Blocking Layer2 network updates

Jun 13th, 2007
We have a hardware supplier that needs to connect a Cisco switch to our backbone network.

We also can't manage this switch. The problem now is that the switch can send CDP info, VTP updates, Spanning Tree etc. to our switch port.

Is there a way we can protect ourselves against these types of traffic? I was thinking of something like Layer 2 access-lists?

We're running CatOS, they IOS.

ohassairi Thu, 06/14/2007 - 00:03

The CDP that he can send is not harmful.

For VTP, you can either ask him to configure his switch in transparent mode or protect your VTP with a domain name and password.

For spanning tree, if you want to ignore the BPDUs he sends to your network, then configure the "BPDU filtering" feature on your interface connected to his switch.

andrewleki Thu, 06/14/2007 - 23:39

Of course we can ask them to configure the switch like it should be. And I'm sure they would, but we don't have control if they do some wrong configuration in the future.

We would like to block that kind of traffic on our side, not on their switch.



Jon Marshall Thu, 06/14/2007 - 23:46

I think the suggestions made by Oussama were to do with blocking the traffic on your side, i.e.

1) Use a VTP domain name / password so that the customer switch cannot join your VTP domain and pass updates.

2) Enable BPDU filtering on the switch port on your switch so all spanning tree BPDUs are ignored. You obviously need to ensure that you then don't connect the customer switch with another connection.


Konstantin Dunaev Thu, 06/14/2007 - 23:52

1. "no cdp enable" on the interface (or was it "no cdp run"?) will disable the sending of CDP on a certain interface. Receiving of CDP is harmless.

2. You should configure your VTP domain with a name and password; then the VTP information from the other switch will not have any influence on your VTP.

3. You can configure root guard on the port to protect your network from a new STP root. Filtering BPDUs is not a best practice on an interface which is connected to another switch; there is a possibility of a loop.

You can configure the trunks with only the necessary VLANs which should be seen by the other switch; this will reduce the influence on your network in case of any STP change on their side.
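The measures discussed in this thread (VTP domain and password, no CDP on the port, root guard instead of BPDU filtering, a restricted trunk) collected into one port configuration. This is an added example, not configuration posted by anyone in the thread; it is written in IOS syntax, whereas the original poster's own switch runs CatOS, whose commands differ. The interface name, VLAN numbers, VTP domain name and password are assumed values.

```ios
! Added example (IOS syntax). Port facing a switch we do not manage.
! Interface, VLANs, domain name and password are assumed values.
!
! (1) VTP: our own domain name plus a password means advertisements from
!     a switch in another domain, or without the password, are not accepted.
vtp domain EXAMPLE-DOMAIN
vtp password EXAMPLE-VTP-SECRET
!
interface GigabitEthernet1/0/24
 description Uplink to supplier-managed switch (not under our control)
 !
 ! (2) CDP: stop advertising our device details out of this port.
 !     Inbound CDP from the peer is only informational.
 no cdp enable
 !
 ! (3) STP: root guard puts the port into root-inconsistent state if the
 !     peer sends a superior BPDU, so it can never become root, but its
 !     BPDUs are still processed and a loop is still detected.
 !     This is preferred over the alternative below, which ignores BPDUs
 !     entirely and would leave a second cable to the same switch undetected:
 !     spanning-tree bpdufilter enable   (not recommended on a switch-facing port)
 spanning-tree guard root
 !
 ! (4) Trunk only the VLANs the supplier actually needs, and do not let the
 !     peer negotiate trunking (DTP) with us.
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
```

If the supplier's switch is expected to be in only one VLAN, an access port (`switchport mode access` with `switchport access vlan`) removes the trunk and VTP exposure altogether; the VTP domain and password still protect the rest of the backbone should the port ever be reconfigured as a trunk.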