Cisco Support Community
Community Member

VTP Vulnerabilities

I have been reading the Cisco Security Response Document that details the newly discovered vulnerabilities in VTP. http://www.cisco.com/en/US/customer/products/hw/switches/ps5528/tsd_products_security_response09186a00807335bc.html

The workaround for two of the three vulnerabilities is to apply a VTP domain password. I use VLANs and VTP to segment our network, so this password looks like it will need to be applied on my core 3550 and all of my access layer 2950s.

Passwords

You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain. Switches without a password or with the wrong password reject VTP advertisements.

If you configure a VTP password for a domain, a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.

The question that I have is, how safe is it to apply a VTP domain password? I am able to apply this during a maintenance window, but I do not want to potentially bring down VTP and all of our infrastructure in the process. All of my switches reside on a management VLAN and I do not want to lose connectivity to all of these devices. During the VTP/VLAN implementation, we had an issue with VTP that caused us to lose connectivity to all of our 2950s, and I had to visit each one with a console cable. I do not want a repeat of that. Any guidance that you can provide will be much appreciated. Thank you.
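A staged rollout of the domain password, added here as an example (it is not part of the original post or its reply). It assumes a domain name of CORP, the 3550 as the only VTP server, the 2950s as clients, and a placeholder password; all three are assumptions, and the exact `show` output wording varies by IOS release.

```cisco
! --- Step 0: baseline on the server and on every client, before any change ---
! Record "VTP Operating Mode", "Configuration Revision" and "MD5 digest".
! A client whose revision is already higher than the server's is the real
! risk, not the password; fix that first (see the reply below the post).
show vtp status

! --- Step 1: on the VTP server (the core 3550) ---
! Setting the password changes the MD5 digest carried in the next
! advertisement. Clients that do not yet have the password reject that
! advertisement, but rejecting it leaves their existing VLAN database and
! forwarding untouched, so the management VLAN stays reachable while the
! clients are still unconfigured.
configure terminal
 vtp domain CORP
 vtp password Example-VTP-Pw1
end
! The password is stored with the VLAN database (vlan.dat), not in
! running-config, so check it explicitly rather than with "show run":
show vtp password
show vtp status

! --- Step 2: on each access-layer 2950, one at a time ---
configure terminal
 vtp password Example-VTP-Pw1
end
show vtp password
! The client accepts the next advertisement that carries the matching
! domain name and password. Done when its "MD5 digest" line matches the
! server's and its "Configuration Revision" equals the server's.
show vtp status

! --- Rollback on any switch that was mis-typed, if needed ---
configure terminal
 no vtp password
end
```

Do the clients from a session that does not depend on the switch being edited (console, or an SSH/Telnet session to the server while changing clients), and change one client first and confirm its digest matches before walking the rest.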

1 REPLY
Community Member

Re: VTP Vulnerabilities

If you change the password then it will not bring down the network. Until you upgrade the password the new updates will not be installed.

VTP is a tool to send the VLAN info to the members of the domain.

The important thing about VTP is, when you add a new switch, make sure that it does not overwrite the VLAN database of the network when it joins. So we change the switch VTP mode to Transparent or Client and change the VTP domain to NULL and put it back to whatever is the VTP domain. This will reset the revision number, so even if it starts sending the VLAN database, the remaining switches know that this fellow has an old database by revision number and will not modify the database.

Somebody will correct me if I am wrong.
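The revision-reset procedure from the reply, written out as an added example (not the replying member's own commands). It assumes the domain name CORP and the same placeholder password as above; both are assumptions. Run it on the new switch over its console before it is cabled into the domain, since once connected a higher revision number would overwrite every other switch's VLAN database.

```cisco
! --- On the switch about to be connected, console session only ---
! If "Configuration Revision" here is higher than the domain's, this switch
! would win the election and push its (old) VLAN database to the others.
show vtp status

configure terminal
! Transparent mode does not synchronise, and entering it resets the
! revision counter to 0. Switching back to client leaves it at 0.
 vtp mode transparent
 vtp mode client
! Equivalent alternative from the reply: any change of domain name also
! resets the revision to 0. "NULL" is just a throwaway name here.
 vtp domain NULL
 vtp domain CORP
! Give it the domain password now so it can accept the first advertisement
! from the server instead of rejecting it.
 vtp password Example-VTP-Pw1
end

! "Configuration Revision : 0" confirms the switch will learn the database
! from the server rather than overwrite it. Only now connect the uplink.
show vtp status
```

After the uplink comes up, `show vtp status` on the new switch should show the server's revision number and MD5 digest, and `show vlan brief` should list the domain's VLANs rather than only the defaults.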
