Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
398
Views
0
Helpful
1
Replies

VTP Vulnerabilities

dunn
Level 1
Level 1

‎09-14-2006 07:25 AM - edited ‎03-03-2019 05:02 AM

I have been reading the Cisco Security Response Document that details the newly discovered vulnerabilities in VTP. http://www.cisco.com/en/US/customer/products/hw/switches/ps5528/tsd_products_security_response09186a00807335bc.html

The workaround for two of the three vulnerabilities is to apply a VTP domain password. I use VLANs and VTP to segment our network, so this password looks like it will need to be applied on my core 3550 and all of my access layer 2950s.

Passwords

You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain. Switches without a password or with the wrong password reject VTP advertisements.

If you configure a VTP password for a domain, a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.

The question that I have is, how safe is it to apply a VTP domain password? I am able to apply this during a maintenance window, but I do not want to potentially bring down VTP and all of our infrastructure in the process. All of my switches reside on a management VLAN and I do not want to lose connectivity to all of these devices. During the VTP/VLAN implementation, we had an issue with VTP that caused us to lose connectivity to all of our 2950s, and I had to visit each one with a console cable. I do not want a repeat of that. Any guidance that you can provide will be much appreciated. Thank you.

Labels:
0 Helpful
1 Reply 1

yprasannas
Level 1
Level 1

‎09-14-2006 11:48 AM

If you change the passwd then it will not bring down the network. Until you upgrade the paswd the new updates will not be installed.

VTP is a tool to send the VLAN's info to the members of the domain.

The IMP thing about VTP is when u add a new switch make sure that it does not overwwrite the VLAN database of the network when it joins. So we change the sw VTP mode to Transparent or Client and change the VTP domain to NULL and put back to whatever is the VTP domain. This will reset the revision number so the even if it starts sending VLAN database the remainning swithces know that this fellow has old database by revision number and will not modify the database.

Somebody will correct me if I am wrong.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents