Blocking VTP

By stretch | Monday, April 28, 2008 at 10:25 a.m. UTC

VLAN Trunking Protocol (VTP) can be used to propagate VLAN information between switches, eliminating the need to add and remove VLANs manually. While many network administrators appreciate the convenience provided by VTP, it is a luxury which introduces additional complexity to a network, and can potentially cause a great deal of damage if not properly configured.

Regardless of an administrator's stance on VTP, there may be times when it is required to completely eliminate VTP from a network. The obvious solution to disable VTP is to set all switches to transparent mode with vtp mode transparent. However, while this prevents the switch from participating in VTP, it will still propagate VTP advertisements should a rogue server find its way onto the network. How can we eliminate VTP entirely?

This question was recently posed on the cisco-nsp mailing list, and Paul Cosgrove suggested two solutions. The first is to apply a MAC ACL inbound on the interface(s) where VTP is to be blocked:

mac access-list extended BLOCK_VTP
 deny   any host 0100.0ccc.cccc 0x2003 0x0
 permit any any
interface FastEthernet0/1
 mac access-group BLOCK_VTP in

The ACL above matches all frames of ethertype 0x2003 destined for 0100.0ccc.cccc. Specifying the ethertype is necessary to prevent blocking other protocols like CDP and UDLD, which use the same destination MAC. The trailing 0x0 is simply a mask for the ethertype (similar to a wildcard mask for IP addresses).

The second method suggested involves the creation of a VLAN filter to block VTP for all ports in certain VLANs:

mac access-list extended MATCH_VTP
 permit any host 0100.0ccc.cccc 0x2003 0x0
vlan access-map BLOCK_VTP 10
 action drop
 match mac address MATCH_VTP
vlan access-map BLOCK_VTP 20
 action forward
vlan filter BLOCK_VTP vlan-list 1-4094

Both solutions will bock VTP completely on the involved interfaces. Additionally, IOS 12.2(33)SXH introduced vtp mode off, providing a much more convenient way to fully disable VTP.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Switching


Arthur Lashin (guest)
August 8, 2009 at 2:16 p.m. UTC

Hi, Jeremy. I think that two commands are quite enough for any IOS version:

vtp mode transparent vtp version 1

because in vtp version 1 transparent switch dosen't forward VTP advertisements.

Comments have closed for this article due to its age.