Cisco Support Community

New Member

vtp password hash value

The VTP password is sent as an MD5 hash value in the VTP advertisements.

But is the hash value computed using only the password, or is it computed using some other fields also? If yes, then which fields?

6 REPLIES
Hall of Fame Super Blue

vtp password hash value

Have a look at this blog and also note the comments -

http://cciepursuit.wordpress.com/2007/06/29/vtp-md5-hash-utilizes-vtp-domain-name/

Jon

New Member

vtp password hash value

I think it depends on the number of VLANs also, because whenever I create a new VLAN it gets changed.

Hall of Fame Super Blue

vtp password hash value

It may well do. I couldn't find any specific info other than that blog but it looks like there are a number of things used as input into the computation.

Jon

Cisco Employee

vtp password hash value

Pankaj,

The VTP MD5 sum is computed over the entire VLAN database contents, including the VTP password. Note that the MD5 checksum is included only in the VTP summary advertisement and not in subsequent subset advertisements, so it is not computed over individual packets' contents. The MD5 sum will change whenever any content of the VLAN database changes.

Note that computing the MD5 only over the password and adding it to VTP packets would be useless right from the start, as the MD5 sum would be the equivalent of the password and password alone - it could be directly stolen and reused over different forged VTP packets. This is a general rule about MD5 protection of all protocols. The MD5 hash must always be computed over a protected content plus the password.

Best regards,

Peter

New Member

vtp password hash value

Peter Paluch,

Is the revision number also included in the computation of the hash value? Kindly tell me all the parameters that are used in the computation.

One more question: suppose there are two switches, 1 and 2. I create a new VLAN on 1, then the MD5 value will change, and this new MD5 value will be different from the one on 2. Then how will communication happen, since for communication these hash values should match?

Re: vtp password hash value

Hi,

from "Troubleshooting VLAN Trunk Protocol" :

"The general purpose of an MD5 value is to verify the integrity of a received packet and to detect any changes to the packet or corruption of the packet during transit. When a switch detects a new revision number that is different from the currently stored value, the switch sends a request message to the VTP server and requests the VTP subsets. A subset advertisement contains a list of VLAN information. The switch calculates the MD5 value for the subset advertisements and compares the value to the MD5 value of the VTP summary advertisement. If the two values are different, the switch increases the No of config digest errors counter."

By the way: I made a couple of tests and it seems that the only relevant field in the summary advertisement, which is not used for the MD5 computation, is the timestamp. I attached a Wireshark capture with summary advertisements from two different switches. I made the same changes on both switches at different times before I connected them (I even configured the same updater IPs on both because different IDs resulted in different hash values. This is interesting because the updater ID is used only in the summary advertisements). You can see that the MD5 values are the same in both messages although the timestamps are different. Any changes of VLAN information also resulted in different hash values, as expected.

Hope that helps

Rolf

P.S.: You can find the packet formats in "Understanding VLAN Trunk Protocol"
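
Added example, not part of any reply in this thread: a simplified Python model of the point in Peter's reply (a digest over the password alone can be reused with different content) and of the receiver check quoted from "Troubleshooting VLAN Trunk Protocol". The serialization, class and function names, and sample values are constructed assumptions; this does not reproduce the real VTP packet layout or the exact input Cisco feeds into the MD5.

```python
import hashlib
import hmac

def serialize(domain, revision, vlans):
    # Constructed encoding for illustration; NOT the real VTP packet layout.
    items = ",".join(f"{vid}:{name}" for vid, name in sorted(vlans.items()))
    return f"{domain}|{revision}|{items}".encode()

def digest_password_only(password, domain, revision, vlans):
    # Weak design: the digest ignores the content it is meant to protect.
    return hashlib.md5(password.encode()).digest()

def digest_content_and_password(password, domain, revision, vlans):
    # Design described in the thread: protected content plus the password.
    return hashlib.md5(serialize(domain, revision, vlans) + password.encode()).digest()

class Receiver:
    """Hypothetical receiver: recomputes the digest and counts mismatches."""
    def __init__(self, password, digest_fn):
        self.password, self.digest_fn = password, digest_fn
        self.revision, self.vlans = 0, {}
        self.config_digest_errors = 0

    def receive(self, domain, revision, vlans, advertised_digest):
        expected = self.digest_fn(self.password, domain, revision, vlans)
        if not hmac.compare_digest(expected, advertised_digest):
            self.config_digest_errors += 1   # content and digest disagree
            return False
        self.revision, self.vlans = revision, dict(vlans)
        return True

def demo(digest_fn):
    password = "constructed-password"
    legit = {1: "default", 10: "users"}
    seen_on_wire = digest_fn(password, "LAB", 5, legit)
    rx = Receiver(password, digest_fn)
    accepted_legit = rx.receive("LAB", 5, legit, seen_on_wire)
    # Different content paired with the previously observed digest.
    altered = {1: "default"}
    accepted_altered = rx.receive("LAB", 6, altered, seen_on_wire)
    return accepted_legit, accepted_altered, rx.config_digest_errors

if __name__ == "__main__":
    print("password only      :", demo(digest_password_only))
    print("content + password :", demo(digest_content_and_password))
```

With the password-only digest the altered database is accepted and no error is counted; with the content-plus-password digest it is rejected and the digest error counter increments.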
