VTP Risk Mitigation
As the previous section discussed, VTP is apparently no longer needed in a modern switched network. But if it is required:
• Enable MD5 authentication.
• Use only version 3 of VTP to have antireplay protection.
• Enable VTP only on real trunks, that is, on a port facing switches in your management
domain (never toward a nontrusted switch).
NOTE VTP is disabled by default if the port is not in trunk mode. This means that an access port
where negotiation is always off will never receive VTP packets. This is another reason to put
all ports facing end users in access mode.
You can configure these recommendations in CatOS, as Example 11-2 shows.
Example 11-2 Secure VTP Version 3 Configuration
Console> (enable) set vtp domain TEST
VTP domain TEST modified
Console> (enable) set vtp version 3
This command will enable VTP version 3 on this switch.
Do you want to continue (y/n) [n]? y
VTP3 domain TEST modified
Console> (enable) set vtp passwd SeCrEt
Generating the secret associated to the password.
VTP3 domain server modified
Console> (enable) set port vtp 3/1-2 disable
VTP is disabled on ports 3/1-2.
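As an added example (not from the book or from Cisco), the following Python script audits a CatOS configuration written in "set" syntax against the three recommendations above: version 3, a password for MD5 authentication, and VTP enabled only on trusted trunk ports. The sample configuration is constructed, and the "enable" keyword for "set port vtp" as well as the list of trusted trunk ports are assumptions.

```python
# Constructed sample of a CatOS configuration in "set" syntax (assumption:
# not a dump from a real switch). Ports 3/4-5 are user-facing but have VTP on.
SAMPLE_CONFIG = """\
set vtp domain TEST
set vtp version 3
set vtp passwd SeCrEt
set port vtp 3/1-2 disable
set port vtp 3/3 enable
set port vtp 3/4-5 enable
"""

def expand_ports(spec):
    """Expand a CatOS port spec such as '3/1-2,3/4' into ['3/1', '3/2', '3/4']."""
    ports = []
    for item in spec.split(","):
        mod, rng = item.split("/")
        lo, _, hi = rng.partition("-")
        for n in range(int(lo), int(hi or lo) + 1):
            ports.append(f"{mod}/{n}")
    return ports

def audit_vtp(config, trusted_trunks):
    """Return findings against the three recommendations; [] means compliant."""
    findings, version, has_password, port_state = [], None, False, {}
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["set", "vtp"] and len(words) >= 4:
            if words[2] == "version":
                version = int(words[3])
            elif words[2] == "passwd":          # password => MD5 authentication
                has_password = True
        elif words[:3] == ["set", "port", "vtp"] and len(words) == 5:
            for port in expand_ports(words[3]):  # "enable"/"disable" (assumed)
                port_state[port] = words[4]
    if version != 3:
        findings.append("VTP version is not 3: no antireplay protection")
    if not has_password:
        findings.append("no VTP password: MD5 authentication is not enabled")
    # VTP may be on only toward switches of the management domain
    for port, state in sorted(port_state.items()):
        if state == "enable" and port not in trusted_trunks:
            findings.append(f"VTP enabled on non-trusted port {port}")
    for port in sorted(trusted_trunks):
        if port_state.get(port) == "disable":
            findings.append(f"VTP disabled on trusted trunk {port}")
    return findings

if __name__ == "__main__":
    for finding in audit_vtp(SAMPLE_CONFIG, {"3/3"}):
        print(finding)
```

Ports that the configuration never mentions are left to the switch default, which per the note above means VTP is off unless the port is trunking.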
Cisco IOS does not support VTP version 3 and, therefore, VTP should never be enabled in
Cisco IOS, because VTP versions prior to version 3 have no antireplay protection and are
always globally enabled (on all ports, including nontrusted ones).