x2003 0x0
 permit any any
!

NOTE: MAC address 0100.0ccc.cccc is used as the destination for several protocols (CDP, VTP, etc.), and that is why we match on the ether-type 0x2003, which is VTP specifically.

We then have to apply it to the uplink port going to SW2:

!
interface GigabitEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 mac access-group deny_vtp in
!
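As an added illustration (not part of the original post), the Python below models the two ACL lines above against constructed 802.3/LLC/SNAP frames: a CDP frame and a VTP summary advertisement, both addressed to 0100.0ccc.cccc, so you can see that only the frame carrying the VTP identifier 0x2003 (the value VTP puts in its SNAP header, which the post calls the VTP ether-type) is dropped while CDP to the same MAC still passes. It also decodes the dropped advertisement's domain and configuration revision, which is what you would want logged on a trunk facing an untrusted switch. The frame layout is the standard Cisco SNAP encapsulation; the sample source MAC, the CDP payload bytes and the function names (acl_decision, audit, etc.) are my own assumptions.

```python
"""Added example (not from the post): model the deny_vtp MAC ACL on sample frames.

Rules mirrored:
    deny   any host 0100.0ccc.cccc 0x2003 0x0
    permit any any
"""
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")          # 0100.0ccc.cccc in Cisco notation
CISCO_OUI = bytes.fromhex("00000c")                  # SNAP OUI shared by CDP/VTP/DTP
PID_CDP, PID_VTP, PID_DTP = 0x2000, 0x2003, 0x2004   # SNAP protocol IDs

# Rules as (action, required dst MAC or None for "any", required PID or None for "any")
ACL_DENY_VTP = [
    ("deny", CISCO_MCAST, PID_VTP),   # deny   any host 0100.0ccc.cccc 0x2003 0x0
    ("permit", None, None),           # permit any any
]


def build_snap_frame(dst, src, pid, payload):
    """802.3 frame: dst, src, length, LLC (AA AA 03), SNAP (OUI + PID), payload."""
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body


def parse_frame(frame):
    """Return dst, src, SNAP PID (None if not an LLC/SNAP frame) and the SNAP payload."""
    dst, src = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != b"\xaa\xaa\x03":   # Ethernet II or non-SNAP
        return {"dst": dst, "src": src, "pid": None, "payload": b""}
    pid = struct.unpack("!H", frame[20:22])[0]            # bytes 17-19 are the OUI
    return {"dst": dst, "src": src, "pid": pid, "payload": frame[22:14 + length]}


def acl_decision(acl, frame):
    """First matching rule wins; a Cisco ACL ends with an implicit deny."""
    f = parse_frame(frame)
    for action, dst, pid in acl:
        if dst is not None and f["dst"] != dst:
            continue
        if pid is not None and f["pid"] != pid:
            continue
        return action
    return "deny"


def build_vtp_summary(domain, revision):
    """VTP summary advertisement (code 1): version, code, followers, domain length,
    32-byte padded domain, 4-byte revision, updater ID, timestamp, MD5 digest."""
    header = struct.pack("!BBBB", 1, 1, 0, len(domain)) + domain.encode().ljust(32, b"\x00")
    return header + struct.pack("!I", revision) + bytes(4) + bytes(12) + bytes(16)


def parse_vtp_summary(payload):
    """Decode domain and configuration revision from a summary advertisement."""
    version, code, _followers, dlen = struct.unpack("!BBBB", payload[:4])
    if code != 1:
        return None
    return {"version": version, "domain": payload[4:4 + dlen].decode(),
            "revision": struct.unpack("!I", payload[36:40])[0]}


def audit(frames, acl, local_domain, local_revision):
    """Run frames through the ACL and flag any VTP advert that would have
    overwritten the local VLAN database (same domain, higher revision)."""
    results = []
    for frame in frames:
        f = parse_frame(frame)
        decision = acl_decision(acl, frame)
        note = ""
        if f["pid"] == PID_VTP:
            adv = parse_vtp_summary(f["payload"])
            if adv and adv["domain"] == local_domain and adv["revision"] > local_revision:
                note = "VTP rev %d > local %d in domain %s" % (
                    adv["revision"], local_revision, adv["domain"])
        results.append((decision, f["pid"], note))
    return results


# Constructed sample traffic arriving from the "vendor" side (SW2)
SW2_MAC = bytes.fromhex("001122334455")   # made-up source MAC
SAMPLE_FRAMES = [
    build_snap_frame(CISCO_MCAST, SW2_MAC, PID_CDP, b"\x02\xb4\x00\x00"),          # CDP: passes
    build_snap_frame(CISCO_MCAST, SW2_MAC, PID_VTP, build_vtp_summary("lab", 3)),  # VTP: dropped
]

if __name__ == "__main__":
    for decision, pid, note in audit(SAMPLE_FRAMES, ACL_DENY_VTP, "lab", 2):
        print("pid=%s decision=%s %s" % (hex(pid) if pid is not None else None, decision, note))
```

The audit note is the piece worth keeping in a real deployment: a denied summary advertisement from the vendor side with a revision higher than your own is exactly the frame that would have replaced your VLAN database had the ACL not been there.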

We will now try to make a new VLAN on SW2 and see if it shows up on SW1 (previously it did).

SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vlan 50
SW2(config-vlan)#name BLOCK_ME
SW2(config-vlan)#exit

SW2#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   TEST                             active
20   TEST2                            active
30   TEST3                            active
50   BLOCK_ME                         active
SW2#


So it's on SW2, but how about SW1?

SW1#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   TEST                             active
20   TEST2                            active
30   TEST3                            active
SW1#

BLOCKED!!!  So hopefully this can help you keep the VTP demons under control in your network.
