The workaround for two of the three vulnerabilities is to apply a VTP domain password. I use VLANs and VTP to segment our network, so this password looks like it will need to be applied on my core 3550 and all of my access layer 2950s.
You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain. Switches without a password or with the wrong password reject VTP advertisements.
If you configure a VTP password for a domain, a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.
The question that I have is, how safe is it to apply a VTP domain password? I am able to apply this during a maintenance window, but I do not want to potentially bring down VTP and all of our infrastructure in the process. All of my switches reside on a management VLAN and I do not want to lose connectivity to all of these devices. During the VTP/VLAN implementation, we had an issue with VTP that caused us to lose connectivity to all of our 2950s, and I had to visit each one with a console cable. I do not want a repeat of that. Any guidance that you can provide will be much appreciated. Thank you.
If you change the password, it will not bring down the network. Until you update the password on a switch, the new updates will not be installed on it.
VTP is a tool to send the VLAN info to the members of the domain.
The important thing about VTP is, when you add a new switch, make sure that it does not overwrite the VLAN database of the network when it joins. So we change the switch's VTP mode to Transparent or Client, change the VTP domain to NULL, and then put it back to whatever the VTP domain is. This resets the revision number, so even if it starts sending its VLAN database, the remaining switches know by the revision number that this fellow has an old database and will not modify theirs.
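What the two procedures from this thread look like on IOS, as an added example (this is not from the original post or from Cisco's documentation): the domain password rollout on the core 3550 and each 2950, followed by the revision-number reset on a switch that is about to join. The domain name CORP, the password, and the hostnames are assumptions; substitute your own.

```cisco
! === Part 1: apply the domain password (repeat on the core 3550 and every 2950) ===
! Assumed domain name CORP and password S3cureVtpPw.
! The domain name and the password must be identical on every switch.
Core3550# configure terminal
Core3550(config)# vtp domain CORP
Core3550(config)# vtp password S3cureVtpPw
Core3550(config)# end
!
! Check on each switch after the change. Compare these across all switches:
!   VTP Domain Name        - must be CORP everywhere
!   MD5 digest             - must be identical everywhere (the password is folded
!                            into it; a switch with the wrong password shows a
!                            different digest and rejects advertisements)
!   Configuration Revision - the clients should show the server's number
Core3550# show vtp status
Core3550# show vtp password
!
! === Part 2: zero the revision number on a switch before it joins the domain ===
! Going to transparent mode resets Configuration Revision to 0; renaming the
! domain (the "set it to NULL and back" trick above) does the same.
NewSwitch# configure terminal
NewSwitch(config)# vtp mode transparent
NewSwitch(config)# vtp domain CORP
NewSwitch(config)# vtp password S3cureVtpPw
NewSwitch(config)# vtp mode client
NewSwitch(config)# end
!
! Confirm "Configuration Revision : 0" before connecting the uplink; the switch
! will then adopt the server's database instead of overwriting it.
NewSwitch# show vtp status
```

Two practical notes. First, the password change does not touch the VLANs a switch already has in its database, so the management VLAN stays up on every switch while you work through them; what a switch with a stale or missing password loses is only the ability to accept new VTP advertisements until its password matches. Second, on older 2950/3550 images `vtp password` may only be accepted inside `vlan database` mode rather than global configuration mode; either way, verify with `show vtp password` and the MD5 digest line of `show vtp status` on every switch before closing the window.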