VTP Risk Analysis
Having a protocol that is able to add or remove VLANs from a network is incredibly
powerful, yet dangerous. Indeed, if this protocol is not secured, an attacker might run a DoS
attack by disabling a VLAN. A less obvious DoS attack might be run by enabling a VLAN
on all the switches, thereby increasing the amount of forwarded multicast and broadcast
traffic across all switches.
NOTE Spanning a VLAN across multiple switches is usually considered bad design because there
will be too many forwarded multicast or broadcast frames among multiple switches (as well
as unknown destination frames, which are also flooded on all switches for a VLAN). To
limit this undesirable traffic to a minimum, modern campus designs keep the broadcast
domains as small as possible. A sound design limits a VLAN to within a Layer 3 switch’s
network by routing IP packets rather than switching Layer 2 frames. This design is possible
nowadays because most applications run over IP. This also means that VTP has limited
usefulness in modern networks.
VTP version 3 includes several features that, when properly deployed, reduce the risk close
to zero:
• Per Port Configuration. VTP should only be enabled on trusted ports—that is, ports
connected to other switches in your administrative domain (such as in a wiring closet,
but not in a meeting room).
• HMAC Authentication. Because an attacker does not know the preshared key, the
MD5 HMAC prevents the forging of a new VTP message; the attacker is also unable
to modify an existing VTP message. This HMAC exists on versions 1, 2, and 3 of VTP.
• Configuration Revision Number. A client only accepts a VLAN database that is
more recent than its local copy. This prevents a replay attack where an attacker replays
an old but valid VTP message. For antireplay to work, the HMAC authentication must
be turned on to prevent an attacker from forging a new database version.
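The three defences above combine into one acceptance decision on the receiving switch. The following added example (not code from the book or from Cisco) models that decision in Python: a simplified advertisement with only the fields that matter here, a true HMAC-MD5 standing in for VTP’s keyed MD5 digest, and a client that drops anything arriving on an untrusted port, failing the digest check, or carrying a revision no newer than its own. Port names, the domain name and the key are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Simplified model of a VTP-style advertisement (constructed for this example).
# Real VTP frames carry more fields; only the three defences discussed on this
# page are represented: trusted ports, keyed digest, configuration revision.

@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: tuple      # VLAN IDs in the advertised database, e.g. (1, 10, 20)
    digest: bytes     # keyed MD5 over domain, revision and VLAN list

def _payload(domain, revision, vlans):
    return f"{domain}|{revision}|{','.join(map(str, vlans))}".encode()

def sign(domain, revision, vlans, key):
    """Build an advertisement whose digest is keyed with the preshared key."""
    digest = hmac.new(key, _payload(domain, revision, vlans), hashlib.md5).digest()
    return Advertisement(domain, revision, vlans, digest)

class VtpClient:
    """A switch in client mode. The order of checks matters: the digest is
    verified before the revision number, otherwise a forged message with a
    high revision could still move the local revision forward."""
    def __init__(self, domain, key, trusted_ports):
        self.domain = domain
        self.key = key
        self.trusted_ports = frozenset(trusted_ports)  # per-port configuration
        self.revision = 0
        self.vlans = (1,)

    def receive(self, port, adv):
        if port not in self.trusted_ports:
            return "dropped: untrusted port"
        if adv.domain != self.domain:
            return "dropped: wrong domain"
        expected = hmac.new(self.key, _payload(adv.domain, adv.revision, adv.vlans),
                            hashlib.md5).digest()
        if not hmac.compare_digest(expected, adv.digest):   # constant-time compare
            return "dropped: bad digest"
        if adv.revision <= self.revision:                    # antireplay
            return "dropped: stale revision (replay)"
        self.revision, self.vlans = adv.revision, adv.vlans
        return "accepted"
```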
There were also a couple of vulnerabilities [4] in the implementation of VTP in Cisco IOS that
made a reload attack, and even potentially a buffer overflow attack, possible. The usual
recommendation is to use a Cisco-recommended version for all of your switches. Because
bugs can always happen, only enable VTP on trusted trunks.
Attack Tools
Yersinia states that it has attacks against VTP: adding and removing a VLAN as well as a
DoS (probably by relying on an old vulnerability). The authors verified the DoS attack but not
the adding and removing of a VLAN.
Internetwork Routing Protocol Attack Suite [5] (IRPAS) also has VTP attack tools.
The existence of attack tools is proof that VTP security must be implemented in a
network that relies on VTP.