VLAN Trunking Protocol (VTP) can be used to propagate VLAN information between switches, eliminating the need to add and remove VLANs manually. While many network administrators appreciate the convenience provided by VTP, it is a luxury which introduces additional complexity to a network, and can potentially cause a great deal of damage if not properly configured.
Regardless of an administrator's stance on VTP, there may be times when it is required to completely eliminate VTP from a network. The obvious solution to disable VTP is to set all switches to transparent mode with vtp mode transparent. However, while this prevents the switch from participating in VTP, it will still propagate VTP advertisements should a rogue server find its way onto the network. How can we eliminate VTP entirely?
This question was recently posed on the cisco-nsp mailing list, and Paul Cosgrove suggested two solutions. The first is to apply a MAC ACL inbound on the interface(s) where VTP is to be blocked:
mac access-list extended BLOCK_VTP
 deny any host 0100.0ccc.cccc 0x2003 0x0
 permit any any
!
interface FastEthernet0/1
 mac access-group BLOCK_VTP in
The ACL above matches all frames of ethertype 0x2003 destined for 0100.0ccc.cccc. Specifying the ethertype is necessary to prevent blocking other protocols like CDP and UDLD, which use the same destination MAC. The trailing 0x0 is simply a mask for the ethertype (similar to a wildcard mask for IP addresses); a mask of 0x0 means every bit of the ethertype must match.
The second method suggested involves the creation of a VLAN filter to block VTP for all ports in certain VLANs:
mac access-list extended MATCH_VTP
 permit any host 0100.0ccc.cccc 0x2003 0x0
!
vlan access-map BLOCK_VTP 10
 action drop
 match mac address MATCH_VTP
vlan access-map BLOCK_VTP 20
 action forward
vlan filter BLOCK_VTP vlan-list 1-4094
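To make the matching logic of both methods concrete, here is an added Python example (not from the original post or from Paul Cosgrove's suggestions) that simulates how the entries of a mac access-list extended classify frames, and how the VLAN access-map turns a permit in MATCH_VTP into a drop. The frames, MAC addresses and the Frame/Ace classes are constructed for illustration; the SNAP protocol IDs used for the samples are VTP 0x2003 (from the post), CDP 0x2000 and UDLD 0x0111. It also includes a deliberately over-broad variant of the ACL without the ethertype qualifier, to show why CDP and UDLD would otherwise be caught.

```python
# Added example, not part of the original post: a small model of
# "mac access-list extended" matching and of the VLAN access-map above.
from dataclasses import dataclass
from typing import List, Optional

VTP_MULTICAST = "0100.0ccc.cccc"   # destination MAC shared by VTP, CDP and UDLD


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int   # for SNAP-encapsulated frames this is the SNAP protocol ID


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    src: str                  # "any" or a host MAC
    dst: str                  # "any" or a host MAC
    ethertype: Optional[int]  # None = no ethertype qualifier (any ethertype)
    mask: int = 0x0           # wildcard-style mask: set bits are "don't care"

    def matches(self, f: Frame) -> bool:
        if self.src != "any" and self.src != f.src:
            return False
        if self.dst != "any" and self.dst != f.dst:
            return False
        if self.ethertype is None:
            return True
        # With mask 0x0 every bit must match, as in the post's ACL.
        return (f.ethertype & ~self.mask) == (self.ethertype & ~self.mask)


def evaluate(acl: List[Ace], frame: Frame) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(frame):
            return ace.action
    return "deny"


# Method 1: the BLOCK_VTP port ACL from the post.
BLOCK_VTP = [
    Ace("deny", "any", VTP_MULTICAST, 0x2003, 0x0),
    Ace("permit", "any", "any", None),
]

# Over-broad variant (not from the post): same deny without the ethertype.
BLOCK_DST_ONLY = [
    Ace("deny", "any", VTP_MULTICAST, None),
    Ace("permit", "any", "any", None),
]

# Method 2: MATCH_VTP selects frames; the access-map drops what it permits.
MATCH_VTP = [Ace("permit", "any", VTP_MULTICAST, 0x2003, 0x0)]


def vlan_filter(frame: Frame) -> str:
    """VLAN access-map BLOCK_VTP: seq 10 drops MATCH_VTP hits, seq 20 forwards."""
    if evaluate(MATCH_VTP, frame) == "permit":
        return "drop"
    return "forward"


# Constructed sample frames (source MACs are made up).
SAMPLES = {
    "vtp":  Frame("0011.2233.4455", VTP_MULTICAST, 0x2003),
    "cdp":  Frame("0011.2233.4455", VTP_MULTICAST, 0x2000),
    "udld": Frame("0011.2233.4455", VTP_MULTICAST, 0x0111),
    "ipv4": Frame("0011.2233.4455", "aabb.ccdd.eeff", 0x0800),
}


def classify(acl: List[Ace], samples=SAMPLES) -> dict:
    """Apply a port ACL to every sample frame and report the action per frame."""
    return {name: evaluate(acl, f) for name, f in samples.items()}


if __name__ == "__main__":
    print("BLOCK_VTP      :", classify(BLOCK_VTP))
    print("BLOCK_DST_ONLY :", classify(BLOCK_DST_ONLY))
    print("VACL           :", {n: vlan_filter(f) for n, f in SAMPLES.items()})
```

Running it shows BLOCK_VTP denying only the VTP frame while CDP, UDLD and ordinary traffic are permitted, whereas the variant without the ethertype qualifier denies CDP and UDLD as well; the VLAN access-map drops the VTP frame and forwards everything else.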
Both solutions will block VTP completely on the involved interfaces. Additionally, IOS 12.2(33)SXH introduced vtp mode off, providing a much more convenient way to fully disable VTP.