Understanding Cisco VTP 106
Example 4-5 Verification of the Port's New Status
6K-3-S720#show interface f5/14 trunk
Port Mode Encapsulation Status Native vlan
Fa5/14 desirable n-802.1q trunking 1
Port Vlans allowed on trunk
Fa5/14 1-4094
Port Vlans allowed and active in management domain
Fa5/14 1-3,8-13,15,17-22,39,44-46,48-52,55-71,75-76,80-81,85-90,95,100-102,
104,111-112,120-121,130,150-151,161-162,200-204,210,250-251,265,300-301,304,
350-351,400-407,440-445,448,500-503,550,555,600,665-667,701,720,730,740,750,770,
780,800-802,822-823,839,888,900-904,906,921,997-999,1001,1100-1102,1121,1200-
1300,1448,1500-1501,1800-1801,1822,2000-2001,2500,2800,3120-3121,3500,3850-3851,
3900-3901,4000-4003,4094
Port Vlans in spanning tree forwarding state and not pruned
Fa5/14 none
6K-3-S720#
The previous section briefly alluded to another LAN protocol called VTP. VTP reduces
administration overhead in a switched network. With VTP, when you configure a new
VLAN on a switch designated as a VTP server, information regarding that VLAN is
distributed to all switches in the VTP domain, thereby removing the need to manually
configure each switch one by one. You can configure a switch to operate in one of four
different VTP modes:
• Server. Here, you can create, modify, and delete VLANs and specify other
configuration parameters, such as VTP version and VTP pruning, for the entire VTP
domain. VTP servers advertise their VLAN configuration to other switches in the
same VTP domain and synchronize their VLAN configuration with other switches
based on advertisements received over trunk links. VTP server is the default mode.
• Client. VTP clients behave the same way as VTP servers, but you cannot create,
change, or delete VLANs on a VTP client.
• Transparent. VTP transparent switches do not participate in VTP. A VTP transparent
switch does not advertise its VLAN configuration, and it does not synchronize its
VLAN configuration based on received advertisements; however, in VTP version 2,
transparent switches forward VTP advertisements that they receive out of their trunk
ports. They act like a transparent wire with regard to VTP messages: They forward
them without processing them.
• Off. In the three previous modes, VTP advertisements are received and sent as soon
as the switch enters the management domain state. In VTP Off mode, switches behave
the same as in VTP Transparent mode, except that VTP advertisements are not
forwarded, but dropped.
A VTP domain comprises switches that share a common VTP domain name. VTP reduces
the need to manually configure the same VLAN everywhere. VTP is a Cisco-proprietary
protocol that is available on most Cisco Catalyst series products. Three versions of the
protocol exist: VTP v1, v2, and v3. Versions 1 and 2 are nearly identical. (Version 2 simply
introduced support for Token Ring VLANs.) Version 3 represents a major overhaul of the
protocol that was motivated in part by certain security considerations.
VTP Vulnerabilities
Over the past few years, both vulnerabilities [6, 7] and specific VTP attacks that can force a
switch into accepting VLAN database updates have surfaced. Those problems are discussed
in Chapter 11, "Information Leaks with Cisco Ancillary Protocols."
NOTE A detailed overview of VTP, including packet-level traces, is available in reference 5 in the
section, "References." Users interested in protocol details are strongly encouraged to
visit this URL.
82 Chapter 4: Are VLANS Safe?
Summary
Partial understanding of VLAN tagging and ancillary LAN protocols such as Cisco DTP
and VTP, coupled with outdated equipment still easily available on the Internet [4], frequently
contributes to the quick dismissal of VLANs as a viable complement to a secure network
design. Are VLANs unsafe? VLANs must be taken for what they are: On a properly
configured switch, they provide Layer 2 traffic isolation. Layer 2 isolation guarantees that
traffic entering a switch port in VLAN X remains confined to VLAN X, unless a router is
involved. This is the only security guarantee that a VLAN provides. Configuration
techniques, such as the proper tagging of frames on trunks and disabling VTP/DTP
toward end-user ports, keep VLAN hopping attacks at bay.
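One way to turn the summary's advice into a routine check, as an added example that is not from the book: a small Python parser for the show interface trunk output format seen in Example 4-5, which flags ports whose trunk was negotiated through DTP (mode desirable or auto) and ports that carry the full 1-4094 range. The sample output below is constructed here in that format; the port names and VLAN lists are assumptions, not taken from a real switch.

```python
# Constructed sample in the layout of Example 4-5: one port negotiated by DTP, one static.
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa5/14      desirable    n-802.1q       trunking      1
Fa5/15      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa5/14      1-4094
Fa5/15      10,20

Port        Vlans allowed and active in management domain
Fa5/14      1-3,8-13,4094
Fa5/15      10,20
"""

DTP_MODES = {"desirable", "auto"}  # trunk modes that depend on DTP negotiation

def expand_vlans(spec):
    """Expand a list such as '1-3,8-13,4094' into sorted VLAN IDs ('none' -> [])."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part == "none":
            continue
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ids)

def parse_trunks(text):
    """Map each port to its mode, encapsulation, status, native VLAN and allowed VLANs."""
    ports, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):  # a header line opens a new table of the output
            section = "mode" if "Mode" in line else ("allowed" if "allowed on trunk" in line else "other")
            continue
        cols = line.split()
        if not cols or section is None:
            continue
        port = cols[0]
        if section == "mode" and len(cols) >= 5:
            ports[port] = {"mode": cols[1], "encap": cols[2], "status": cols[3],
                           "native": int(cols[4]), "allowed": []}
        elif section == "allowed" and port in ports and len(cols) >= 2:
            ports[port]["allowed"] = expand_vlans(cols[1])
    return ports

def audit(text):
    """Return one finding per port that relies on DTP or allows every VLAN on the trunk."""
    findings = []
    for port, info in parse_trunks(text).items():
        if info["mode"] in DTP_MODES:
            findings.append(f"{port}: trunk negotiated by DTP ({info['mode']}); set the mode statically")
        if len(info["allowed"]) == 4094:
            findings.append(f"{port}: all 4094 VLANs allowed; restrict the allowed list")
    return findings
```

Run audit() over the saved output of show interface trunk from each switch; an end-user port should never appear in the trunking table at all, and any port listed with mode desirable or auto is one where DTP is still active.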
References
[1] http://standards.ieee.org/getieee802/download/802.1Q-2005.pdf
[2] http://yersinia.sourceforge.net
[3] http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=3&
[4] http://www.sans.org/resources/idfaq/vlan.php
[5] http://www.cisco.com/warp/public/473/21.html
[6] http://www.securityfocus.com/archive/1/445896/30/0/threaded
[7] http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml